
DET0041 Detection of Lifecycle Policy Modifications for Triggered Deletion in IaaS Cloud Storage

ID: DET0041
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1485.001 (Lifecycle-Triggered Deletion)

Analytics

IaaS

AN0117

An adversary with write access to cloud storage modifies lifecycle policies (e.g., via PutBucketLifecycle) to schedule rapid object deletion across one or more storage buckets. This is commonly used to cause impact (data destruction), remove logs (defense evasion), or support extortion (ransomware).

Log Sources
Data Component: Cloud Storage Modification (DC0023)
Name: AWS:CloudTrail
Channel: PutBucketLifecycle, PutLifecycleConfiguration, SetBucketLifecycle, storage.buckets.update
Mutable Elements
LifecycleExpirationDays: Policy values that set Expiration to fewer than N days (e.g., 0–1) are highly suspicious.
TargetBucket: Filter by bucket type (e.g., log storage, production DB snapshots) to prioritize detection.
Principal: Correlate rare or anomalous IAM principals making destructive lifecycle changes.
TimeWindow: Link the lifecycle policy change with other API activity that suggests a staged deletion or extortion attempt.
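The analytic above can be expressed as a small detection routine over CloudTrail records. The following Python is an added example, not MITRE's or any vendor's code: it flags lifecycle changes whose rules expire objects within the LifecycleExpirationDays threshold, prioritizes buckets whose names look like log or snapshot storage (TargetBucket), marks principals outside an allow-list (Principal), and correlates bursts where one principal hits several buckets inside a short TimeWindow. The sample records are constructed, and the nested layout of requestParameters.LifecycleConfiguration.Rule is an assumption about how CloudTrail records the S3 lifecycle APIs; check it against your own logs before deploying.

```python
"""Added example: flag cloud storage lifecycle changes that schedule near-immediate deletion."""
from datetime import datetime, timezone

# Event names from the analytic's Channel column (AWS S3 APIs plus the GCP method name).
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutLifecycleConfiguration",
                    "SetBucketLifecycle", "storage.buckets.update"}
MAX_EXPIRATION_DAYS = 1                                   # LifecycleExpirationDays threshold
SENSITIVE_BUCKET_MARKERS = ("log", "trail", "backup", "snapshot")  # assumed naming convention
# Principals expected to change lifecycle policies (constructed allow-list).
KNOWN_PRINCIPALS = frozenset({"arn:aws:iam::123456789012:role/lifecycle-admin"})


def _ts(s):
    """Parse a CloudTrail-style UTC timestamp such as 2025-10-21T10:01:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _rules(params):
    """Lifecycle rules from requestParameters; layout assumed, one rule may be a bare dict."""
    cfg = params.get("LifecycleConfiguration") or {}
    rules = cfg.get("Rule") or cfg.get("Rules") or []
    return [rules] if isinstance(rules, dict) else list(rules)


def rule_expiration_days(rule, now):
    """Days until the rule deletes objects, or None if it is not an enabled expiry rule."""
    if rule.get("Status", "Enabled") != "Enabled":
        return None
    exp = rule.get("Expiration") or {}
    if "Days" in exp:
        return int(exp["Days"])
    if "Date" in exp:  # absolute date: express as days from now, never negative
        return max(0, (_ts(str(exp["Date"])) - now).days)
    ncv = rule.get("NoncurrentVersionExpiration") or {}
    return int(ncv["NoncurrentDays"]) if "NoncurrentDays" in ncv else None


def analyze_event(event, known_principals=KNOWN_PRINCIPALS, max_days=MAX_EXPIRATION_DAYS, now=None):
    """Return a finding dict for a suspicious lifecycle change, else None."""
    if event.get("eventName") not in LIFECYCLE_EVENTS:
        return None
    now = now or datetime.now(timezone.utc)
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName") or params.get("bucket") or "<unknown>"
    principal = (event.get("userIdentity") or {}).get("arn", "<unknown>")
    days = [d for d in (rule_expiration_days(r, now) for r in _rules(params)) if d is not None]
    if not days or min(days) > max_days:
        return None  # no rapid-expiry rule: treat as a routine lifecycle change
    reasons = ["rapid_expiration"]
    if any(m in bucket.lower() for m in SENSITIVE_BUCKET_MARKERS):
        reasons.append("sensitive_bucket")
    if principal not in known_principals:
        reasons.append("unusual_principal")
    return {"eventTime": event.get("eventTime"), "eventName": event["eventName"], "bucket": bucket,
            "principal": principal, "min_expiration_days": min(days), "reasons": reasons}


def analyze_events(events, **kw):
    return [f for f in (analyze_event(e, **kw) for e in events) if f]


def bursts_by_principal(findings, window_seconds=600):
    """TimeWindow correlation: principals changing two or more buckets within the window."""
    by_principal = {}
    for f in findings:
        by_principal.setdefault(f["principal"], []).append(f)
    flagged = {}
    for principal, fs in by_principal.items():
        fs = sorted(fs, key=lambda f: f["eventTime"])
        for i, a in enumerate(fs):
            for b in fs[i + 1:]:
                if b["bucket"] != a["bucket"] and \
                        (_ts(b["eventTime"]) - _ts(a["eventTime"])).total_seconds() <= window_seconds:
                    flagged.setdefault(principal, set()).update({a["bucket"], b["bucket"]})
    return {p: sorted(b) for p, b in flagged.items()}


# Constructed sample records (not real CloudTrail output).
SAMPLE_NOW = datetime(2025, 10, 21, 10, 0, tzinfo=timezone.utc)
_ATTACKER = {"arn": "arn:aws:iam::123456789012:user/contractor-tmp"}
_ADMIN = {"arn": "arn:aws:iam::123456789012:role/lifecycle-admin"}
SAMPLE_EVENTS = [
    {"eventTime": "2025-10-21T10:01:00Z", "eventName": "PutBucketLifecycle", "userIdentity": _ATTACKER,
     "requestParameters": {"bucketName": "corp-cloudtrail-logs", "LifecycleConfiguration": {"Rule": [
         {"ID": "purge", "Status": "Enabled", "Filter": {"Prefix": ""}, "Expiration": {"Days": 1}}]}}},
    {"eventTime": "2025-10-21T10:03:00Z", "eventName": "PutLifecycleConfiguration", "userIdentity": _ADMIN,
     "requestParameters": {"bucketName": "app-static-assets", "LifecycleConfiguration": {"Rule": [
         {"ID": "archive", "Status": "Enabled", "Expiration": {"Days": 365}}]}}},
    {"eventTime": "2025-10-21T10:04:30Z", "eventName": "PutBucketLifecycle", "userIdentity": _ATTACKER,
     "requestParameters": {"bucketName": "prod-db-snapshots", "LifecycleConfiguration": {"Rule":
         {"ID": "expire-now", "Status": "Enabled", "Expiration": {"Date": "2025-10-21T00:00:00Z"}}}}},
    {"eventTime": "2025-10-21T10:05:00Z", "eventName": "ListBuckets", "userIdentity": _ATTACKER},
]


def run_sample():
    """Run the detection over the constructed records; returns (findings, bursts)."""
    findings = analyze_events(SAMPLE_EVENTS, now=SAMPLE_NOW)
    return findings, bursts_by_principal(findings)


if __name__ == "__main__":
    for f in run_sample()[0]:
        print(f)
    print(run_sample()[1])
```

Only the two records from the contractor principal produce findings; the admin's 365-day archive rule is ignored, and the burst correlation ties the two sensitive buckets together because both changes fall inside the 10-minute window. In production the allow-list, bucket markers and window would come from inventory data rather than constants.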