Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0606: Analytic 0606

Encryption of cloud storage objects (e.g., S3 buckets) via Server-Side Encryption (SSE-C) or by replacing objects with encrypted variants. May include API patterns like PutObject with SSE-C headers.

EnterpriseAN0606AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic concerns suspicious encryption of cloud storage objects in IaaS environments, such as objects in S3-style buckets being written with server-side customer-provided encryption keys or replaced by encrypted variants. The business issue is not simply “encryption happened”; it is whether storage can become unreadable, inaccessible to normal recovery processes, or difficult to investigate if encryption is performed outside approved data-protection workflows.

Executive priority

Security leaders should treat this as a cloud resilience and evidence-retention question: can the organization distinguish approved storage encryption from unauthorized mass object replacement or unusual encryption-header usage? Priority should be driven by the criticality of affected cloud object stores, backup and recovery requirements, audit obligations, and whether cloud logging is sufficient for incident decisions.

Technical view

For SOC, cloud security, and IR teams, validation should focus on IaaS object-storage write activity and encryption-related request metadata. The supplied ATT&CK object specifically mentions cloud storage objects, SSE-C-style encryption, object replacement with encrypted variants, and API patterns such as PutObject with SSE-C headers. Because no official detection logic or relationships are supplied, teams should build local baselines for normal encryption behavior, approved services, expected principals, and expected bucket/object paths before alerting on deviations.

Likely telemetry

  • Cloud object-storage API audit logs for write operations such as PutObject or equivalent
  • Request metadata showing server-side encryption usage, including SSE-C-style headers where available
  • Object creation, overwrite, and replacement events for sensitive buckets or storage paths
  • Identity and access context for the calling principal, role, account, source location, and session
  • Bucket/object configuration and access policy change history relevant to storage encryption and write permissions

Detection direction

  • Validate that cloud audit logging captures object write operations and encryption-related request attributes; without these fields, this behavior may be difficult to separate from normal storage activity.
  • Tune detections around unusual use of SSE-C-style headers, unexpected principals performing encrypted writes, sudden increases in object overwrites, or encryption behavior outside approved pipelines.
  • Compare activity against known application, backup, data-protection, and migration workflows to reduce false positives from legitimate encryption or re-encryption processes.
  • Prioritize alerting for critical buckets, regulated data locations, production application storage, and storage where versioning or recovery evidence is weak.
  • Because ATT&CK provides no official detection text for this analytic, detection engineering should be validated with local cloud logs and approved encryption use cases rather than assumed from the ATT&CK entry alone.

Mitigation priorities

  • Inventory critical IaaS object stores and document expected encryption methods, approved writers, and recovery requirements.
  • Restrict object write and encryption-related permissions to authorized identities and services using least privilege.
  • Ensure cloud audit logs retain sufficient object-write and request-metadata detail for investigation and compliance evidence.
  • Use storage resilience controls such as versioning, retention, and tested recovery processes where appropriate to the business risk.
  • Review exceptions for services that legitimately perform bulk object replacement or encryption so monitoring can distinguish normal operations from suspicious changes.
Analyst notes and limits

This object is a detection analytic, not a technique entry. It is limited to IaaS platforms and describes encryption of cloud storage objects, including SSE-C-style usage and replacement with encrypted variants. No tactics, official detection logic, aliases, labels, or relationship context were supplied, so recommendations are framed as validation priorities rather than confirmed ATT&CK detection coverage.

The supplied ATT&CK fields do not provide a detection query, specific cloud provider control guidance, adversary attribution, active exploitation evidence, or related techniques. Local environment details are required to determine which storage services, identities, logs, and recovery controls are relevant.

Official MITRE ATT&CK definition

Analytic 0606

Encryption of cloud storage objects (e.g., S3 buckets) via Server-Side Encryption (SSE-C) or by replacing objects with encrypted variants. May include API patterns like PutObject with SSE-C headers.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
557281041051bfd4...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 557281041051…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0606
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use