ATT&CK v18 has been released! Check out the blog post or changelog for more information.

Cloud Storage Modification

Cloud Storage Modification involves tracking changes made to cloud storage infrastructure, including updates to settings, permissions, or stored data. Examples include modifying object access control lists (ACLs), uploading new objects, or updating bucket policies. Examples:

AWS S3: An object is uploaded or its ACL is modified.
- Azure Blob Storage: A blob's metadata or permissions are updated.
- Google Cloud Storage: An object's lifecycle policy is updated, or a bucket policy is changed.
- OpenStack Swift: Modifications to container settings or uploading of new objects.

ID: DC0023

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 12 November 2025

Log Sources

Name	Channel
AWS:CloudTrail	PutBucketLifecycle, PutLifecycleConfiguration, SetBucketLifecycle, storage.buckets.update
AWS:CloudTrail	PutObject (with SSE-C), UploadPart (SSE-C)
AWS:CloudTrail	PutBucketPolicy
m365:unified	SharingSet
saas:googledrive	drive.permission.add

Detection Strategy

ID	Name	Technique Detected
DET0573	Cross-Platform Detection of Data Transfer to Cloud Account	T1537
DET0041	Detection of Lifecycle Policy Modifications for Triggered Deletion in IaaS Cloud Storage	T1485.001
DET0215	Detection of Multi-Platform File Encryption for Impact	T1486