search

AWS Threat Hunting Ideas: Lambda

hashtag
Overview

The following are ideas for threat hunting that can be done within the Lambda service.

hashtag
1. Unauthorized Lambda Function Creation (CreateFunction)

  • Goal: Detect unauthorized deployment of malicious Lambda functions.

  • CloudTrail Event: CreateFunction

  • Hunting Idea:

    • Identify Lambda functions created by unusual users or outside business hours.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateFunction

    • Look for functions with suspicious runtime environments (e.g., reverse shells disguised as functions).

hashtag
2. Function Modifications (UpdateFunctionConfiguration)

  • Goal: Detect unauthorized configuration changes that could alter function behavior.

  • CloudTrail Event: UpdateFunctionConfiguration

  • Hunting Idea:

    • Hunt for unusual changes in runtime, memory size, or IAM roles associated with Lambda functions.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateFunctionConfiguration

    • Investigate modifications that change the execution role, as it may indicate privilege escalation attempts.

hashtag
3. Execution Role Abuse (AddPermission/RemovePermission)

  • Goal: Detect attackers adding or removing permissions to manipulate Lambda roles and permissions.

  • CloudTrail Event: AddPermission, RemovePermission

  • Hunting Idea:

    • Monitor AddPermission events that allow invoking the function from external accounts or services.

    • Check for RemovePermission events, which could indicate an attempt to hide malicious activity.

hashtag
4. Suspicious Function Invocation (InvokeFunction)

  • Goal: Detect Lambda functions invoked for unauthorized or suspicious purposes.

  • CloudTrail Event: InvokeFunction

  • Hunting Idea:

    • Monitor for high-frequency invocations or those coming from unexpected sources.

    • Correlate with VPC Flow Logs to detect if the Lambda function is making unexpected outbound network calls.

hashtag
5. Data Exfiltration via Environment Variables (GetFunctionConfiguration)

  • Goal: Detect attempts to access sensitive environment variables configured in Lambda functions.

  • CloudTrail Event: GetFunctionConfiguration

  • Hunting Idea:

    • Identify suspicious GetFunctionConfiguration requests that reveal sensitive configurations, such as API keys or database credentials.

hashtag
6. Snapshot of Lambda Code (GetFunction/UpdateFunctionCode)

  • Goal: Detect attempts to access or tamper with Lambda code.

  • CloudTrail Event: GetFunction, UpdateFunctionCode

  • Hunting Idea:

    • Hunt for GetFunction requests to identify if an attacker is downloading or viewing the code.

    • Monitor for UpdateFunctionCode events where new, unauthorized code is deployed.

hashtag
7. IAM Role Modification for Lambda Functions (AttachRolePolicy/DetachRolePolicy)

  • Goal: Detect role modifications that could increase the privileges of Lambda functions.

  • CloudTrail Event: AttachRolePolicy, DetachRolePolicy

  • Hunting Idea:

    • Look for privileged policies (e.g., AdministratorAccess) attached to Lambda roles.

    • Identify detachment of restrictive policies (DetachRolePolicy) to reduce security controls.

hashtag
8. Event Source Manipulation (UpdateEventSourceMapping)

  • Goal: Detect changes to Lambda's event source that may indicate misuse.

  • CloudTrail Event: UpdateEventSourceMapping

  • Hunting Idea:

    • Monitor for unexpected changes to Lambda event source mappings (e.g., adding S3 buckets or API Gateway triggers).

hashtag
9. Disabling Function Tracing (DeleteFunctionEventInvokeConfig)

  • Goal: Detect attackers disabling tracing or logging to avoid detection.

  • CloudTrail Event: DeleteFunctionEventInvokeConfig

  • Hunting Idea:

    • Hunt for DeleteFunctionEventInvokeConfig events to detect attempts to disable logging.

hashtag
10. Deleting Lambda Functions (DeleteFunction)

  • Goal: Detect attempts to delete functions to remove evidence of malicious activity.

  • CloudTrail Event: DeleteFunction

  • Hunting Idea:

    • Monitor for DeleteFunction requests, especially those targeting critical functions.

    • Cross-reference with other events to see if deletion is part of a broader attack.

PreviousAWS Threat Hunting Ideas: EC2NextAWS Threat Hunting Ideas: SQS

Last updated