Backdoor Lambda Function Through Resource-Based Policy

Platform: AWS

MITRE ATT&CK Tactics

  • Persistence

Description

Establishes persistence by backdooring a Lambda function so that it can be invoked from an external AWS account.

Warm-up:

  • Create a Lambda function.

Detonation:

  • Modify the Lambda function's resource-based policy to allow lambda:InvokeFunction from an external, fictitious AWS account.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.persistence.lambda-backdoor-function

Detection

  • Using CloudTrail's AddPermission20150331 and AddPermission20150331v2 events, which are logged when a statement is added to a Lambda function's resource-based policy; a principal that is a wildcard or an account other than the one owning the function is the signal to alert on.

  • Through IAM Access Analyzer, which triggers a finding when permissions are added to a Lambda function making it public or accessible from another account.
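The CloudTrail-based detection above, as an added example that is not part of this page or of Stratus Red Team: a small Python detector that parses a CloudTrail log, keeps only the two AddPermission event names, and flags any grant whose principal is a wildcard or an account other than the one that owns the function. The log records, account IDs and function names are constructed placeholders, and the assumed record layout (eventSource, eventName, recipientAccountId, requestParameters with functionName, statementId, action, principal) is modelled on CloudTrail's Lambda events.

```python
import json

# Constructed sample CloudTrail log (not real data): account IDs and function names are
# placeholders. The record layout follows CloudTrail's Lambda AddPermission events as
# assumed here: eventSource, eventName, recipientAccountId and requestParameters.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {  # benign: the function owner grants its own account invoke permission
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2",
        "recipientAccountId": "111111111111",
        "requestParameters": {"functionName": "inventory-sync", "statementId": "self-invoke",
                              "action": "lambda:InvokeFunction", "principal": "111111111111"},
    },
    {  # suspicious: invoke permission granted to a different (fictitious) AWS account
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2",
        "recipientAccountId": "111111111111",
        "requestParameters": {"functionName": "billing-export", "statementId": "external-invoke",
                              "action": "lambda:InvokeFunction", "principal": "222222222222"},
    },
    {  # suspicious: older API version, wildcard principal makes the function public
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331",
        "recipientAccountId": "111111111111",
        "requestParameters": {"functionName": "public-api", "statementId": "anyone",
                              "action": "lambda:InvokeFunction", "principal": "*"},
    },
    {  # benign: an AWS service principal scoped by sourceArn is the normal trigger pattern
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2",
        "recipientAccountId": "111111111111",
        "requestParameters": {"functionName": "on-upload", "statementId": "s3-trigger",
                              "action": "lambda:InvokeFunction", "principal": "s3.amazonaws.com",
                              "sourceArn": "arn:aws:s3:::example-bucket"},
    },
    {  # unrelated Lambda event, must be ignored
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionCode20150331v2",
        "recipientAccountId": "111111111111",
        "requestParameters": {"functionName": "inventory-sync"},
    },
]})

# CloudTrail event names emitted when a statement is added to a Lambda resource-based policy.
ADD_PERMISSION_EVENTS = {"AddPermission20150331", "AddPermission20150331v2"}


def principal_account(principal):
    """Resolve a policy principal to an account id, '*' for a wildcard, or None when it is
    not an AWS account (for example a service principal such as s3.amazonaws.com)."""
    if principal == "*":
        return "*"
    if principal.isdigit() and len(principal) == 12:
        return principal
    if principal.startswith("arn:"):
        # arn:partition:service:region:account-id:resource
        parts = principal.split(":")
        if len(parts) >= 6 and parts[4].isdigit():
            return parts[4]
    return None


def find_external_lambda_grants(cloudtrail_json):
    """Return one finding per AddPermission event whose principal is outside the account
    that owns the function (cross-account) or is a wildcard (public)."""
    findings = []
    for record in json.loads(cloudtrail_json).get("Records", []):
        if record.get("eventSource") != "lambda.amazonaws.com":
            continue
        if record.get("eventName") not in ADD_PERMISSION_EVENTS:
            continue
        params = record.get("requestParameters") or {}
        grantee = principal_account(str(params.get("principal", "")))
        owner = record.get("recipientAccountId")
        if grantee is None or grantee == owner:
            # Service principal or same-account grant: out of scope for this rule.
            # (A service principal with a sourceAccount in another account would need
            # a separate check on sourceArn/sourceAccount, not done here.)
            continue
        findings.append({
            "function": params.get("functionName"),
            "statement_id": params.get("statementId"),
            "action": params.get("action"),
            "principal": params.get("principal"),
            "exposure": "public" if grantee == "*" else "cross-account",
            "event_name": record["eventName"],
        })
    return findings


if __name__ == "__main__":
    for f in find_external_lambda_grants(SAMPLE_CLOUDTRAIL_LOG):
        print(f"[{f['exposure']}] {f['event_name']}: {f['function']} statement "
              f"{f['statement_id']} grants {f['action']} to {f['principal']}")
```

Run against the constructed log it reports two findings, the cross-account grant on billing-export and the public grant on public-api, and stays silent on the same-account and service-principal grants. In a real deployment the same logic would run over CloudTrail records delivered to S3 or CloudWatch Logs, and a finding would be cross-checked against the IAM Access Analyzer finding for the same function.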