Description
Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.
Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation: GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once.
For example, in AWS environments, an adversary with the PutLifecycleConfiguration permission may use the PutBucketLifecycle API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day.(Citation: Palo Alto Cloud Ransomware)(Citation: Halcyon AWS Ransomware 2025) In addition to destroying data for purposes of extortion and Financial Theft, adversaries may also perform this action on buckets storing cloud logs for Indicator Removal.(Citation: Datadog S3 Lifecycle CloudTrail Logs)
Platforms
Mitigations (2)
User Account ManagementM1018
In cloud environments, limit permissions to modify cloud bucket lifecycle policies (e.g., PutLifecycleConfiguration in AWS) to only those accounts that require it. In AWS environments, consider using Service Control policies to limit the use of the PutBucketLifecycle API call.
Data BackupM1053
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
References
- AWS. (n.d.). Managing the lifecycle of objects. Retrieved September 25, 2024.
- Google Cloud. (n.d.). Object Lifecycle Management. Retrieved September 25, 2024.
- Halcyon RISE Team. (2025, January 13). Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C. Retrieved March 18, 2025.
- Microsoft Azure. (2024, July 3). Configure a lifecycle management policy. Retrieved September 25, 2024.
- Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25, 2024.
- Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through S3 Lifecycle Rule. Retrieved September 25, 2024.
Frequently Asked Questions
What is T1485.001 (Lifecycle-Triggered Deletion)?
T1485.001 is a MITRE ATT&CK technique named 'Lifecycle-Triggered Deletion'. It belongs to the Impact tactic(s). Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets often allow users to set lifecycle policies to automate the migra...
How can T1485.001 be detected?
Detection of T1485.001 (Lifecycle-Triggered Deletion) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1485.001?
There are 2 documented mitigations for T1485.001. Key mitigations include: User Account Management, Data Backup.
Which threat groups use T1485.001?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.