MITRE ATT&CK® Analytic

AN0117: Analytic 0117

Adversary with write access to storage modifies lifecycle policies (e.g., via PutBucketLifecycle) to schedule rapid object deletion across one or more storage buckets. This is often used to trigger impact (destruction), remove logs (defense evasion), or force extortion (ransomware).

Enterprise | AN0117 | Analytic | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic concerns a cloud storage risk: an adversary who already has write access can change storage lifecycle policies so objects are deleted quickly across one or more buckets. For leaders, the business issue is not the policy change itself; it is the potential loss of business data, audit logs, recovery evidence, or operational records if lifecycle controls are not monitored and governed.

Executive priority

Prioritize this where IaaS object storage holds regulated data, backups, application content, security logs, or evidence needed for incident response and compliance. Executives should ask whether lifecycle policy changes are approved, logged, alerted, and recoverable, and whether cloud identity permissions allow too many users or workloads to modify deletion behavior. This is relevant to resilience planning, ransomware/extortion readiness, and audit evidence preservation.

Technical view

SOC, cloud security, and IR teams should validate visibility into IaaS storage lifecycle policy modification events, especially changes that accelerate deletion or apply broadly across buckets. Because ATT&CK provides no official detection logic for AN0117, teams should build local analytics around control-plane events such as lifecycle configuration creation, update, or replacement, then enrich with identity, bucket criticality, prior change history, and whether affected buckets contain logs, backups, or production data.

Likely telemetry

  • IaaS cloud control-plane audit logs for storage bucket lifecycle policy changes
  • Identity and access management logs showing the principal, role, session, source, and authentication context
  • Storage bucket configuration history or cloud configuration snapshots
  • Change management or infrastructure-as-code deployment records for approved lifecycle policy updates
  • Object storage inventory, retention, versioning, backup, or replication status for affected buckets

Detection direction

  • Alert on lifecycle policy changes that shorten retention, introduce rapid expiration, or expand deletion scope across sensitive buckets.
  • Compare policy changes against approved change windows, infrastructure-as-code commits, and expected administrative identities to reduce false positives from legitimate retention management.
  • Prioritize detections for buckets containing logs, backups, compliance records, customer data, or operational dependencies.
  • Correlate lifecycle policy changes with unusual identity activity, new credentials, role assumption, or access from atypical locations where local telemetry supports it.
  • Treat absence of storage control-plane logging or configuration history as a material blind spot because ATT&CK supplies no ready-made detection logic for this analytic.
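
The detection direction above, sketched as an added example (not MITRE's or Glexia's own logic): it scores lifecycle-change events for rapid expiration, shortened retention, whole-bucket scope, bucket sensitivity and unapproved identity, and escalates when one principal changes several buckets within a short window. The event schema, thresholds, bucket names, principals and baseline values are assumptions constructed for illustration; map them to the fields your provider's control-plane audit log actually emits.

```python
from datetime import datetime, timedelta

# Hypothetical tuning values and inventories (assumptions, not from the page).
RAPID_DAYS, BURST = 7, timedelta(minutes=30)
SENSITIVE = {"org-audit-logs": "logs", "org-db-backups": "backups"}
APPROVED = {"role/iac-deployer"}          # identities expected to change lifecycle
BASELINE = {"org-audit-logs": 365, "org-db-backups": 90, "web-assets": 30}  # approved days

def ev(time, principal, bucket, enabled, prefix, days):  # assumed provider-neutral schema
    return {"time": datetime.fromisoformat(time), "event": "PutBucketLifecycle", "principal": principal,
            "bucket": bucket, "rules": [{"enabled": enabled, "prefix": prefix, "expire_days": days}]}

EVENTS = [  # constructed sample data
    ev("2024-05-01T02:10:00", "user/dev-7", "org-audit-logs", True, "", 1),
    ev("2024-05-01T02:14:00", "user/dev-7", "org-db-backups", True, "", 1),
    ev("2024-05-01T09:00:00", "role/iac-deployer", "web-assets", True, "tmp/", 30),
    ev("2024-05-01T09:05:00", "user/ops-2", "web-assets", False, "", 1),
]

def score_event(e):
    """Return reasons a lifecycle change looks risky; empty list if it deletes nothing."""
    active = [r for r in e["rules"] if r["enabled"] and r["expire_days"] is not None]
    if not active:
        return []                         # disabled rules schedule no deletion
    fastest, reasons = min(r["expire_days"] for r in active), []
    if fastest <= RAPID_DAYS:
        reasons.append("rapid_expiration")
    if fastest < BASELINE.get(e["bucket"], fastest):
        reasons.append("retention_shortened")
    if any(r["prefix"] == "" for r in active):
        reasons.append("whole_bucket_scope")
    if e["bucket"] in SENSITIVE:
        reasons.append("sensitive:" + SENSITIVE[e["bucket"]])
    if e["principal"] not in APPROVED:
        reasons.append("unapproved_principal")
    return reasons

def detect(events):
    """Alert on rapid-expiration changes; escalate sensitive buckets and multi-bucket bursts."""
    hits = [(e, score_event(e)) for e in events if e["event"] == "PutBucketLifecycle"]
    hits = [(e, r) for e, r in hits if "rapid_expiration" in r]
    alerts = []
    for e, reasons in hits:
        burst = {o["bucket"] for o, _ in hits if o["principal"] == e["principal"]
                 and abs(o["time"] - e["time"]) <= BURST}
        high = len(burst) > 1 or e["bucket"] in SENSITIVE
        alerts.append({"bucket": e["bucket"], "principal": e["principal"],
                       "severity": "high" if high else "medium", "reasons": reasons})
    return alerts
```

Running `detect(EVENTS)` flags the two one-day, whole-bucket rules set by the same principal on the log and backup buckets, and ignores both the approved 30-day prefix rule and the disabled rule.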

Mitigation priorities

  • Restrict permissions to create or modify storage lifecycle policies using least privilege and separation of duties.
  • Require governed change control for lifecycle policy modifications on critical buckets.
  • Enable and retain cloud control-plane audit logging for storage configuration changes.
  • Use storage protections appropriate to the environment, such as versioning, retention controls, replication, or backup strategies, especially for logs and recovery data.
  • Regularly review bucket lifecycle policies for overly aggressive deletion rules or unauthorized drift from approved baselines.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for IaaS storage lifecycle policy abuse. It identifies the behavior and gives examples such as PutBucketLifecycle, but provides no official detection text, tactics field, relationships, procedures, or platform detail beyond IaaS. Defensive value therefore depends on local cloud audit logging, identity context, bucket classification, and retention requirements.

This take is based only on the supplied STIX fields, external reference, and lack of relationship context. It does not assert active exploitation, attribution, confirmed detection coverage, or vendor-specific behavior. Local cloud provider semantics and logging configuration must be validated before operationalizing detections.

Official MITRE ATT&CK definition

Analytic 0117

Adversary with write access to storage modifies lifecycle policies (e.g., via PutBucketLifecycle) to schedule rapid object deletion across one or more storage buckets. This is often used to trigger impact (destruction), remove logs (defense evasion), or force extortion (ransomware).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created
Modified
Raw hash: 274db991613a57f1...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 274db991613a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0117

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.