attack_technique: T1648
display_name: 'Serverless Execution'
atomic_tests:
- name: Lambda Function Hijack
  auto_generated_guid: 87a4a141-c2bb-49d1-a604-8679082d8b91
  description: |
    Modify an existing Lambda function to execute arbitrary code.
  supported_platforms:
  - iaas:aws
  input_arguments:
    access_key:
      description: AWS Access Key
      type: string
      default: ""
    secret_key:
      description: AWS Secret Key
      type: string
      default: ""
    session_token:
      description: AWS Session Token
      type: string
      default: ""
    profile:
      description: AWS profile
      type: string
      default: ""
    region:
      description: AWS region to deploy the EC2 instance
      type: string
      default: us-east-2
  dependency_executor_name: powershell
  dependencies:
  - description: |
      The AWS PowerShell module must be installed.
    prereq_command: |
      try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
    get_prereq_command: |
      Install-Module -Name AWSPowerShell -Force
  - description: |
      Terraform must be installed.
    prereq_command: |
      terraform --version
    get_prereq_command: |
      Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
  executor:
    command: |
      Import-Module "PathToAtomicsFolder/T1648/src/T1648-1/LambdaAttack.ps1" -Force
      $access_key = "#{access_key}"
      $secret_key = "#{secret_key}"
      $session_token = "#{session_token}"
      $aws_profile = "#{profile}"
      $region = "#{region}"
      Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
      Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1"
      Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1" -TerraformVariables @("profile=T1648-1", "region=$region")
      Invoke-LambdaAttack -AWSProfile "T1648-1" -AWSRegion $region
    cleanup_command: |
      Import-Module "PathToAtomicsFolder/T1648/src/T1648-1/LambdaAttack.ps1" -Force
      $access_key = "#{access_key}"
      $secret_key = "#{secret_key}"
      $session_token = "#{session_token}"
      $aws_profile = "#{profile}"
      $region = "#{region}"
      Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
      Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1" -TerraformVariables @("profile=T1648-1", "region=$region")
      Remove-MaliciousUser -AWSProfile "T1648-1"
      Remove-TFFiles -Path "PathToAtomicsFolder/T1648/src/T1648-1/"
    name: powershell