Rachel Rice
4ae3ece314
Use correct case for `AssumeRoleWithSAML` event name. `UpdateFunctionConfiguration`, `UpdateFunctionConfiguration20150331` and `UpdateFunctionConfiguration20150331v2` are all valid event names for updating Lambda function configuration, added selection condition for any of these.
27 lines
1.3 KiB
YAML
27 lines
1.3 KiB
YAML
title: AWS Attached Malicious Lambda Layer
|
|
id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
|
|
description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
|
|
author: Austin Songer
|
|
status: experimental
|
|
date: 2021/09/23
|
|
references:
|
|
- https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
|
|
logsource:
|
|
service: cloudtrail
|
|
detection:
|
|
selection:
|
|
eventSource: lambda.amazonaws.com
|
|
filter1:
|
|
eventName: UpdateFunctionConfiguration
|
|
filter2:
|
|
eventName: UpdateFunctionConfiguration20150331
|
|
filter3:
|
|
eventName: UpdateFunctionConfiguration20150331v2
|
|
condition: selection and (filter1 or filter2 or filter3)
|
|
level: medium
|
|
tags:
|
|
- attack.privilege_escalation
|
|
falsepositives:
|
|
- Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
|
|
- Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
|