SigmaHQ/rules/cloud/aws_s3_data_management_tampering.yml

title: AWS S3 Data Management Tamperin
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
description: Detects when a user tampers with S3 data management in Amazon Web Services.
author: Austin Songer
status: experimental
date: 2021/07/24
references:
    - https://github.com/elastic/detection-rules/pull/1145/files
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
    - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
logsource:
    service: cloudtrail
detection:
    selection_source:
        - eventSource: iam.amazonaws.com
    selection_eventname1:
        - eventName: PutBucketLogging
    selection_eventname2:
        - eventName: PutBucketWebsite
    selection_eventname3:
        - eventName: PutEncryptionConfiguration
    selection_eventname4:
        - eventName: PutLifecycleConfiguration
    selection_eventname5: 
        - eventName: PutReplicationConfiguration
    selection_eventname6: 
        - eventName: ReplicateObject
    selection_eventname7: 
        - eventName: RestoreObject
    condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5 or selection_eventname6 or selection_eventname7
level: low
tags:
    - attack.exfiltration
    - attack.t1537
falsepositives:
- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Update aws_s3_data_management_tampering.yml 2021-07-24 16:17:18 +00:00			`title: AWS S3 Data Management Tamperin`
Create aws_s3_data_management_tampering.yml 2021-07-24 16:12:19 +00:00			`id: 78b3756a-7804-4ef7-8555-7b9024a02e2d`
			`description: Detects when a user tampers with S3 data management in Amazon Web Services.`
Update aws_s3_data_management_tampering.yml 2021-07-24 16:17:18 +00:00			`author: Austin Songer`
Create aws_s3_data_management_tampering.yml 2021-07-24 16:12:19 +00:00			`status: experimental`
			`date: 2021/07/24`
			`references:`
Update aws_s3_data_management_tampering.yml 2021-07-24 16:17:18 +00:00			`- https://github.com/elastic/detection-rules/pull/1145/files`
Create aws_s3_data_management_tampering.yml 2021-07-24 16:12:19 +00:00			`- https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html`
			`- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html`
			`- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html`
			`- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html`
			`- https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html`
			`- https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html`
			`logsource:`
			`service: cloudtrail`
			`detection:`
			`selection_source:`
			`- eventSource: iam.amazonaws.com`
			`selection_eventname1:`
			`- eventName: PutBucketLogging`
			`selection_eventname2:`
			`- eventName: PutBucketWebsite`
			`selection_eventname3:`
			`- eventName: PutEncryptionConfiguration`
			`selection_eventname4:`
			`- eventName: PutLifecycleConfiguration`
			`selection_eventname5:`
			`- eventName: PutReplicationConfiguration`
			`selection_eventname6:`
			`- eventName: ReplicateObject`
			`selection_eventname7:`
			`- eventName: RestoreObject`
			`condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5 or selection_eventname6 or selection_eventname7`
			`level: low`
			`tags:`
			`- attack.exfiltration`
			`- attack.t1537`
			`falsepositives:`
			`- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.`