nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml

@@ -0,0 +1,126 @@
+[metadata]
+creation_date = "2024/07/02"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/07/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption.
+Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS
+key to deny their victims access to their own data.
+"""
+false_positives = [
+    """
+    Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an
+    account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before
+    taking action.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS S3 Object Encryption Using External KMS Key"
+note = """## Triage and analysis
+
+### Investigating AWS S3 Object Encryption Using External KMS Key
+
+This rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.
+This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.
+
+#### Possible Investigation Steps:
+
+- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.
+- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId.
+- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
+- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.
+- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.
+- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.
+- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.
+
+### False Positive Analysis:
+
+- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.
+- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
+
+### Response and Remediation:
+
+- **Immediate Review**: If the activity was unauthorized, search for potential ransom note placed in S3 bucket and review the bucket's access logs for any suspicious activity.
+- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions.
+- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.
+- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.
+- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.
+
+### Additional Information:
+
+For further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection:
+- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)
+- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)
+"""
+references = [
+    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/",
+    "https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/",
+    "https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/",
+    "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/",
+]
+risk_score = 47
+rule_id = "ab8f074c-5565-4bc4-991c-d49770e19fc9"
+setup = "AWS S3 data event types need to be enabled in the CloudTrail trail configuration."
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS S3",
+    "Data Source: AWS KMS",
+    "Use Case: Threat Detection",
+    "Tactic: Impact",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-* metadata _id, _version, _index
+
+// any successful S3 copy event
+| where
+  event.dataset == "aws.cloudtrail"
+  and event.provider == "s3.amazonaws.com"
+  and event.action == "CopyObject"
+  and event.outcome == "success"
+
+// dissect request parameters to extract KMS key info and target object info
+| dissect aws.cloudtrail.request_parameters
+    "{%{?bucketName}=%{Esql.aws_cloudtrail_request_parameters_target_bucket_name},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{Esql.aws_cloudtrail_request_parameters_kms_key_account_id}:%{?key}/%{Esql.aws_cloudtrail_request_parameters_kms_key_id},%{?Host}=%{?tls.client.server.name},%{?x-amz-server-side-encryption}=%{?server_side_encryption},%{?x-amz-copy-source}=%{?bucket.object.name},%{?key}=%{Esql.aws_cloudtrail_request_parameters_target_object_key}}"
+
+// detect cross-account key usage
+| where cloud.account.id != Esql.aws_cloudtrail_request_parameters_kms_key_account_id
+
+// keep ECS and dissected fields
+| keep
+  @timestamp,
+  aws.cloudtrail.user_identity.arn,
+  cloud.account.id,
+  event.action,
+  Esql.aws_cloudtrail_request_parameters_target_bucket_name,
+  Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
+  Esql.aws_cloudtrail_request_parameters_kms_key_id,
+  Esql.aws_cloudtrail_request_parameters_target_object_key
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+

nldcsc_elastic_rules/rules/integrations/aws/impact_s3_object_versioning_disabled.toml

