DET0041: Detection of Lifecycle Policy Modifications for Triggered Deletion in IaaS Cloud Storage
Analyst context for executives and security teams
DET0041 is a detection strategy for spotting changes to cloud storage lifecycle policies that could trigger deletion of stored objects. The business issue is resilience: lifecycle policies are normal administrative features, but if misused by an actor with sufficient permissions they can turn routine automation into large-scale data destruction in IaaS storage.
Executive priority
Treat this as a control-validation topic for cloud data durability and incident readiness. Leaders should ask whether changes to storage lifecycle policies are logged, reviewed, and recoverable; whether privileged cloud identities can modify deletion rules without oversight; and whether evidence exists for audits or post-incident decisions. This is especially relevant where cloud object storage supports critical operations, backups, records, or compliance evidence.
Technical view
This detection strategy is related to ATT&CK technique T1485.001, Lifecycle-Triggered Deletion, under the Impact tactic for IaaS. SOC, cloud security, and IR teams should validate that administrative modifications to bucket or object-storage lifecycle policies are visible in cloud control-plane logs and can be correlated with identity, target storage resource, policy action, and timing. Because the official ATT&CK object does not provide detection logic, teams should define local baselines for expected lifecycle policy changes and escalate unusual deletion-oriented modifications, especially by unexpected identities or outside approved change windows.
Likely telemetry
- Cloud control-plane audit logs for storage lifecycle policy create, update, or delete events
- Identity and access management context for the principal making the change
- Cloud storage bucket or container configuration change history
- Change-management records for approved lifecycle policy modifications
- Object deletion, expiration, or lifecycle execution logs where available
Detection direction
- Confirm that lifecycle policy modification events are collected for the relevant IaaS storage services identified in the related technique.
- Correlate policy changes with identity context, privilege level, source context, affected bucket/container, and whether the rule enables or accelerates deletion.
- Tune detections against approved retention, archival, and cost-management changes to reduce false positives.
- Prioritize alerting for deletion-oriented lifecycle rules on critical storage locations, backups, regulated records, or repositories used for recovery.
- Validate blind spots: short log retention, missing cloud audit logging, unmanaged accounts, service principals with broad storage administration rights, and lack of visibility into configuration drift.
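One way to implement the correlation and baselining steps above, as an added example that is not part of the ATT&CK object or of this page's source. The normalized event schema, field names, identities, bucket names and baseline values are all constructed assumptions; map them from your provider's control-plane audit log.

```python
from datetime import datetime

# Assumed local baseline: approved identities, critical storage, change window.
BASELINE = {"approved_principals": {"svc-storage-lifecycle"},
            "critical_buckets": {"backups-prod", "audit-records"},
            "change_window_utc": (9, 17)}   # approved hours, [start, end)

def deletion_days(rules):
    """Smallest expiration in days among enabled rules; None if none delete."""
    days = [r["expire_days"] for r in rules
            if r.get("enabled") and r.get("expire_days") is not None]
    return min(days) if days else None

def assess(event, baseline=BASELINE):
    """Return (severity, reasons) for one normalized lifecycle-change event."""
    new = deletion_days(event["new_rules"])
    if new is None:
        return "none", []   # transition/archival only: nothing is deleted
    old = deletion_days(event.get("old_rules", []))
    reasons = []
    if old is None:
        reasons.append("deletion rule introduced")
    elif new < old:
        reasons.append(f"expiration shortened {old}d -> {new}d")
    if event["principal"] not in baseline["approved_principals"]:
        reasons.append("unexpected identity")
    start, end = baseline["change_window_utc"]
    hour = datetime.fromisoformat(event["time"]).hour   # timestamps are UTC
    if not (start <= hour < end) or not event.get("change_ticket"):
        reasons.append("outside approved change process")
    if not reasons:
        return "none", []
    critical = event["bucket"] in baseline["critical_buckets"]
    return ("high" if critical and len(reasons) >= 2 else "medium"), reasons

def triage(events, baseline=BASELINE):
    """Return (bucket, severity, reasons) for every event worth escalating."""
    scored = [(e["bucket"], *assess(e, baseline)) for e in events]
    return [s for s in scored if s[1] != "none"]

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"time": "2025-01-10T10:15:00", "principal": "svc-storage-lifecycle",
     "bucket": "logs-dev", "change_ticket": "CHG-1001",
     "old_rules": [{"enabled": True, "expire_days": 365}],
     "new_rules": [{"enabled": True, "expire_days": 365}]},
    {"time": "2025-01-11T02:40:00", "principal": "contractor-admin",
     "bucket": "backups-prod", "change_ticket": None, "old_rules": [],
     "new_rules": [{"enabled": True, "expire_days": 1}]},
]
```

Calling `triage(EVENTS)` escalates only the second event; the first is an approved identity re-applying an unchanged retention rule inside the change window.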
Mitigation priorities
- Restrict who can modify storage lifecycle policies using least privilege and separation of duties.
- Require approval and change tracking for lifecycle rules that delete or expire objects.
- Enable and retain cloud audit logs for storage configuration changes.
- Protect critical storage with recovery-oriented controls such as versioning, retention, backup, or immutability where available and appropriate.
- Regularly review privileged identities and automation that can alter storage retention or deletion policies.
Analyst notes and limits
The supplied ATT&CK detection-strategy object has no official description, detection text, tactics, or platform fields of its own. The practical interpretation is derived from its name and its relationship to T1485.001, Lifecycle-Triggered Deletion, which describes adversaries modifying IaaS cloud storage lifecycle policies to delete stored objects.
This take does not assert active exploitation, attribution, vendor-specific behavior, or guaranteed detection coverage. Local cloud provider services, logging configuration, retention settings, identity model, and change-management practices are required to determine actual risk and detection quality.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1485.001 | Lifecycle-Triggered Deletion (Sub-technique) | This object detects Lifecycle-Triggered Deletion. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 03fcc92799c8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0041
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.