Skip to content

Overwrite Lambda Function Code

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Persistence

Description

Establishes persistence by overwriting a Lambda function's code. A further, more advanced, use-case could be updating the code to exfiltrate the data processed by the Lambda function at runtime.

Warm-up:

  • Create a Lambda function.

Detonation:

  • Update the Lambda function code.

References: - https://research.splunk.com/cloud/aws_lambda_updatefunctioncode/ - Expel's AWS security mindmap

Instructions

Detonate with Stratus Red Team
stratus detonate aws.persistence.lambda-overwrite-code

Detection

Through CloudTrail's UpdateFunctionCode* event, e.g. UpdateFunctionCode20150331v2.