T1485.001: Lifecycle-Triggered Deletion

Lifecycle-Triggered Deletion is a cloud impact technique where an adversary with enough permissions changes an IaaS storage bucket lifecycle policy so stored objects are automatically deleted. The business risk is not just “someone deleted files”; it is that a normal cloud administration feature can be turned into delayed or broad data destruction, including against buckets that store operational data or cloud logs.

Executive priority

Treat this as a resilience and permissions-governance issue for cloud storage. Leaders should ask whether critical buckets, backup locations, and log storage have change controls around lifecycle policies; whether identities with permissions such as AWS S3 lifecycle configuration changes are limited and monitored; and whether recovery evidence exists if a lifecycle rule deletes data. This matters for business continuity, incident response readiness, audit evidence retention, and ransomware/extortion decision-making, while the ATT&CK object supports only IaaS cloud storage scope.

Technical view

For SOC, detection engineering, cloud security, and IR teams, validate monitoring for lifecycle policy creation or modification on cloud storage buckets. ATT&CK cites AWS `PutLifecycleConfiguration` / `PutBucketLifecycle` as an example path for S3. Equivalent lifecycle-management policy changes should be reviewed across supported IaaS storage services where used. Because no official ATT&CK detection text is provided, use the related detection strategy DET0041 as directional context: focus on lifecycle policy modifications that can trigger deletion, especially on high-value data buckets and buckets containing cloud logs. Relate findings to the parent technique Data Destruction and to possible log impairment/indicator removal context when log buckets are affected.

Likely telemetry

Cloud control-plane audit logs for storage bucket lifecycle policy create, update, or delete actions
Identity and access management records showing principals allowed to modify storage lifecycle policies
Bucket configuration history or cloud asset inventory showing lifecycle rules, retention periods, and recent changes
Alerts or tickets from change-management systems for approved lifecycle policy updates
Object deletion, expiration, or retention events where available from the cloud provider

Detection direction

Inventory which buckets have lifecycle policies and which identities can modify them; prioritize buckets holding critical data, backups, or cloud logs.
Alert on lifecycle policy changes that shorten retention, add deletion/expiration actions, or apply broadly to all objects.
Tune for expected administrative activity by comparing against approved change windows, change tickets, and known automation roles.
Pay special attention to changes on log buckets, because the ATT&CK description notes this behavior may support indicator removal when cloud logs are stored in affected buckets.
Validate whether control-plane logs are retained outside the same bucket or account boundary; otherwise the deletion mechanism may also remove evidence needed for investigation.

Mitigation priorities

Apply User Account Management and least-privilege principles so only necessary administrators or automation roles can modify lifecycle policies.
Require change approval and review for lifecycle rules on critical, backup, and log-storage buckets.
Maintain Data Backup practices for critical cloud storage, with recovery paths protected from the same identities that can alter production bucket lifecycle policies.
Use retention and recovery designs that preserve audit and security logs even if a production bucket lifecycle policy is maliciously changed.
Regularly review lifecycle configurations for overly broad deletion rules or unexpectedly short retention windows.

Analyst notes and limits

This object is a sub-technique of Data Destruction under the Impact tactic and is scoped to IaaS. The supplied relationships identify DET0041 as a detection strategy and M1018 User Account Management plus M1053 Data Backup as mitigations. AWS S3 examples are explicitly supplied; Azure and GCP lifecycle-management references support the broader cloud storage lifecycle concept, but provider-specific detection details must be validated locally.

ATT&CK does not provide official detection text for this technique, and the supplied data does not establish active exploitation, attribution, prevalence, or guaranteed detection coverage. This take should be adapted to the organization’s actual cloud providers, bucket usage, IAM model, audit logging, retention requirements, and backup architecture.

Official MITRE ATT&CK definition

Lifecycle-Triggered Deletion

Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.

Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.[1][2][3] If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once.

For example, in AWS environments, an adversary with the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle` API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day.[4][5] In addition to destroying data for purposes of extortion and Financial Theft, adversaries may also perform this action on buckets storing cloud logs for Indicator Removal.[6]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1485	Data Destruction	This object subtechnique of Data Destruction.

Relationship explorer

All related ATT&CK context

subtechnique of · Technique T1485: Data Destruction Enterprise mitigates · Mitigation M1018: User Account Management Enterprise detects · Detection Strategy DET0041: Detection of Lifecycle Policy Modifications for Triggered Deletion in IaaS Cloud Storage Enterprise mitigates · Mitigation M1053: Data Backup Enterprise

Mitigations

Mitigation direction

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

M1053: Data Backup

Data Backup involves taking and securely storing backups of data from end-user systems and critical servers. It ensures that data remains available in the event of system compromise, ransomware attacks, or other disruptions. Backup processes should include hardening backup systems, implementing secure storage solutions, and keeping backups isolated from the corporate network to prevent compromise during active incidents. This mitigation can be implemented through the following measures:

Regular Backup Scheduling: - Use Case: Ensure timely and consistent backups of critical data. - Implementation: Schedule daily incremental backups and weekly full backups for all critical servers and systems.

Immutable Backups: - Use Case: Protect backups from modification or deletion, even by attackers. - Implementation: Use write-once-read-many (WORM) storage for backups, preventing ransomware from encrypting or deleting backup files.

Backup Encryption: - Use Case: Protect data integrity and confidentiality during transit and storage. - Implementation: Encrypt backups using strong encryption protocols (e.g., AES-256) before storing them in local, cloud, or remote locations.

Offsite Backup Storage: - Use Case: Ensure data availability during physical disasters or onsite breaches. - Implementation: Use cloud-based solutions like AWS S3, Azure Backup, or physical offsite storage to maintain a copy of critical data.

Backup Testing: - Use Case: Validate backup integrity and ensure recoverability. - Implementation: Regularly test data restoration processes to ensure that backups are not corrupted and can be recovered quickly.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created: Sep 25, 2024, 13:16 UTC (UTC+00:00)
Modified: Apr 15, 2025, 19:58 UTC (UTC+00:00)
Raw hash: 3fc2072b3c1ec7f9...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.1	Apr 15, 2025, 19:58 UTC (UTC+00:00)	Current bundle	`3fc2072b3c1e…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
AWS Storage Lifecycles

AWS. (n.d.). Managing the lifecycle of objects. Retrieved September 25, 2024.
Open source URL
[2]
GCP Storage Lifecycles

Google Cloud. (n.d.). Object Lifecycle Management. Retrieved September 25, 2024.
Open source URL
[3]
Azure Storage Lifecycles

Microsoft Azure. (2024, July 3). Configure a lifecycle management policy. Retrieved September 25, 2024.
Open source URL
[4]
Palo Alto Cloud Ransomware

Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25, 2024.
Open source URL
[5]
Halcyon AWS Ransomware 2025

Halcyon RISE Team. (2025, January 13). Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C. Retrieved March 18, 2025.
Open source URL
[6]
Datadog S3 Lifecycle CloudTrail Logs

Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through S3 Lifecycle Rule. Retrieved September 25, 2024.
Open source URL
[7]
mitre-attack T1485.001
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams