Overwrite Lambda Function Code
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Persistence
Description
Establishes persistence by overwriting a Lambda function's code. A more advanced use case could be updating the code to exfiltrate the data processed by the Lambda function at runtime.
Warm-up:
- Create a Lambda function.
Detonation:
- Update the Lambda function code.
References:
- https://research.splunk.com/cloud/aws_lambda_updatefunctioncode/
- Expel's AWS security mindmap
Instructions
Detection
Through CloudTrail's UpdateFunctionCode* event, e.g. UpdateFunctionCode20150331v2.
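One way to apply this detection to exported CloudTrail records, as an added example (not code from the original page or its project). The sample records are constructed, and the `EXPECTED_DEPLOYERS` allow-list, the `ci-deploy` role and the function name `orders-processor` are assumptions for illustration.

```python
# Constructed CloudTrail records (not real logs); account ID, ARNs and IPs are placeholders.
ACCT = "arn:aws:iam::111122223333:"
CI_ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline"

def _rec(time, name, ip, arn, **extra):
    """Build one sample record with the fields this detection reads."""
    return {"eventTime": time, "eventSource": "lambda.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"arn": arn},
            "requestParameters": {"functionName": "orders-processor"}, **extra}

SAMPLE_RECORDS = [
    _rec("2024-01-01T10:00:00Z", "UpdateFunctionCode20150331v2", "198.51.100.10", CI_ROLE),
    _rec("2024-01-01T11:00:00Z", "UpdateFunctionCode20150331v2", "203.0.113.7", ACCT + "user/alice"),
    # Configuration change: shares a prefix with the code update but must not match.
    _rec("2024-01-01T11:05:00Z", "UpdateFunctionConfiguration20150331v2", "203.0.113.7", ACCT + "user/alice"),
    # Denied attempt: errorCode is set and requestParameters is null in this sample.
    _rec("2024-01-01T12:00:00Z", "UpdateFunctionCode20150331v2", "203.0.113.9", ACCT + "user/bob",
         errorCode="AccessDenied", requestParameters=None),
]

# Assumption: principals that are expected to deploy Lambda code in this account.
EXPECTED_DEPLOYERS = frozenset({CI_ROLE})

def find_code_updates(records, expected=frozenset()):
    """Return one finding per UpdateFunctionCode* event, successful or denied."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        # Prefix match, because the event name carries an API version suffix.
        if not rec.get("eventName", "").startswith("UpdateFunctionCode"):
            continue
        principal = (rec.get("userIdentity") or {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}  # tolerate absent or null parameters
        findings.append({"time": rec.get("eventTime"),
                         "function": params.get("functionName", "unknown"),
                         "principal": principal,
                         "source_ip": rec.get("sourceIPAddress"),
                         "succeeded": "errorCode" not in rec,
                         "expected_deployer": principal in expected})
    return findings

def unexpected_updates(records, expected=frozenset()):
    """Keep only code updates made or attempted by principals outside the allow-list."""
    return [f for f in find_code_updates(records, expected) if not f["expected_deployer"]]

if __name__ == "__main__":
    for f in unexpected_updates(SAMPLE_RECORDS, EXPECTED_DEPLOYERS):
        print(f)
```

Denied attempts are kept in the output with `succeeded` set to false, since a failed overwrite by an unexpected principal is still worth reviewing.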