From fdc45505e009654b00d4a3d7c801dac3fc5ed14c Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Thu, 23 Sep 2021 08:38:02 -0500
Subject: [PATCH 1/3] Create aws_attached_malicious_lambda_layer.yml
---
 .../aws_attached_malicious_lambda_layer.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
new file mode 100644
index 000000000..a57e61df1
--- /dev/null
+++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
@@ -0,0 +1,21 @@
+title: AWS Attached Malicious Lambda Layer
+id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
+description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
+author: Austin Songer
+status: experimental
+date: 2021/09/23
+references:
+ - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
+logsource:
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: lambda.amazonaws.com
+ eventName: UpdateFunctionConfiguration
+ condition: selection
+level: low
+tags:
+ - attack.privilege_escalation
+falsepositives:
+ - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 8203a2d5f2f1736d3471bee9f48e4ed51cad35e3 Mon Sep 17 00:00:00 2001
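Review bot: The `selection` under `detection` matches every `UpdateFunctionConfiguration` call, not only those that attach a layer, so the rule will fire on routine edits to memory, timeout, handler or environment variables and does not deliver what the title and description promise. Narrow it to requests that actually carry a layer list, for example by adding `requestParameters.layers|contains: 'arn:aws:lambda:'` to `selection` (the exact CloudTrail field path should be confirmed against a captured event before merging), and consider filtering out layer ARNs from your own accounts as a tuning step. The `falsepositives` guidance also points analysts at a "hostname", which CloudTrail does not record; `userIdentity.arn`, `userAgent` and `sourceIPAddress` are the fields that are actually available to pivot on. Rewording the description to "Detects when a user attaches a Lambda layer ..." would fix the grammar at the same time.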
From: Austin Songer
Date: Thu, 23 Sep 2021 08:40:26 -0500
Subject: [PATCH 2/3] Update aws_attached_malicious_lambda_layer.yml
---
 rules/cloud/aws/aws_attached_malicious_lambda_layer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
index a57e61df1..39c92d704 100644
--- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
+++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
@@ -1,5 +1,5 @@
 title: AWS Attached Malicious Lambda Layer
-id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
+id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
 description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
 author: Austin Songer
 status: experimental
From 0d07a78a2da137412d14baf921a4653f0121cf5b Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 27 Sep 2021 23:41:19 -0500
Subject: [PATCH 3/3] Update aws_attached_malicious_lambda_layer.yml
---
 rules/cloud/aws/aws_attached_malicious_lambda_layer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
index 39c92d704..7c97e8d2c 100644
--- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
+++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml
@@ -13,7 +13,7 @@ detection:
 eventSource: lambda.amazonaws.com
 eventName: UpdateFunctionConfiguration
 condition: selection
-level: low
+level: medium
 tags:
 - attack.privilege_escalation
 falsepositives: