security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4989d43ae97015f8113aed2efcd49d288b8fec21
blue-team-tools/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml
T
Nasreddine Bencherchali 7364ce00b1 Merge PR #4476 from @nasbench - re-organize cloud folder and other things 
fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
fix: Google Workspace Application Removed - Update logsource product field to `gcp`
fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp`
fix: Google Workspace MFA Disabled - Update logsource product field to `gcp`
fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp`
fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp`
fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
2023-10-12 13:32:24 +02:00

26 lines
1.2 KiB
YAML
Raw Blame History

title: AWS Attached Malicious Lambda Layer
id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
status: test
description: |
Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls.
This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
references:
- https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
author: Austin Songer
date: 2021/09/23
modified: 2022/10/09
tags:
- attack.privilege_escalation
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: lambda.amazonaws.com
eventName|startswith: 'UpdateFunctionConfiguration'
condition: selection
falsepositives:
- Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Reference in New Issue View Git Blame Copy Permalink