AWS New Lambda Layer Attached
Detects when a user attached a Lambda layer to an existing Lambda function. A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role. This would give an adversary access to resources that the function has access to.
Sigma rule (View on GitHub)
1title: AWS New Lambda Layer Attached
2id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
3status: test
4description: |
5 Detects when a user attached a Lambda layer to an existing Lambda function.
6 A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role.
7 This would give an adversary access to resources that the function has access to.
8references:
9 - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
10 - https://github.com/clearvector/lambda-spy
11author: Austin Songer
12date: 2021-09-23
13modified: 2025-03-17
14tags:
15 - attack.privilege-escalation
16logsource:
17 product: aws
18 service: cloudtrail
19detection:
20 selection:
21 eventSource: lambda.amazonaws.com
22 eventName|startswith: 'UpdateFunctionConfiguration'
23 requestParameters.layers|contains: '*'
24 condition: selection
25falsepositives:
26 - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
27 - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
28level: low
yaml
References
Related rules
- Elevated System Shell Spawned From Uncommon Parent Location
- QBot process creation from scheduled task REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line
- QBot scheduled task REGSVR32 with C$ image path
- Suspicious Commands by SQL Server
- Kubernetes Unauthorized or Unauthenticated Access