AWS Attached Malicious Lambda Layer
Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
Sigma rule (View on GitHub)
1title: AWS Attached Malicious Lambda Layer
2id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
3status: test
4description: |
5 Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls.
6 This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
7references:
8 - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
9author: Austin Songer
10date: 2021/09/23
11modified: 2022/10/09
12tags:
13 - attack.privilege_escalation
14logsource:
15 product: aws
16 service: cloudtrail
17detection:
18 selection:
19 eventSource: lambda.amazonaws.com
20 eventName|startswith: 'UpdateFunctionConfiguration'
21 condition: selection
22falsepositives:
23 - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
24 - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
25level: medium
References
Related rules
- AWS Root Credentials
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- AWS Suspicious SAML Activity
- Google Cloud Kubernetes CronJob