Overwrite Lambda Function Code

idempotent

Platform: AWS

MITRE ATT&CK Tactics

• Persistence

Description

Establishes persistence by overwriting a Lambda function's code. A further, more advanced, use-case could be updating the code to exfiltrate the data processed by the Lambda function at runtime.

Warm-up:

• Create a Lambda function.

Detonation:

• Update the Lambda function code.

References:

• https://research.splunk.com/cloud/aws_lambda_updatefunctioncode/
• Expel's AWS security mindmap

Instructions

Detonate with Stratus Red Team

stratus detonate aws.persistence.lambda-overwrite-code

Detection

Through CloudTrail's UpdateFunctionCode* event, e.g. UpdateFunctionCode20150331v2.