@@ -0,0 +1,153 @@
+[metadata]
+creation_date = "2024/07/12"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/10/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows for multiple versions of an object to exist in the same bucket. This allows for easy recovery of deleted or overwritten objects. When object versioning is suspended for a bucket, it could indicate an adversary's attempt to inhibit system recovery following malicious activity. Additionally, when versioning is suspended, buckets can then be deleted.
+"""
+event_category_override = "event.type"
+false_positives = [
+    """
+    Administrators within an AWS Organization structure may legitimately suspend object versioning. Ensure that this behavior is not part of a legitimate operation before taking action.
+    """,
+]
+from = "now-6m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "AWS S3 Object Versioning Suspended"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating AWS S3 Object Versioning Suspended
+
+This rule detects when object versioning for an S3 bucket is suspended. S3 object versioning protects against data loss by maintaining prior versions of objects, allowing recovery if they are deleted or overwritten.  
+Adversaries with access to a misconfigured or compromised S3 bucket may disable versioning to inhibit recovery efforts, conceal data destruction, or prepare for ransomware-like activity.  
+This rule uses [EQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-eql-rule) to detect use of the `PutBucketVersioning` API operation where the request parameters include `Status=Suspended`.
+
+#### Possible investigation steps
+
+- **Identify the Actor**  
+  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who performed the action.  
+  - Verify whether this user or role has a legitimate operational reason to modify bucket versioning and whether such actions are common for this identity.
+
+- **Analyze the Source and Context**  
+  - Review `source.ip` and `user_agent.original` to assess the origin of the request.  
+  - Check for unusual geographic locations, IP ranges, or clients that do not typically manage storage configurations.  
+
+- **Evaluate the Affected Resource**  
+  - Review `aws.cloudtrail.resources.arn` or `aws.cloudtrail.request_parameters` to identify which bucket’s versioning was modified.  
+  - Determine whether this bucket contains critical or regulated data (logs, backups, audit evidence, etc.) that would be impacted by versioning suspension.
+
+- **Correlate with Related Activity**  
+  - Search for additional CloudTrail events performed by the same actor or IP address within the same timeframe, such as:  
+    - `DeleteObject`, `DeleteObjects`, or `PutBucketLifecycle` events (potential data destruction).  
+    - `PutBucketPolicy` or `PutBucketAcl` changes (permission manipulation).  
+  - Review other detections related to S3 buckets or IAM changes to determine if this event is part of a larger sequence of destructive or unauthorized actions.
+
+- **Validate Intent**  
+  - Confirm whether this configuration change aligns with approved maintenance or automation activity (e.g., cost optimization, test environment reset).  
+  - If no corresponding change request or justification exists, treat this as a potential defense evasion or impact event.
+
+### False positive analysis
+
+- **Legitimate Administrative Actions**  
+  - Administrators or infrastructure automation tools may suspend versioning during migrations or lifecycle testing. Confirm through change management documentation.  
+- **Automation and Pipelines**  
+  - Verify whether Infrastructure-as-Code tools (e.g., Terraform, CloudFormation) or backup lifecycle scripts routinely modify versioning states.  
+  - Exclude predictable automation identities where justified, while ensuring strong audit controls remain in place.
+
+### Response and remediation
+
+**Containment and Validation**  
+- Re-enable versioning immediately for the affected bucket using the AWS Console or CLI (`aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Enabled`).  
+- Verify the change with `get-bucket-versioning` to confirm the bucket is restored to “Enabled.”  
+- Identify IAM users or roles with `s3:PutBucketVersioning` permissions and restrict access to trusted administrators only.  
+- Preserve relevant CloudTrail, Config, and CloudWatch logs for the timeframe of the change to ensure integrity of investigation evidence.
+
+**Investigation and Scoping**  
+- Search CloudTrail for related actions by the same user or IP, including `DeleteObject`, `PutBucketLifecycle`, or `PutBucketPolicy`, to determine whether versioning suspension preceded object deletion or policy manipulation.  
+- Review S3 access logs or Data Events for deleted, overwritten, or newly uploaded files after versioning suspension.  
+- Validate if the change corresponds to an authorized change request or approved pipeline deployment.
+
+**Recovery and Hardening**  
+- If object loss or overwrites occurred, attempt recovery using cross-region replication, AWS Backup, or previous snapshot copies.  
+- Enable S3 Object Lock and MFA Delete on critical buckets to prevent future tampering.  
+- Configure the AWS Config rule `s3-bucket-versioning-enabled` to continuously monitor for versioning suspension and trigger automated alerts.  
+- Review IAM and service control policies to ensure the principle of least privilege is enforced for all S3 management actions.  
+- Document findings and update incident response procedures to include versioning protection as part of ransomware and data destruction prevention strategies.
+
+
+### Additional information
+- AWS Documentation: [Using Versioning in S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html)  
+- API Reference: [PutBucketVersioning](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning.html)  
+- [AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)
+- [AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)
+"""
+references = [
+    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html/",
+    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning.html/",
+    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation/",
+    "https://www.invictus-ir.com/news/ransomware-in-the-cloud/",
+    "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/",
+]
+risk_score = 47
+rule_id = "30b5bb96-c7db-492c-80e9-1eab00db580b"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS S3",
+    "Use Case: Threat Detection",
+    "Tactic: Impact",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+info where event.dataset == "aws.cloudtrail"
+   and event.provider == "s3.amazonaws.com"
+   and event.action == "PutBucketVersioning"
+   and event.outcome == "success"
+   and stringContains(aws.cloudtrail.request_parameters, "Status=Suspended")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1490"
+name = "Inhibit System Recovery"
+reference = "https://attack.mitre.org/techniques/T1490/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "aws.cloudtrail.resources.arn", 
+    "aws.cloudtrail.resources.type", 
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters"
+]

