AWS Lambda Layer Added to Existing Function

 1[metadata]
 2creation_date = "2024/04/30"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2024/07/23"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies when an Lambda Layer is added to an existing Lambda function. AWS layers are a way to share code and data
11across multiple functions. By adding a layer to an existing function, an attacker can persist or execute code in the
12context of the function.
13"""
14false_positives = ["Lambda function owners may add layers to their functions for legitimate purposes."]
15from = "now-60m"
16index = ["filebeat-*", "logs-aws.cloudtrail-*"]
17interval = "10m"
18language = "kuery"
19license = "Elastic License v2"
20name = "AWS Lambda Layer Added to Existing Function"
21note = """
22## Triage and Analysis
23
24### Investigating AWS Lambda Layer Added to Existing Function
25
26This rule detects when a Lambda layer is added to an existing Lambda function. AWS Lambda layers are a mechanism for sharing code and data across multiple functions. By adding a layer to an existing function, an attacker can persist or execute code in the context of the function. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.
27
28#### Possible Investigation Steps:
29
30- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
31- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific layer added to the Lambda function. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
32- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
33- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.
34- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
35
36### False Positive Analysis:
37
38- **Legitimate Administrative Actions**: Confirm if the addition of the Lambda layer aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.
39- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
40- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.
41
42### Response and Remediation:
43
44- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, remove the added layer from the Lambda function to mitigate any unintended code execution or persistence.
45- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive functions or layers.
46- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning Lambda function management and the use of layers.
47- **Audit Lambda Functions and Policies**: Conduct a comprehensive audit of all Lambda functions and associated policies to ensure they adhere to the principle of least privilege.
48- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.
49
50### Additional Information:
51
52For further guidance on managing Lambda functions and securing AWS environments, refer to the [AWS Lambda documentation](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on Lambda layers and persistence techniques:
53- [AWS Lambda Layers Persistence](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence)
54- [AWS API PublishLayerVersion](https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html)
55- [AWS API UpdateFunctionConfiguration](https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html)
56
57"""
58references = [
59    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence",
60    "https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html",
61    "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html",
62]
63risk_score = 21
64rule_id = "7d091a76-0737-11ef-8469-f661ea17fbcc"
65severity = "low"
66tags = [
67    "Domain: Cloud",
68    "Data Source: AWS",
69    "Data Source: Amazon Web Services",
70    "Data Source: AWS Lambda",
71    "Use Case: Threat Detection",
72    "Tactic: Execution",
73]
74timestamp_override = "event.ingested"
75type = "query"
76
77query = '''
78event.dataset: aws.cloudtrail
79    and event.provider: lambda.amazonaws.com
80    and event.outcome: success
81    and event.action: (PublishLayerVersion* or UpdateFunctionConfiguration)
82'''
83
84
85[[rule.threat]]
86framework = "MITRE ATT&CK"
87[[rule.threat.technique]]
88id = "T1648"
89name = "Serverless Execution"
90reference = "https://attack.mitre.org/techniques/T1648/"
91
92
93[rule.threat.tactic]
94id = "TA0002"
95name = "Execution"
96reference = "https://attack.mitre.org/tactics/TA0002/"