
AWS Threat Hunting Ideas: Lambda

Overview

The following are ideas for threat hunting that can be done within the Lambda service.

1. Unauthorized Lambda Function Creation (CreateFunction)

  • Goal: Detect unauthorized deployment of malicious Lambda functions.

  • CloudTrail Event: CreateFunction

  • Hunting Idea:

    • Identify Lambda functions created by unusual users or outside business hours.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateFunction
    • Look for functions with suspicious runtime environments (e.g., reverse shells disguised as functions).

2. Function Modifications (UpdateFunctionConfiguration)

  • Goal: Detect unauthorized configuration changes that could alter function behavior.

  • CloudTrail Event: UpdateFunctionConfiguration

  • Hunting Idea:

    • Hunt for unusual changes in runtime, memory size, or IAM roles associated with Lambda functions.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateFunctionConfiguration
    • Investigate modifications that change the execution role, as they may indicate privilege escalation attempts.
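Added example (not from the CTHFM page): a Python triage of the JSON that `aws cloudtrail lookup-events --output json` prints, covering ideas 1 and 2 by flagging CreateFunction and UpdateFunctionConfiguration events from principals outside a known-deployer set, events outside business hours, and updates that swap the execution role. The deployer ARN, the UTC working hours and the sample events are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed assumptions: known deployment principals and working hours (UTC, as eventTime is).
KNOWN_DEPLOYERS = {"arn:aws:sts::111122223333:assumed-role/ci-deploy/github"}
BUSINESS_HOURS = (8, 18)   # [start, end) hour, Monday to Friday
WATCHED = {"CreateFunction", "UpdateFunctionConfiguration"}

def parse_lookup_events(output):
    return [json.loads(e["CloudTrailEvent"]) for e in output.get("Events", [])]

def outside_business_hours(event_time):
    t = datetime.fromisoformat(event_time.replace("Z", "+00:00")).astimezone(timezone.utc)
    return t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1])

def triage(events, known=KNOWN_DEPLOYERS):
    """Return (eventName, functionName, reasons) for each event worth a look."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WATCHED:
            continue
        params = ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn", "")
        reasons = []
        if actor not in known:
            reasons.append(f"unusual principal {actor}")
        if outside_business_hours(ev["eventTime"]):
            reasons.append("outside business hours")
        # The role parameter appears only when the request supplied a new execution role
        if ev["eventName"] == "UpdateFunctionConfiguration" and params.get("role"):
            reasons.append(f"execution role changed to {params['role']}")
        if reasons:
            hits.append((ev["eventName"], params.get("functionName", "?"), reasons))
    return hits

SAMPLE = {"Events": [{"CloudTrailEvent": json.dumps(e)} for e in [  # constructed, not real logs
    {"eventTime": "2024-05-14T10:02:11Z", "eventName": "CreateFunction",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/github"},
     "requestParameters": {"functionName": "orders-api", "runtime": "python3.12"}},
    {"eventTime": "2024-05-18T02:41:07Z", "eventName": "CreateFunction",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"functionName": "tmp-helper", "runtime": "python3.12"}},
    {"eventTime": "2024-05-15T11:30:00Z", "eventName": "UpdateFunctionConfiguration",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/github"},
     "requestParameters": {"functionName": "orders-api", "role": "arn:aws:iam::111122223333:role/admin-role"}},
]]}

if __name__ == "__main__":
    print(*triage(parse_lookup_events(SAMPLE)), sep="\n")
```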

3. Execution Role Abuse (AddPermission/RemovePermission)

  • Goal: Detect attackers adding or removing permissions to manipulate Lambda roles and permissions.

  • CloudTrail Event: AddPermission, RemovePermission

  • Hunting Idea:

    • Monitor AddPermission events that allow invoking the function from external accounts or services.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AddPermission
    • Check for RemovePermission events, which could indicate an attempt to hide malicious activity.
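Added example (not from the page) for idea 3: the AddPermission request parameters carry the principal and any sourceArn/sourceAccount condition, so each statement can be classified as public, cross-account, or a service principal lacking a source condition, while every RemovePermission is surfaced with the principal that issued it. The expected-service set, account IDs and sample events are constructed assumptions.

```python
import json
# Constructed assumption: services this account intentionally lets invoke its functions.
EXPECTED_SERVICES = {"s3.amazonaws.com", "events.amazonaws.com"}

def parse_lookup_events(output):
    return [json.loads(e["CloudTrailEvent"]) for e in output.get("Events", [])]

def classify_add_permission(ev):
    # Returns the reasons an AddPermission statement deserves review (empty if none)
    p = ev.get("requestParameters") or {}
    principal = str(p.get("principal", ""))
    reasons = []
    if principal == "*":
        reasons.append("function invokable by anyone (principal *)")
    elif principal.isdigit() and len(principal) == 12 and principal != ev.get("recipientAccountId"):
        reasons.append(f"cross-account invoke granted to {principal}")
    elif principal.endswith(".amazonaws.com"):
        if principal not in EXPECTED_SERVICES:
            reasons.append(f"unexpected service principal {principal}")
        # Without sourceArn/sourceAccount, that service may invoke on behalf of any AWS customer
        if not p.get("sourceArn") and not p.get("sourceAccount"):
            reasons.append("service principal has no sourceArn/sourceAccount condition")
    return reasons

def review(events):
    # List of ((functionName, statementId), reasons); every RemovePermission is listed
    findings = []
    for ev in events:
        p = ev.get("requestParameters") or {}
        if ev.get("eventName") == "AddPermission":
            reasons = classify_add_permission(ev)
        elif ev.get("eventName") == "RemovePermission":
            reasons = [f"statement removed by {ev.get('userIdentity', {}).get('arn', '?')}"]
        else:
            continue
        if reasons:
            findings.append(((p.get("functionName", "?"), p.get("statementId", "?")), reasons))
    return findings

SAMPLE = {"Events": [{"CloudTrailEvent": json.dumps(e)} for e in [  # constructed, not real logs
    {"eventName": "AddPermission", "recipientAccountId": "111122223333",
     "requestParameters": {"functionName": "orders-api", "statementId": "s3-trigger",
                           "principal": "s3.amazonaws.com", "sourceArn": "arn:aws:s3:::orders-uploads"}},
    {"eventName": "AddPermission", "recipientAccountId": "111122223333",
     "requestParameters": {"functionName": "orders-api", "statementId": "ext", "principal": "444455556666"}},
    {"eventName": "RemovePermission", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"functionName": "orders-api", "statementId": "s3-trigger"}},
]]}
```

On real data, feed it the saved output of the lookup-events command above: `review(parse_lookup_events(json.load(open("events.json"))))`.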

4. Suspicious Function Invocation (InvokeFunction)

  • Goal: Detect Lambda functions invoked for unauthorized or suspicious purposes.

  • CloudTrail Event: InvokeFunction

  • Hunting Idea:

    • Monitor for high-frequency invocations or those coming from unexpected sources.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=InvokeFunction
    • Correlate with VPC Flow Logs to detect if the Lambda function is making unexpected outbound network calls.
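Added example (not from the page) for idea 4. Lambda invocations are CloudTrail data events (eventName `Invoke`, the API behind the lambda:InvokeFunction permission), so they have to be read from the trail's S3 delivery files or via Athena rather than from `lookup-events`; the code below finds callers that burst above a threshold inside a sliding window and invocations that did not originate from an AWS service. The function ARN, account ID and records are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def parse_records(trail_file):
    """Trail files delivered to S3 hold {"Records": [event, ...]}; Invoke is a data event,
    so it is absent from lookup-events output and must be read from here or via Athena."""
    return trail_file.get("Records", [])

def _t(r):
    return datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00"))

def invocation_bursts(records, window=timedelta(minutes=1), threshold=3):
    """{(functionArn, caller): peak} for callers exceeding `threshold` invokes in any sliding
    `window`; caller is the identity ARN, or the source address when a service invoked."""
    per_caller = defaultdict(list)
    for r in records:
        if r.get("eventName") != "Invoke":
            continue
        fn = (r.get("resources") or [{}])[0].get("ARN", "?")
        caller = r.get("userIdentity", {}).get("arn") or r.get("sourceIPAddress", "?")
        per_caller[(fn, caller)].append(_t(r))
    bursts = {}
    for key, times in per_caller.items():
        times.sort()
        lo = peak = 0
        for hi, t in enumerate(times):          # two-pointer scan over sorted timestamps
            while t - times[lo] >= window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            bursts[key] = peak
    return bursts

def direct_callers(records):
    """Invokes whose sourceIPAddress is not an AWS service (*.amazonaws.com): somebody called
    Invoke with credentials rather than through a configured trigger."""
    return Counter(r.get("sourceIPAddress", "?") for r in records
                   if r.get("eventName") == "Invoke"
                   and not r.get("sourceIPAddress", "").endswith(".amazonaws.com"))

ARN = "arn:aws:lambda:us-east-1:111122223333:function:orders-api"   # constructed
RECORDS = {"Records": [  # constructed sample, not real log data
    {"eventTime": "2024-05-15T12:00:00Z", "eventName": "Invoke", "sourceIPAddress": "events.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "events.amazonaws.com"}, "resources": [{"ARN": ARN}]},
] + [
    {"eventTime": f"2024-05-15T12:00:{s:02d}Z", "eventName": "Invoke", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}, "resources": [{"ARN": ARN}]}
    for s in (5, 12, 20, 33, 41)
]}
```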

5. Data Exfiltration via Environment Variables (GetFunctionConfiguration)

  • Goal: Detect attempts to access sensitive environment variables configured in Lambda functions.

  • CloudTrail Event: GetFunctionConfiguration

  • Hunting Idea:

    • Identify suspicious GetFunctionConfiguration requests that reveal sensitive configurations, such as API keys or database credentials.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetFunctionConfiguration

6. Snapshot of Lambda Code (GetFunction/UpdateFunctionCode)

  • Goal: Detect attempts to access or tamper with Lambda code.

  • CloudTrail Event: GetFunction, UpdateFunctionCode

  • Hunting Idea:

    • Hunt for GetFunction requests to identify if an attacker is downloading or viewing the code.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetFunction
    • Monitor for UpdateFunctionCode events where new, unauthorized code is deployed.

7. IAM Role Modification for Lambda Functions (AttachRolePolicy/DetachRolePolicy)

  • Goal: Detect role modifications that could increase the privileges of Lambda functions.

  • CloudTrail Event: AttachRolePolicy, DetachRolePolicy

  • Hunting Idea:

    • Look for privileged policies (e.g., AdministratorAccess) attached to Lambda roles.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AttachRolePolicy
    • Identify DetachRolePolicy events that remove restrictive policies and so weaken security controls.
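Added example (not from the page) for idea 7: CloudTrail alone does not reveal which IAM roles Lambda functions use, so the role set is assumed to be collected first (for instance from the Role field of `aws lambda list-functions`), and AttachRolePolicy/DetachRolePolicy events on those roles are rated by whether the policy is a privileged managed policy or an assumed explicit-deny guardrail. Role names, the guardrail policy ARN and the sample events are constructed.

```python
import json

# Constructed assumptions: Lambda execution roles gathered beforehand (e.g. the Role field of
# `aws lambda list-functions`), since CloudTrail alone does not say which roles Lambda uses,
# and an explicit-deny guardrail policy whose detachment widens what those roles may do.
LAMBDA_ROLES = {"orders-api-role", "etl-role"}
PRIVILEGED_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess",
                       "arn:aws:iam::aws:policy/PowerUserAccess",
                       "arn:aws:iam::aws:policy/IAMFullAccess"}
GUARDRAIL_POLICIES = {"arn:aws:iam::111122223333:policy/DenyOutsideVpc"}

def parse_lookup_events(output):
    return [json.loads(e["CloudTrailEvent"]) for e in output.get("Events", [])]

def role_policy_findings(events, lambda_roles=LAMBDA_ROLES):
    """(eventName, roleName, policyArn, severity) for policy changes on Lambda roles."""
    out = []
    for ev in events:
        name = ev.get("eventName")
        p = ev.get("requestParameters") or {}
        role, policy = p.get("roleName"), p.get("policyArn", "")
        if role not in lambda_roles or name not in ("AttachRolePolicy", "DetachRolePolicy"):
            continue
        if name == "AttachRolePolicy":
            # A privileged managed policy hands account-wide rights to the function's code
            severity = "high" if policy in PRIVILEGED_POLICIES else "medium"
        else:
            # Removing a deny guardrail lifts a restriction; other detachments mostly break things
            severity = "high" if policy in GUARDRAIL_POLICIES else "low"
        out.append((name, role, policy, severity))
    return out

SAMPLE = {"Events": [{"CloudTrailEvent": json.dumps(e)} for e in [  # constructed, not real logs
    {"eventName": "AttachRolePolicy", "requestParameters": {"roleName": "orders-api-role",
     "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "AttachRolePolicy", "requestParameters": {"roleName": "etl-role",
     "policyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}},
    {"eventName": "DetachRolePolicy", "requestParameters": {"roleName": "etl-role",
     "policyArn": "arn:aws:iam::111122223333:policy/DenyOutsideVpc"}},
    {"eventName": "AttachRolePolicy", "requestParameters": {"roleName": "ops-admin",
     "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]]}

if __name__ == "__main__":
    print(*role_policy_findings(parse_lookup_events(SAMPLE)), sep="\n")
```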

8. Event Source Manipulation (UpdateEventSourceMapping)

  • Goal: Detect changes to Lambda's event source that may indicate misuse.

  • CloudTrail Event: UpdateEventSourceMapping

  • Hunting Idea:

    • Monitor for unexpected changes to Lambda event source mappings (e.g., adding S3 buckets or API Gateway triggers).

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateEventSourceMapping

9. Disabling Function Tracing (DeleteFunctionEventInvokeConfig)

  • Goal: Detect attackers disabling tracing or logging to avoid detection.

  • CloudTrail Event: DeleteFunctionEventInvokeConfig

  • Hunting Idea:

    • Hunt for DeleteFunctionEventInvokeConfig events to detect attempts to disable logging.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteFunctionEventInvokeConfig

10. Deleting Lambda Functions (DeleteFunction)

  • Goal: Detect attempts to delete functions to remove evidence of malicious activity.

  • CloudTrail Event: DeleteFunction

  • Hunting Idea:

    • Monitor for DeleteFunction requests, especially those targeting critical functions.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteFunction
    • Cross-reference with other events to see if deletion is part of a broader attack.
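Added example (not from the page) serving ideas 6, 9 and 10 together: for each DeleteFunction it lists what the same principal did to that function within a lookback window (GetFunction, UpdateFunctionCode, DeleteFunctionEventInvokeConfig and similar), so a deletion can be read in the context of the events that preceded it. Principal ARNs and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta
# Management events that, done by the same principal on the same function shortly before it
# deletes it, turn a routine DeleteFunction into a story worth reading. (Note that
# DeleteFunctionEventInvokeConfig removes the async-invoke settings: retries and destinations.)
PRECURSORS = {"GetFunction", "UpdateFunctionCode", "UpdateFunctionConfiguration",
              "AddPermission", "DeleteFunctionEventInvokeConfig"}

def parse_lookup_events(output):
    return [json.loads(e["CloudTrailEvent"]) for e in output.get("Events", [])]

def _ts(ev):
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
def _fn(ev):
    return (ev.get("requestParameters") or {}).get("functionName", "?")
def _actor(ev):
    return ev.get("userIdentity", {}).get("arn", "?")

def deletion_chains(events, lookback_hours=24):
    """One dict per DeleteFunction listing the precursor events the same principal performed
    on the same function within the lookback window, oldest first."""
    lookback = timedelta(hours=lookback_hours)
    events = sorted(events, key=_ts)
    chains = []
    for i, ev in enumerate(events):
        if ev.get("eventName") != "DeleteFunction":
            continue
        earlier = [e for e in events[:i]
                   if _actor(e) == _actor(ev) and _fn(e) == _fn(ev)
                   and e.get("eventName") in PRECURSORS and _ts(ev) - _ts(e) <= lookback]
        chains.append({"function": _fn(ev), "actor": _actor(ev), "deleted_at": ev["eventTime"],
                       "precursors": [(e["eventName"], e["eventTime"]) for e in earlier]})
    return chains

CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"
CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/github"
SAMPLE = {"Events": [{"CloudTrailEvent": json.dumps(  # constructed sample, not real log data
    {"eventTime": t, "eventName": n, "userIdentity": {"arn": a}, "requestParameters": {"functionName": f}})}
    for t, n, a, f in [
        ("2024-05-15T09:30:00Z", "DeleteFunction", CONTRACTOR, "orders-api"),
        ("2024-05-15T09:00:00Z", "GetFunction", CONTRACTOR, "orders-api"),
        ("2024-05-15T09:05:00Z", "UpdateFunctionCode", CONTRACTOR, "orders-api"),
        ("2024-05-15T09:10:00Z", "DeleteFunctionEventInvokeConfig", CONTRACTOR, "orders-api"),
        ("2024-05-14T09:02:00Z", "UpdateFunctionCode", CI, "orders-api"),   # other principal
        ("2024-05-15T08:00:00Z", "DeleteFunction", CI, "tmp-helper"),
    ]]}

if __name__ == "__main__":
    print(*deletion_chains(parse_lookup_events(SAMPLE)), sep="\n")
```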
