
Add a Malicious Lambda Extension

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Persistence
  • Privilege Escalation

Description

Establishes persistence by adding a malicious Lambda extension. Extensions are shipped as layers and started as separate processes inside the function's execution environment, so an attacker-controlled extension is launched on every cold start with the function's environment variables, including the temporary credentials of its execution role, and is notified of every invocation.

Warm-up:

  • Create a Lambda function and a lambda extension (layer).

Detonation:

  • Add the extension as a layer to the Lambda function.
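The warm-up and detonation steps above, carried through as an added example (this is not Stratus Red Team's own code). It builds a minimal extension layer offline, then publishes it and attaches it to an existing function through boto3. The extension name, layer name, function name and runtime are assumptions; the extension script is a skeleton that only registers with the Extensions API, not the Stratus payload. `FakeLambdaClient` is an offline stand-in for `boto3.client("lambda")` so the flow can run without AWS.

```python
import io
import stat
import zipfile

# Hypothetical extension name. Lambda requires the file under extensions/ to
# carry the same name it registers with in the Lambda-Extension-Name header.
EXTENSION_NAME = "demo-extension"

# Skeleton external extension: register with the Extensions API, then block on
# the event loop. A malicious extension would do its work (for example, reading
# the function's environment) between these two calls. Not the Stratus payload.
EXTENSION_SCRIPT = f"""#!/bin/bash
set -euo pipefail
API="http://${{AWS_LAMBDA_RUNTIME_API}}/2020-01-01/extension"
# Register for INVOKE and SHUTDOWN; the identifier is returned in a header.
ID=$(curl -sS -o /dev/null -D - -X POST "$API/register" \\
  -H "Lambda-Extension-Name: {EXTENSION_NAME}" \\
  -d '{{"events":["INVOKE","SHUTDOWN"]}}' \\
  | tr -d '\\r' | awk -F': ' 'tolower($1)=="lambda-extension-identifier" {{print $2}}')
# Long-poll for events; the function is not invoked until this loop is running.
while true; do
  curl -sS "$API/event/next" -H "Lambda-Extension-Identifier: $ID" >/dev/null
done
"""


def build_extension_layer(name: str = EXTENSION_NAME, script: str = EXTENSION_SCRIPT) -> bytes:
    """Warm-up: package the extension as a layer zip at extensions/<name>."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo(f"extensions/{name}")
        # Lambda only launches the extension if the file is executable.
        info.external_attr = (stat.S_IFREG | 0o755) << 16
        zf.writestr(info, script)
    return buf.getvalue()


def layer_entries(layer_zip: bytes) -> dict:
    """Return {path: unix mode} for a layer zip, to sanity-check packaging."""
    with zipfile.ZipFile(io.BytesIO(layer_zip)) as zf:
        return {i.filename: stat.S_IMODE(i.external_attr >> 16) for i in zf.infolist()}


def add_extension_to_function(lambda_client, function_name: str, layer_name: str, layer_zip: bytes) -> str:
    """Detonation: publish the layer and attach it to an existing function.

    lambda_client is a boto3 Lambda client. Layers on update_function_configuration
    is a full replacement, so the function's existing layers are re-sent to avoid
    a visible side effect (dropping the layers the function already used).
    """
    published = lambda_client.publish_layer_version(
        LayerName=layer_name,
        Content={"ZipFile": layer_zip},
        CompatibleRuntimes=["python3.12"],  # assumption: matches the target's runtime
    )
    layer_arn = published["LayerVersionArn"]
    current = lambda_client.get_function_configuration(FunctionName=function_name)
    existing = [layer["Arn"] for layer in current.get("Layers", [])]
    if layer_arn not in existing:
        lambda_client.update_function_configuration(
            FunctionName=function_name, Layers=existing + [layer_arn]
        )
    return layer_arn


class FakeLambdaClient:
    """Offline stand-in for boto3's Lambda client (made-up account and region)."""

    def __init__(self, account="111111111111", region="us-east-1", existing_layers=()):
        self.account, self.region = account, region
        self.layers = list(existing_layers)
        self.calls = []

    def publish_layer_version(self, **kw):
        self.calls.append(("publish_layer_version", kw))
        return {"LayerVersionArn": f"arn:aws:lambda:{self.region}:{self.account}:layer:{kw['LayerName']}:1"}

    def get_function_configuration(self, **kw):
        self.calls.append(("get_function_configuration", kw))
        return {"FunctionName": kw["FunctionName"], "Layers": [{"Arn": a, "CodeSize": 1} for a in self.layers]}

    def update_function_configuration(self, **kw):
        self.calls.append(("update_function_configuration", kw))
        self.layers = list(kw["Layers"])
        return {"FunctionName": kw["FunctionName"], "Layers": [{"Arn": a, "CodeSize": 1} for a in self.layers]}


if __name__ == "__main__":
    client = FakeLambdaClient(existing_layers=["arn:aws:lambda:us-east-1:111111111111:layer:existing:3"])
    print(add_extension_to_function(client, "target-fn", "demo-layer", build_extension_layer()))
```

Against a real account, replace `FakeLambdaClient()` with `boto3.client("lambda")`; the three calls it makes are the ones CloudTrail then records, the last of them as the `UpdateFunctionConfiguration20150331v2` event discussed under Detection.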

References:

Instructions

Detonate with Stratus Red Team
stratus detonate aws.persistence.lambda-layer-extension

Detection

Through CloudTrail's UpdateFunctionConfiguration20150331v2 event.

Matching this event on its own is impractical and prone to false positives in most environments, since it fires on any configuration change (timeout, memory, environment variables). The following can help to craft more precise detections:

  • Identify calls to UpdateFunctionConfiguration20150331v2 where responseElements contains a layers field, indicating that the function's layers were set in this update.
  • Identify calls to UpdateFunctionConfiguration20150331v2 where responseElements.layers includes a layer published from a different AWS account.

Two caveats. responseElements mirrors the API response, which is the resulting function configuration, so a function that already had layers attached will show them on any configuration update; comparing against the previously observed layer set isolates actual additions. Cross-account layers are not malicious by themselves: AWS-managed extensions such as Lambda Insights are published from AWS-owned accounts, so allowlist those publisher accounts rather than alerting on every foreign ARN.
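The two detection rules above applied to sample CloudTrail records, as an added example (not Stratus Red Team's own detection content). The records are constructed, with made-up account IDs and ARNs, and are trimmed to the fields the logic reads; `trusted_accounts` is an assumed allowlist of layer publisher accounts. The example goes slightly beyond the page by grading findings: layer changes from the function's own account are medium, a layer from an unknown account is high.

```python
import json
from typing import Optional

TARGET_EVENT = "UpdateFunctionConfiguration20150331v2"

# Constructed CloudTrail records (not real logs). Account IDs and ARNs are made up.
SAMPLE_LOG = [
    # 1: layers set; the new layer comes from an unknown account -> high
    json.dumps({"eventSource": "lambda.amazonaws.com", "eventName": TARGET_EVENT,
                "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
                "responseElements": {"functionName": "billing-api",
                                     "layers": [{"arn": "arn:aws:lambda:us-east-1:222222222222:layer:ext:1",
                                                 "codeSize": 2048}]}}),
    # 2: same event, only the timeout changed; no layers field -> ignored
    json.dumps({"eventSource": "lambda.amazonaws.com", "eventName": TARGET_EVENT,
                "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
                "responseElements": {"functionName": "billing-api", "timeout": 30}}),
    # 3: layers set, all from the function's own account -> medium
    json.dumps({"eventSource": "lambda.amazonaws.com", "eventName": TARGET_EVENT,
                "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
                "responseElements": {"functionName": "report-gen",
                                     "layers": [{"arn": "arn:aws:lambda:us-east-1:111111111111:layer:common:7",
                                                 "codeSize": 512}]}}),
    # 4: layer from a foreign but allowlisted publisher (stand-in for an AWS-managed
    #    extension account) -> medium when allowlisted, high otherwise
    json.dumps({"eventSource": "lambda.amazonaws.com", "eventName": TARGET_EVENT,
                "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
                "responseElements": {"functionName": "report-gen",
                                     "layers": [{"arn": "arn:aws:lambda:us-east-1:333333333333:layer:managed-ext:14",
                                                 "codeSize": 4096}]}}),
    # 5: unrelated Lambda event -> ignored
    json.dumps({"eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
                "recipientAccountId": "111111111111", "responseElements": None}),
]


def layer_account_id(layer_arn: str) -> str:
    """Publisher account of a layer ARN: arn:partition:lambda:region:account:layer:name:version."""
    parts = layer_arn.split(":")
    if len(parts) < 8 or parts[2] != "lambda" or parts[5] != "layer":
        raise ValueError(f"not a layer version ARN: {layer_arn}")
    return parts[4]


def analyze_event(record: dict, trusted_accounts: frozenset = frozenset()) -> Optional[dict]:
    """Apply both rules to one CloudTrail record; None means no finding."""
    if record.get("eventSource") != "lambda.amazonaws.com" or record.get("eventName") != TARGET_EVENT:
        return None
    layers = (record.get("responseElements") or {}).get("layers")
    if layers is None:  # rule 1: layers were not part of this update
        return None
    own_account = record.get("recipientAccountId")
    arns = [layer["arn"] for layer in layers]
    # rule 2: a layer published from an account that is neither ours nor allowlisted
    foreign = [arn for arn in arns
               if layer_account_id(arn) != own_account and layer_account_id(arn) not in trusted_accounts]
    return {
        "function": record["responseElements"].get("functionName"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "layers": arns,
        "foreign_layers": foreign,
        "severity": "high" if foreign else "medium",
    }


def scan(log_lines, trusted_accounts: frozenset = frozenset()) -> list:
    """Run analyze_event over JSON log lines and return the findings in order."""
    findings = []
    for line in log_lines:
        finding = analyze_event(json.loads(line), trusted_accounts)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, trusted_accounts=frozenset({"333333333333"})):
        print(f["severity"], f["function"], f["actor"], f["foreign_layers"])
```

In a real pipeline the allowlist would hold the AWS-owned accounts that publish the managed extensions your functions use, and a medium finding would be correlated with the deploy role and pipeline that normally change that function.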