nldcsc_elastic_rules/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml

@@ -0,0 +1,154 @@
+[metadata]
+creation_date = "2025/04/15"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/10/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a JavaScript file is uploaded in an S3 static site directory (`static/js/`) by an IAM
+user or assumed role. This can indicate suspicious modification of web content hosted on S3, such as injecting malicious
+scripts into a static website frontend.
+"""
+false_positives = [
+    """
+    Development or deployment pipelines that update static frontends frequently (e.g., React/Vue apps) may trigger this.
+    Verify the user agent, source IP, and whether the modification was expected.
+    """,
+]
+from = "now-6m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS S3 Static Site JavaScript File Uploaded"
+note = """## Triage and Analysis
+
+### Investigating AWS S3 Static Site JavaScript File Uploaded
+
+An S3 `PutObject` action that targets a path like `static/js/` and uploads a `.js` file is a potential signal for web content modification. If done by an unexpected IAM user or outside of CI/CD workflows, it may indicate a compromise.
+
+#### Possible Investigation Steps
+
+- **Identify the Source User**: Check `aws.cloudtrail.user_identity.arn`, access key ID, and session type (`IAMUser`, `AssumedRole`, etc).
+- **Review File Content**: Use the S3 `GetObject` or CloudTrail `requestParameters` to inspect the uploaded file for signs of obfuscation or injection.
+- **Correlate to Other Events**: Review events from the same IAM user before and after the upload (e.g., `ListBuckets`, `GetCallerIdentity`, IAM activity).
+- **Look for Multiple Uploads**: Attackers may attempt to upload several files or modify multiple directories.
+
+### False Positive Analysis
+
+- This behavior may be expected during app deployments. Look at:
+  - The `user_agent.original` to detect legitimate CI tools (like Terraform or GitHub Actions).
+  - Timing patterns—does this match a regular release window?
+  - The origin IP and device identity.
+
+### Response and Remediation
+
+- **Revert Malicious Code**: Replace the uploaded JS file with a clean version and invalidate CloudFront cache if applicable.
+- **Revoke Access**: If compromise is confirmed, revoke the IAM credentials and disable the user.
+- **Audit IAM Policies**: Ensure that only deployment users can modify static site buckets.
+- **Enable Bucket Versioning**: This can allow for quick rollback and historical review.
+"""
+references = [
+    "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/",
+    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteHosting.html",
+    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html",
+]
+risk_score = 47
+rule_id = "16acac42-b2f9-4802-9290-d6c30914db6e"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS S3",
+    "Tactic: Impact",
+    "Use Case: Web Application Compromise",
+    "Use Case: Cloud Threat Detection",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail* metadata _id, _version, _index
+
+| where
+    // S3 object write activity
+    event.dataset == "aws.cloudtrail"
+    and event.provider == "s3.amazonaws.com"
+    and event.action == "PutObject"
+    and event.outcome == "success"
+
+    // IAM users or assumed roles only
+    and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")
+
+    // Requests for static site bundles
+    and aws.cloudtrail.request_parameters like "*static/js/*.js*"
+
+    // Exclude IaC and automation tools
+    and not (
+        user_agent.original like "*Terraform*"
+        or user_agent.original like "*Ansible*"
+        or user_agent.original like "*Pulumi*"
+    )
+
+// Extract fields from request parameters
+| dissect aws.cloudtrail.request_parameters
+    "%{{?bucket.name.key}=%{Esql.aws_cloudtrail_request_parameters_bucket_name}, %{?host.key}=%{Esql_priv.aws_cloudtrail_request_parameters_host}, %{?bucket.object.location.key}=%{Esql.aws_cloudtrail_request_parameters_bucket_object_location}}"
+
+// Extract file name portion from full object path
+| dissect Esql.aws_cloudtrail_request_parameters_bucket_object_location "%{}static/js/%{Esql.aws_cloudtrail_request_parameters_object_key}"
+
+// Match on JavaScript files
+| where ends_with(Esql.aws_cloudtrail_request_parameters_object_key, ".js")
+
+// Retain relevant ECS and dissected fields
+| keep
+    aws.cloudtrail.user_identity.arn,
+    aws.cloudtrail.user_identity.access_key_id,
+    aws.cloudtrail.user_identity.type,
+    aws.cloudtrail.request_parameters,
+    Esql.aws_cloudtrail_request_parameters_bucket_name,
+    Esql.aws_cloudtrail_request_parameters_object_key,
+    user_agent.original,
+    source.ip,
+    event.action,
+    @timestamp
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "aws.cloudtrail.resources.arn",
+    "aws.cloudtrail.resources.type",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements"
+]
+

