From fa85c19b973fae2ad9d0b4fa24456c71d04c9c3b Mon Sep 17 00:00:00 2001 From: Sean Johnstone <60245358+sj-sec@users.noreply.github.com> Date: Sat, 28 Oct 2023 19:17:14 -0400 Subject: [PATCH] Merge PR #4523 from @sj-sec - Add New AWS Rule `S3 Bucket Versioning Disable` new: AWS S3 Bucket Versioning Disable --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../aws_disable_bucket_versioning.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml diff --git a/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml new file mode 100644 index 000000000..e3694277b --- /dev/null +++ b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml @@ -0,0 +1,23 @@ +title: AWS S3 Bucket Versioning Disable +id: a136ac98-b2bc-4189-a14d-f0d0388e57a7 +status: experimental +description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects. +references: + - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 +author: Sean Johnstone | Unit 42 +date: 2023/10/28 +tags: + - attack.impact + - attack.t1490 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: s3.amazonaws.com + eventName: PutBucketVersioning + requestParameters|contains: 'Suspended' + condition: selection +falsepositives: + - AWS administrator legitimately disabling bucket versioning +level: medium
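Review bot: The selection's `requestParameters|contains: 'Suspended'` matches the string anywhere inside the whole requestParameters object rather than the versioning status itself, so any PutBucketVersioning request whose parameters happen to carry that substring (for example in a bucket name) would fire. In CloudTrail records for this API the status is carried under the request's VersioningConfiguration as a Status value, so scoping the match to that key would make the rule precise to the behaviour the description names (versioning being set to Suspended) and keep MFA-delete or other versioning changes from being lumped in. Separately, the selection does not exclude events that carry an errorCode, so a denied PutBucketVersioning call also alerts; that may be intended (failed attempts are still signal), but the description or falsepositives entry should say so.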