Modify Lambda Function Code
An attacker may attempt to modify the code that a Lambda function executes in order to gain a foothold in the environment.
| Name | Type | Description | Example value |
|---|---|---|---|
| functionname | str | Name of the function to be targeted | example-function |
| zipfile | str | Filename of the zip file of code to be uploaded | file.zip |
aws lambda update-function-code --function-name example-function --zip-file fileb://file.zip --publish
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:None AND eventSource:None
---
title: Modify Lambda Function Code
id: 7890b11c-19b3-4fb9-bbec-cae87db769ca
status: experimental
author: Nick Jones
date: 2020-06-18
description: An attacker may attempt to modify the code that a lambda function executes in order to gain a foothold in the environment
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "None"
  events:
    - eventName: "None"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089
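The Lucene query and Sigma rule above carry `None` where the event source and event name should be. As an added example (not part of the original page or the project's tooling), this filter picks out the CloudTrail records that the `update-function-code` call generates, assuming the event source `lambda.amazonaws.com` and the versioned event name `UpdateFunctionCode20150331v2` from AWS's CloudTrail documentation; the sample records and the `_rec` helper are constructed for illustration.

```python
import json

LAMBDA_SOURCE = "lambda.amazonaws.com"
# CloudTrail records Lambda calls with an API-version suffix, e.g.
# UpdateFunctionCode20150331v2 (assumption from AWS docs, not from the page).
EVENT_PREFIX = "UpdateFunctionCode"

def _rec(name, source=LAMBDA_SOURCE, user="alice", params=None, error=None):
    """Build a constructed CloudTrail record holding only the fields read below."""
    rec = {
        "eventTime": "2020-06-18T10:00:00Z",
        "eventSource": source,
        "eventName": name,
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
        "requestParameters": params,
    }
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log file, not captured from a real account.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("UpdateFunctionCode20150331v2",
         params={"functionName": "example-function", "publish": True}),
    _rec("UpdateFunctionCode20150331v2", user="bob", error="AccessDenied",
         params={"functionName": "example-function", "publish": True}),
    _rec("UpdateFunctionConfiguration20150331v2",
         params={"functionName": "example-function"}),
    _rec("PutObject", source="s3.amazonaws.com"),
]})

def find_code_updates(cloudtrail_json):
    """Return one finding per Lambda code-update call in a CloudTrail log file."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != LAMBDA_SOURCE:
            continue
        if not rec.get("eventName", "").startswith(EVENT_PREFIX):
            continue
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "function": params.get("functionName"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "published": bool(params.get("publish")),
            "succeeded": "errorCode" not in rec,  # errorCode appears only on failure
        })
    return findings
```

Denied attempts are kept in the results with `succeeded` set to `False`, since a rejected code update is still worth triaging.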