Add a Malicious Lambda Extension
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Persistence
- Privilege Escalation
Description
Establishes persistence by adding a malicious Lambda extension (delivered as a layer) to an existing Lambda function.
Warm-up:
- Create a Lambda function and a Lambda extension (layer).
Detonation:
- Add the extension as a layer to the Lambda function.
References:
Instructions
Detection
Through CloudTrail's `UpdateFunctionConfiguration20150331v2` event.
While matching this event may be impractical and prone to false positives in most environments, the following can help to craft more precise detections:
- Identify calls to `UpdateFunctionConfiguration20150331v2` where the `responseElements` field contains `layers`, indicating that the function's layers were modified.
- Identify calls to `UpdateFunctionConfiguration20150331v2` where `responseElements.layers` includes a layer that's from a different AWS account.
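The two refinements above applied to constructed CloudTrail records, as an added example that is not part of the original page or of Stratus Red Team. It assumes each entry of `responseElements.layers` carries an `arn` key (as in the Lambda API response) and that the layer version ARN has the form `arn:aws:lambda:<region>:<account>:layer:<name>:<version>`; all account IDs and names are made up.

```python
# Added example (not from the original page): apply the two detection refinements
# to constructed CloudTrail records. Account IDs and function names are made up.
ATTACK_EVENT = "UpdateFunctionConfiguration20150331v2"

SAMPLE_EVENTS = [
    {"eventName": ATTACK_EVENT, "recipientAccountId": "111111111111",  # memory change only
     "responseElements": {"functionName": "billing", "memorySize": 256}},
    {"eventName": ATTACK_EVENT, "recipientAccountId": "111111111111",  # layer from own account
     "responseElements": {"functionName": "billing", "layers": [
         {"arn": "arn:aws:lambda:us-east-1:111111111111:layer:utils:3", "codeSize": 1024}]}},
    {"eventName": ATTACK_EVENT, "recipientAccountId": "111111111111",  # layer from another account
     "responseElements": {"functionName": "billing", "layers": [
         {"arn": "arn:aws:lambda:us-east-1:111111111111:layer:utils:3", "codeSize": 1024},
         {"arn": "arn:aws:lambda:us-east-1:999999999999:layer:ext:1", "codeSize": 2048}]}},
    {"eventName": "GetFunction20150331v2", "recipientAccountId": "111111111111",
     "responseElements": None},  # CloudTrail can omit responseElements entirely
]


def layer_owner(layer_arn):
    """Account ID of a layer version ARN (assumed form arn:aws:lambda:<region>:<account>:layer:<name>:<version>)."""
    parts = layer_arn.split(":")
    if len(parts) == 8 and parts[2] == "lambda" and parts[5] == "layer":
        return parts[4]
    return None


def classify(event):
    """'ignore', 'layers-modified' (any layer change) or 'foreign-layer' (cross-account layer)."""
    if event.get("eventName") != ATTACK_EVENT:
        return "ignore"
    layers = (event.get("responseElements") or {}).get("layers") or []
    if not layers:
        return "ignore"  # configuration change that did not touch layers
    for layer in layers:
        owner = layer_owner(layer.get("arn", ""))
        if owner is not None and owner != event.get("recipientAccountId"):
            return "foreign-layer"
    return "layers-modified"


def detect(events):
    """Return (functionName, verdict) for every record worth alerting on."""
    return [(e["responseElements"]["functionName"], classify(e))
            for e in events if classify(e) != "ignore"]
```

Only the third record reaches the stricter `foreign-layer` verdict; the second, a layer the account itself owns, is the kind of change the first bullet alone would still surface.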