Modify Lambda Function Code (aws)
| Platform | Author | Last Update |
|---|---|---|
| aws | Nick Jones | 2024-12-02 |
An attacker may attempt to modify the code that a lambda function executes in order to gain a foothold in the environment
MITRE IDs
Required Permissions
- lambda:UpdateFunctionCode
Required Parameters
| Name | Type | Description | Example Value |
|---|---|---|---|
| functionname | str | Name of the function to be targeted | example-function |
| zipfile | str | Filename of the zip file of code to be uploaded | file.zip |
Attacker Action
aws lambda update-function-code --function-name example-function --zip-file file.zip --publishDetection Case
ELK query
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:None AND eventSource:NoneSigma Definition
---title: Modify Lambda Function Codeid: 7890b11c-19b3-4fb9-bbec-cae87db769castatus: experimentalauthor: Nick Jonesdate: 2024-12-02description: An attacker may attempt to modify the code that a lambda function executes in order to gain a foothold in the environmentlogsource: service: cloudtraildetection: selection_source: - eventSource: "None" events: - eventName: "None" condition: selection_source and eventslevel: lowtags: - attack.T1059