AWS Threat Hunting Ideas: Lambda

Overview

The following are threat hunting ideas for the Lambda service, each keyed to the CloudTrail event it relies on. Two caveats apply to every lookup-events command below. First, aws cloudtrail lookup-events returns only management events from the last 90 days in the current region; it never returns data events such as function invocations, so for those (or for longer retention) query the trail's S3 output with Athena or use CloudTrail Lake. Second, CloudTrail records most Lambda control-plane APIs with an API-version suffix (for example CreateFunction20150331 or UpdateFunctionConfiguration20150331v2), and the EventName lookup attribute is an exact match, so the suffixed name must be used. Add --start-time and --end-time to narrow the window, and pivot on the userIdentity, sourceIPAddress and userAgent fields of each record to judge whether the caller is expected.

1. Unauthorized Lambda Function Creation (CreateFunction)

  • Goal: Detect unauthorized deployment of malicious Lambda functions.

  • CloudTrail Event: CreateFunction

  • Hunting Idea:

    • Identify Lambda functions created by unusual principals (the userIdentity field) or outside business hours.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateFunction20150331
    • Look for functions created with a custom runtime (provided.al2, provided.al2023) or as a container image (PackageType Image), since those let an attacker bundle arbitrary binaries such as a reverse shell. The runtime field alone does not prove malice, so retrieve and review the deployment package of any function that an unexpected principal created, and compare its execution role against the roles your known functions use.
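As an added example (not part of the original page), the following Python runs this hunt offline against a few constructed CloudTrail records rather than live lookup-events output. The deployer allow-list, approved runtimes and business-hours window are assumptions to be replaced with your own baseline, and the account ID, role and function names are made up.

```python
"""Hunt CreateFunction events by principal, time of day and runtime.

Added example for this page (not code from the original). The CloudTrail
records are constructed and abbreviated to the fields used; the account ID,
role names, approved runtimes and business-hours window are assumptions.
"""
from datetime import datetime, timezone

# Constructed CloudTrail management events. Note the API-version suffix that
# CloudTrail appends to Lambda event names (CreateFunction20150331).
SAMPLE_EVENTS = [
    {   # expected: CI role, weekday afternoon, approved runtime
        "eventTime": "2024-03-04T14:02:11Z",
        "eventName": "CreateFunction20150331",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/gha-run-88"},
        "requestParameters": {"functionName": "orders-api", "runtime": "python3.12",
                              "role": "arn:aws:iam::111122223333:role/orders-api-exec"},
    },
    {   # suspicious: IAM user not in the deployer set, 03:17 UTC
        "eventTime": "2024-03-06T03:17:45Z",
        "eventName": "CreateFunction20150331",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/contractor-temp"},
        "requestParameters": {"functionName": "healthcheck", "runtime": "nodejs20.x",
                              "role": "arn:aws:iam::111122223333:role/orders-api-exec"},
    },
    {   # suspicious: custom runtime lets the package ship arbitrary binaries
        "eventTime": "2024-03-04T11:00:00Z",
        "eventName": "CreateFunction20150331",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/gha-run-91"},
        "requestParameters": {"functionName": "img-resize", "runtime": "provided.al2023",
                              "role": "arn:aws:iam::111122223333:role/img-resize-exec"},
    },
    {   # different API, ignored by this hunt
        "eventTime": "2024-03-06T10:30:00Z",
        "eventName": "UpdateFunctionCode20150331v2",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/gha-run-95"},
        "requestParameters": {"functionName": "orders-api"},
    },
]

KNOWN_DEPLOYERS = {"ci-deploy"}                   # assumption: only CI creates functions
APPROVED_RUNTIMES = {"python3.12", "nodejs20.x"}  # assumption: managed runtimes in use
BUSINESS_HOURS_UTC = range(8, 19)                 # assumption: 08:00-18:59 UTC, Mon-Fri


def principal_name(user_identity):
    """Return the IAM user or role name behind a CloudTrail userIdentity."""
    arn = user_identity.get("arn", "")
    if user_identity.get("type") == "Root":
        return "root"
    if user_identity.get("type") == "AssumedRole":
        # arn:aws:sts::<acct>:assumed-role/<role>/<session> -> <role>
        parts = arn.split("/")
        return parts[1] if len(parts) >= 3 else arn
    return arn.rsplit("/", 1)[-1]


def hunt_create_function(events):
    """Return one finding per CreateFunction event that breaks a baseline rule."""
    findings = []
    for ev in events:
        # prefix match so the API-version suffix does not matter
        if not ev.get("eventName", "").startswith("CreateFunction"):
            continue
        who = principal_name(ev.get("userIdentity", {}))
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        params = ev.get("requestParameters") or {}
        runtime = params.get("runtime")  # absent for container-image functions
        reasons = []
        if who not in KNOWN_DEPLOYERS:
            reasons.append("unknown deployer")
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS_UTC:
            reasons.append("outside business hours")
        if runtime not in APPROVED_RUNTIMES:
            reasons.append(f"unapproved runtime {runtime}")  # None means container image
        if reasons:
            findings.append({"function": params.get("functionName"), "by": who,
                             "at": ev["eventTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_create_function(SAMPLE_EVENTS):
        print(f"{f['at']} {f['by']:15} {f['function']:12} {', '.join(f['reasons'])}")
```

To run it against real data, json.loads the CloudTrailEvent string of each item in the Events list that lookup-events returns and pass the resulting list to hunt_create_function.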

2. Function Modifications (UpdateFunctionConfiguration)

  • Goal: Detect unauthorized configuration changes that could alter function behavior.

  • CloudTrail Event: UpdateFunctionConfiguration

  • Hunting Idea:

    • Hunt for unusual changes to the runtime, handler, memory size, timeout, layers, environment variables or execution role of a function; the requestParameters of an UpdateFunctionConfiguration record contain only the fields that were changed, which makes the diff easy to read.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateFunctionConfiguration20150331v2
    • Investigate any change to the role field. Swapping the execution role for a more privileged one is a privilege escalation path for any principal that holds lambda:UpdateFunctionConfiguration together with iam:PassRole on the target role, because the function's code then runs with that role's permissions.

3. Resource-Based Policy Abuse (AddPermission/RemovePermission)

  • Goal: Detect attackers adding or removing statements in a function's resource-based policy, which controls who may invoke the function (the execution role, which controls what the function may do, is covered in 7).

  • CloudTrail Event: AddPermission, RemovePermission

  • Hunting Idea:

    • Monitor AddPermission events whose principal is another AWS account, a wildcard (*), or an AWS service principal with no SourceArn/SourceAccount condition (which lets any customer's resource of that service invoke the function). Grants of lambda:InvokeFunctionUrl with FunctionUrlAuthType NONE expose the function publicly through its URL.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AddPermission20150331v2
    • Check for RemovePermission events that strip a legitimate trigger's invoke permission. Besides breaking processing, removing the permission on a function that forwards logs or alerts silences that pipeline. The record carries only the statementId, so resolve it against the function's current policy (GetPolicy) or your IaC to see what was removed.
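As an added example (not code from the original page), the following Python classifies AddPermission records by the principal they grant invoke rights to and lists RemovePermission records for review. The records are constructed; the account ID is an assumption, and the requestParameters field names are taken to mirror the AddPermission API parameters (principal, sourceArn, sourceAccount, functionUrlAuthType).

```python
"""Classify AddPermission events by the principal they grant invoke rights to.

Added example for this page (not code from the original). The records are
constructed and abbreviated; the account ID is an assumption, and the
requestParameters field names mirror the AddPermission API parameters.
"""
import re

OWN_ACCOUNT = "111122223333"  # assumption: the account being hunted
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

SAMPLE_EVENTS = [
    {   # benign: S3 trigger scoped to one bucket in our own account
        "eventName": "AddPermission20150331v2",
        "requestParameters": {"functionName": "orders-api", "statementId": "s3-trigger",
                              "action": "lambda:InvokeFunction", "principal": "s3.amazonaws.com",
                              "sourceArn": "arn:aws:s3:::orders-uploads",
                              "sourceAccount": "111122223333"},
    },
    {   # confused deputy: any EventBridge rule in any account may invoke
        "eventName": "AddPermission20150331v2",
        "requestParameters": {"functionName": "orders-api", "statementId": "events",
                              "action": "lambda:InvokeFunction",
                              "principal": "events.amazonaws.com"},
    },
    {   # cross-account grant to a foreign account
        "eventName": "AddPermission20150331v2",
        "requestParameters": {"functionName": "orders-api", "statementId": "partner",
                              "action": "lambda:InvokeFunction", "principal": "444455556666"},
    },
    {   # public, unauthenticated function URL
        "eventName": "AddPermission20150331v2",
        "requestParameters": {"functionName": "orders-api", "statementId": "url",
                              "action": "lambda:InvokeFunctionUrl", "principal": "*",
                              "functionUrlAuthType": "NONE"},
    },
    {   # RemovePermission carries only the statement ID
        "eventName": "RemovePermission20150331v2",
        "requestParameters": {"functionName": "orders-api", "statementId": "s3-trigger"},
    },
]


def principal_account(principal):
    """Account ID a principal belongs to, or None for wildcards and service principals."""
    if ACCOUNT_ID_RE.match(principal):
        return principal
    if principal.startswith("arn:aws:iam::"):
        return principal.split(":")[4]
    return None


def classify_add_permission(params, own_account=OWN_ACCOUNT):
    """Return risk tags for one AddPermission requestParameters dict (empty if benign)."""
    tags = []
    principal = params.get("principal", "")
    if principal == "*":
        tags.append("public")
    if params.get("action") == "lambda:InvokeFunctionUrl" and params.get("functionUrlAuthType") == "NONE":
        tags.append("unauthenticated function URL")
    acct = principal_account(principal)
    if acct and acct != own_account:
        tags.append(f"cross-account {acct}")
    # a service principal with neither condition can be driven from any AWS account
    if principal.endswith(".amazonaws.com") and not (params.get("sourceArn") or params.get("sourceAccount")):
        tags.append("service principal without SourceArn/SourceAccount")
    return tags


def hunt_add_permission(events):
    """Findings for risky AddPermission events; every RemovePermission is listed for review."""
    findings = []
    for ev in events:
        name = ev.get("eventName", "")  # prefix match tolerates the API-version suffix
        params = ev.get("requestParameters") or {}
        if name.startswith("AddPermission"):
            tags = classify_add_permission(params)
            if tags:
                findings.append({"event": "AddPermission", "function": params.get("functionName"),
                                 "statementId": params.get("statementId"), "tags": tags})
        elif name.startswith("RemovePermission"):
            findings.append({"event": "RemovePermission", "function": params.get("functionName"),
                             "statementId": params.get("statementId"),
                             "tags": ["trigger permission removed; check which source stopped invoking"]})
    return findings


if __name__ == "__main__":
    for f in hunt_add_permission(SAMPLE_EVENTS):
        print(f"{f['event']:16} {f['function']} {f['statementId']:10} {'; '.join(f['tags'])}")
```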

4. Suspicious Function Invocation (Invoke)

  • Goal: Detect Lambda functions invoked for unauthorized or suspicious purposes.

  • CloudTrail Event: Invoke (a data event, recorded only when the trail has data event logging enabled for Lambda)

  • Hunting Idea:

    • Monitor for high-frequency invocations, or invocations from unexpected principals or source IPs (userIdentity, sourceIPAddress). Because Invoke is a data event, aws cloudtrail lookup-events cannot return it; query the trail's S3 output with Athena or use CloudTrail Lake. Without data events, the CloudWatch metrics Invocations, Errors and Throttles still reveal volume spikes, though not who called.
    • Correlate with VPC Flow Logs to detect unexpected outbound network calls from functions attached to a VPC. Functions that are not attached to a VPC produce no flow logs; for those, rely on the function's own CloudWatch Logs output and on controls at the destinations it is allowed to reach.

5. Credential Exposure via Environment Variables (GetFunctionConfiguration)

  • Goal: Detect attempts to read secrets stored in a function's environment variables.

  • CloudTrail Event: GetFunctionConfiguration (GetFunction returns the same configuration block, so hunt both)

  • Hunting Idea:

    • Identify GetFunctionConfiguration calls from principals that do not normally manage the function. The response returns environment variable values in plaintext, and CloudTrail records the call but not the response, so the record cannot show what was read; treat any such call by an unexpected identity as credential access and rotate whatever API keys or database credentials that function's variables hold.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetFunctionConfiguration20150331v2

6. Code Access and Tampering (GetFunction/UpdateFunctionCode)

  • Goal: Detect attempts to download or replace a function's code.

  • CloudTrail Event: GetFunction, UpdateFunctionCode

  • Hunting Idea:

    • Hunt for GetFunction calls by unexpected principals. The response includes a presigned S3 URL for the deployment package, so this is how an attacker downloads the code (and any secrets baked into it) rather than merely viewing metadata.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetFunction20150331v2
    • Monitor UpdateFunctionCode events that originate outside the normal deployment pipeline: a human identity, the console, or a source S3 bucket your pipeline does not use. The responseElements of the record include the new CodeSha256, which can be compared with the hash your build produced.

7. IAM Role Modification for Lambda Functions (AttachRolePolicy/DetachRolePolicy)

  • Goal: Detect role modifications that could increase the privileges of Lambda functions.

  • CloudTrail Event: AttachRolePolicy, DetachRolePolicy (also PutRolePolicy for inline policies and DeleteRolePermissionsBoundary; IAM is a global service, so these records carry awsRegion us-east-1 whichever region the function lives in)

  • Hunting Idea:

    • Look for privileged managed policies (e.g., AdministratorAccess, PowerUserAccess, IAMFullAccess) attached to roles that Lambda can assume, i.e. roles whose trust policy names lambda.amazonaws.com; the roleName and policyArn are in the requestParameters. Inline policies arrive via PutRolePolicy with the full document in requestParameters.policyDocument, so check those for Action "*" as well.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AttachRolePolicy
    • Identify detachment of restrictive policies (DetachRolePolicy removing a policy that carries Deny statements) and DeleteRolePermissionsBoundary, which removes the permissions boundary on a Lambda role entirely.
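The role-change hunt in 2 and the IAM policy hunt here look for the same outcome from two sides, so the following Python covers both in one pass: an UpdateFunctionConfiguration whose role differs from the expected one, a privileged managed policy attached to a Lambda execution role, a wildcard inline policy put on one, or a permissions boundary removed from one. This is an added example, not code from the original page; the records are constructed, and the function-to-role baseline, the privileged-policy list and the role names are assumptions.

```python
"""Hunt execution-role privilege escalation across Lambda and IAM events.

Added example for this page (not code from the original). Records are
constructed and abbreviated; the function-to-role baseline, the list of
privileged managed policies and the role names are assumptions.
"""
import json
from urllib.parse import unquote

# Assumed baseline: which execution role each function is supposed to run as.
EXPECTED_ROLE = {"orders-api": "orders-api-exec", "billing-cron": "billing-cron-exec"}
LAMBDA_ROLES = set(EXPECTED_ROLE.values())
PRIVILEGED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}

SAMPLE_EVENTS = [
    {"eventName": "UpdateFunctionConfiguration20150331v2",   # role swapped
     "requestParameters": {"functionName": "orders-api",
                           "role": "arn:aws:iam::111122223333:role/admin-break-glass"}},
    {"eventName": "UpdateFunctionConfiguration20150331v2",   # memory only, no role change
     "requestParameters": {"functionName": "billing-cron", "memorySize": 512}},
    {"eventName": "AttachRolePolicy",                        # admin onto a Lambda role
     "requestParameters": {"roleName": "orders-api-exec",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "AttachRolePolicy",                        # read-only, not flagged
     "requestParameters": {"roleName": "orders-api-exec",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}},
    {"eventName": "PutRolePolicy",                           # inline wildcard policy
     "requestParameters": {"roleName": "billing-cron-exec", "policyName": "tmp",
                           "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                               {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventName": "DeleteRolePermissionsBoundary",           # boundary stripped
     "requestParameters": {"roleName": "orders-api-exec"}},
    {"eventName": "AttachRolePolicy",                        # not a Lambda role; out of scope here
     "requestParameters": {"roleName": "human-admin",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]


def role_name(arn_or_name):
    """'arn:aws:iam::123456789012:role/x' -> 'x'; plain names pass through."""
    return arn_or_name.rsplit("/", 1)[-1]


def inline_policy_is_wildcard(document):
    """True if any Allow statement grants Action '*' or 'iam:*'."""
    try:
        policy = json.loads(document)
    except ValueError:
        policy = json.loads(unquote(document))  # in case the document arrived URL-encoded
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("*", "iam:*") for a in actions):
            return True
    return False


def hunt_role_changes(events):
    """Return (eventName, subject, reason) for each escalation indicator."""
    findings = []
    for ev in events:
        name = ev.get("eventName", "")
        p = ev.get("requestParameters") or {}
        if name.startswith("UpdateFunctionConfiguration") and "role" in p:
            fn, new_role = p.get("functionName"), role_name(p["role"])
            if EXPECTED_ROLE.get(fn) != new_role:
                findings.append((name, fn, f"execution role changed to {new_role}"))
        elif (name == "AttachRolePolicy" and p.get("roleName") in LAMBDA_ROLES
              and p.get("policyArn") in PRIVILEGED_POLICIES):
            findings.append((name, p["roleName"],
                             f"privileged policy {role_name(p['policyArn'])} attached"))
        elif (name == "PutRolePolicy" and p.get("roleName") in LAMBDA_ROLES
              and inline_policy_is_wildcard(p.get("policyDocument", "{}"))):
            findings.append((name, p["roleName"], f"wildcard inline policy {p.get('policyName')}"))
        elif name == "DeleteRolePermissionsBoundary" and p.get("roleName") in LAMBDA_ROLES:
            findings.append((name, p["roleName"], "permissions boundary removed"))
    return findings


if __name__ == "__main__":
    for name, subject, reason in hunt_role_changes(SAMPLE_EVENTS):
        print(f"{name:40} {subject:18} {reason}")
```

In practice, derive LAMBDA_ROLES from IAM itself (roles whose trust policy lists lambda.amazonaws.com) rather than from a hand-written map, so a new execution role created by the attacker is covered too.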

8. Event Source Manipulation (UpdateEventSourceMapping)

  • Goal: Detect changes to the event sources that feed a function, which may redirect data into an attacker's code or starve a legitimate consumer.

  • CloudTrail Event: UpdateEventSourceMapping (and CreateEventSourceMapping / DeleteEventSourceMapping)

  • Hunting Idea:

    • Monitor for unexpected changes to event source mappings. A mapping connects a stream or queue source (Kinesis, DynamoDB Streams, SQS, MSK or self-managed Kafka, Amazon MQ) to a function, so re-pointing an existing mapping or creating a new one on a sensitive queue or stream hands an attacker's function a copy of that data. S3 and API Gateway triggers are not event source mappings: they appear as AddPermission on the function plus a configuration change in the source service (a bucket notification or an API integration), so hunt for those there.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateEventSourceMapping20150331

9. Removing Asynchronous Invocation Destinations (DeleteFunctionEventInvokeConfig)

  • Goal: Detect attackers removing a function's asynchronous invocation configuration (on-failure and on-success destinations, retry count, maximum event age) so that failed or unexpected invocations no longer reach the SQS queue, SNS topic, EventBridge bus or function your team monitors. This API does not affect tracing or logging.

  • CloudTrail Event: DeleteFunctionEventInvokeConfig

  • Hunting Idea:

    • Hunt for DeleteFunctionEventInvokeConfig events, especially shortly before UpdateFunctionCode or invocation activity by the same principal. Cover the controls this API does not touch separately: X-Ray tracing and the log destination are changed through UpdateFunctionConfiguration (TracingConfig, LoggingConfig), and log suppression shows up as CloudWatch Logs events such as DeleteLogGroup or PutRetentionPolicy.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteFunctionEventInvokeConfig

10. Deleting Lambda Functions (DeleteFunction)

  • Goal: Detect attempts to delete functions to remove evidence of malicious activity.

  • CloudTrail Event: DeleteFunction

  • Hunting Idea:

    • Monitor for DeleteFunction requests, especially those targeting critical functions or issued by a principal that had just called GetFunction or UpdateFunctionCode on the same function.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteFunction20150331
    • Cross-reference with other events from the same userIdentity and session (and the same sourceIPAddress) to see whether the deletion is the cleanup step of a broader attack. Deleting a function does not delete its CloudWatch log group, so the function's execution logs survive as evidence unless the attacker also called DeleteLogGroup.
