rules/cloud/aws/aws_attached_malicious_lambda_layer.yml

title: AWS Attached Malicious Lambda Layer
id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
status: test
description: |
  Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls.
  This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
references:
    - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
author: Austin Songer
date: 2021/09/23
modified: 2022/10/09
tags:
    - attack.privilege_escalation
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: lambda.amazonaws.com
        eventName|startswith: 'UpdateFunctionConfiguration'
    condition: selection
falsepositives:
    - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Create aws_attached_malicious_lambda_layer.yml 2021-09-23 08:38:02 -05:00			`title: AWS Attached Malicious Lambda Layer`
Update aws_attached_malicious_lambda_layer.yml 2021-09-23 08:40:26 -05:00			`id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d`
$frack113$ old experimental rule promotion 2022-10-09 16:54:04 +02:00			`status: test`
$frack113$ Order yaml field 2022-10-25 07:34:10 +02:00			`description: \|`
			`Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls.`
			`This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.`
Create aws_attached_malicious_lambda_layer.yml 2021-09-23 08:38:02 -05:00			`references:`
			`- https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html`
$frack113$ old experimental rule promotion 2022-10-09 16:54:04 +02:00			`author: Austin Songer`
			`date: 2021/09/23`
			`modified: 2022/10/09`
			`tags:`
			`- attack.privilege_escalation`
Create aws_attached_malicious_lambda_layer.yml 2021-09-23 08:38:02 -05:00			`logsource:`
$frack113$ Add product aws 2021-11-14 09:56:59 +01:00			`product: aws`
Create aws_attached_malicious_lambda_layer.yml 2021-09-23 08:38:02 -05:00			`service: cloudtrail`
			`detection:`
			`selection:`
			`eventSource: lambda.amazonaws.com`
Added quotes to strings 2022-09-01 15:22:26 +02:00			`eventName\|startswith: 'UpdateFunctionConfiguration'`
Use startswith for eventName selection 2021-10-05 17:52:52 +01:00			`condition: selection`
Create aws_attached_malicious_lambda_layer.yml 2021-09-23 08:38:02 -05:00			`falsepositives:`
$frack113$ old experimental rule promotion 2022-10-09 16:54:04 +02:00			`- Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.`
			`- Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.`
			`level: medium`