AWS Lambda UpdateFunctionCode

Original Source: [splunk source]
Name:AWS Lambda UpdateFunctionCode
id:211b80d3-6340-4345-11ad-212bf3d0d111
version:4
date:2024-10-22
author:Bhavin Patel, Splunk
status:production
type:Hunting
Description:The following analytic identifies IAM users attempting to update or modify AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful `UpdateFunctionCode` events initiated by IAM users. This activity is significant as it may indicate an attempt to gain persistence, further access, or plant backdoors within your AWS environment. If confirmed malicious, an attacker could upload and execute malicious code automatically when the Lambda function is triggered, potentially compromising the integrity and security of your AWS infrastructure.
Data_source:
  • -AWS CloudTrail
search:`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`

how_to_implement:You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.
known_false_positives:While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately.
References:
  -http://detectioninthe.cloud/execution/modify_lambda_function_code/
   -https://sysdig.com/blog/exploit-mitigate-aws-lambdas-mitre/
 drilldown_searches:
  :
tags:
  analytic_story:
    - 'Suspicious Cloud User Activities'
  asset_type:AWS Account
  confidence:90
  impact:70
  message:User $user_arn$ is attempting to update the lambda function code of $function_updated$ from this IP $src_ip$
  mitre_attack_id:
    - 'T1204'
  observable:
    name:'src_ip'
    type:'IP Address'
    - role:
      - 'Attacker'
    name:'user_arn'
    type:'User'
    - role:
      - 'Attacker'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'eventName'
    - 'userAgent'
    - 'errorCode'
  risk_score:63
  security_domain:threat

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json
  sourcetype: aws:cloudtrail
  source: aws_cloudtrail
  update_timestamp: True
manual_test:None

Related Analytic Stories


Suspicious Cloud User Activities

© 2024 DetectionCode Website. All Rights Reserved.