T1485.001 Lifecycle-Triggered Deletion Mappings

Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.

Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation: GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once.

For example, in AWS environments, an adversary with the PutLifecycleConfiguration permission may use the PutBucketLifecycle API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition to destroying data for purposes of extortion and Financial Theft, adversaries may also perform this action on buckets storing cloud logs for Indicator Removal.(Citation: Datadog S3 Lifecycle CloudTrail Logs)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CP-10 System Recovery and Reconstitution mitigates T1485.001 Lifecycle-Triggered Deletion
CP-09 System Backup mitigates T1485.001 Lifecycle-Triggered Deletion
SI-07 Software, Firmware, and Information Integrity mitigates T1485.001 Lifecycle-Triggered Deletion
AC-02 Account Management mitigates T1485.001 Lifecycle-Triggered Deletion
AC-03 Access Enforcement mitigates T1485.001 Lifecycle-Triggered Deletion
AC-06 Least Privilege mitigates T1485.001 Lifecycle-Triggered Deletion

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1485.001 Lifecycle-Triggered Deletion
attribute.availability.variety.Destruction Destruction related-to T1485.001 Lifecycle-Triggered Deletion
attribute.availability.variety.Interruption Interruption related-to T1485.001 Lifecycle-Triggered Deletion

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
backup_and_dr_actifiogo Backup and DR-Actifio GO technique_scores T1485.001 Lifecycle-Triggered Deletion
Comments
Backup and DR-Actifio GO is a copy data management plaform that virtualizes application data to improve an organizations resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to a Data Destruction event since an organization could easily restore lost data back to the latest backup.
References