nldcsc_elastic_rules/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml

@@ -0,0 +1,143 @@
+[metadata]
+creation_date = "2025/01/15"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/07/10"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when AWS S3 objects stored in a bucket are encrypted using Server-Side Encryption with Customer-Provided Keys (SSE-C). Adversaries with compromised AWS credentials can encrypt objects in an S3 bucket using their own encryption keys, rendering the objects unreadable or recoverable without the key. This can be used as a form of ransomware to extort the bucket owner for the decryption key. This is a New Terms rule that flags when this behavior is observed for the first time user and target bucket name.
+"""
+false_positives = [
+    """
+    Legitimate use of Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt objects in an S3 bucket.
+    """,
+]
+from = "now-6m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual AWS S3 Object Encryption with SSE-C"
+note = """### Triage and Analysis
+
+#### Investigating Unusual AWS S3 Object Encryption with SSE-C
+This rule identifies the use of Server-Side Encryption with Customer-Provided Keys (SSE-C) in AWS S3. This could indicate malicious activity, such as ransomware encrypting objects, rendering them inaccessible without the corresponding encryption keys.
+
+##### Possible Investigation Steps
+
+1. **Identify the User and Source**:
+   - Review the `aws.cloudtrail.user_identity.arn` to identify the IAM user or role performing the operation.
+   - Cross-check the `source.ip` and `user_agent.original` fields for unusual IPs or user agents that could indicate unauthorized access.
+   - Review the `aws.cloudtrail.user_identity.access_key_id` to identify the access key used. This could be a compromised key.
+
+2. **Examine the Targeted Resources**:
+   - Check `aws.cloudtrail.request_parameters` to identify the bucket involved.
+   - Analyze the object key from `aws.cloudtrail.request_parameters`.
+
+3. **Evaluate Encryption Behavior**:
+   - Confirm the encryption details in `aws.cloudtrail.request_parameters` and `aws.cloudtrail.additional_eventdata`.
+   - Note if `SSEApplied` is `SSE-C`, which confirms encryption using a customer-provided key.
+
+4. **Correlate with Recent Events**:
+   - Look for any suspicious activity in proximity to the encryption event, such as new access key creation, policy changes, or unusual access patterns from the same user or IP.
+   - Identify `ListBucket` or `GetObject` operations on the same bucket to determine all affected objects.
+   - For `PutObject` events, identify any other unusual objecs uploaded such as a ransom note.
+
+5. **Validate Access Permissions**:
+   - Check the IAM policies and roles associated with the user to verify if they had legitimate access to encrypt objects.
+
+6. **Assess Impact**:
+   - Identify the number of encrypted objects in the bucket by examining other similar events.
+   - Determine if this encryption aligns with standard business practices or constitutes a deviation.
+
+### False Positive Analysis
+
+- **Legitimate Use Cases**:
+  - Confirm if SSE-C encryption is part of regular operations for compliance or data protection.
+  - Cross-reference known processes or users authorized for SSE-C encryption in the affected bucket.
+
+### Response and Remediation
+
+1. **Immediate Actions**:
+   - Disable access keys or permissions for the user if unauthorized behavior is confirmed.
+   - Rotate the bucket's encryption configuration to mitigate further misuse.
+
+2. **Data Recovery**:
+   - Attempt to identify and contact the party holding the SSE-C encryption keys if recovery is necessary.
+
+3. **Enhance Monitoring**:
+   - Enable alerts for future SSE-C encryption attempts in critical buckets.
+   - Review and tighten IAM policies for roles and users accessing S3.
+
+4. **Post-Incident Review**:
+   - Audit logs for additional activities by the same user or IP.
+   - Document findings and apply lessons learned to improve preventive measures.
+"""
+references = [
+    "https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c",
+    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html",
+]
+risk_score = 73
+rule_id = "c1a9ed70-d349-11ef-841c-f661ea17fbcd"
+setup = "AWS S3 data event types need to be enabled in the CloudTrail trail configuration."
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS S3",
+    "Resources: Investigation Guide",
+    "Use Case: Threat Detection",
+    "Tactic: Impact",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+    and event.provider: "s3.amazonaws.com"
+    and event.action: "PutObject"
+    and event.outcome: "success"
+    and aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm: "AES256"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "source.ip",
+    "user_agent.original",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.additional_eventdata",
+    "aws.cloudtrail.response_elements",
+    "cloud.region",
+    "cloud.account.id",
+]
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["cloud.account.id", "user.name", "tls.client.server_name"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+