AWS Lambda Layer Added to Existing Function
Detection of a Lambda layer being added to an existing AWS Lambda function, potentially indicating malicious activity such as persistence, unauthorized code execution, or data interception by an attacker with the ability to modify function configurations.
This detection identifies when a Lambda layer is added to an existing AWS Lambda function. Lambda layers enable shared code, dependencies, or runtime modifications to be injected into a function’s execution environment. Threat actors with the ability to update function configurations may add a malicious layer to establish persistence, execute unauthorized code, or intercept data handled by the function. The activity is detected via CloudTrail logs that record PublishLayerVersion* or UpdateFunctionConfiguration* events. Reviewing these actions is important to ensure that all modifications are expected and authorized. This activity can be used for initial access, persistence and defense evasion.
Attack Chain
- An attacker gains unauthorized access to an AWS account with sufficient permissions to modify Lambda function configurations.
- The attacker identifies a target Lambda function to compromise.
- The attacker creates a malicious Lambda layer containing malicious code or dependencies.
- The attacker uses the
PublishLayerVersionAPI call to publish the malicious layer to AWS. - The attacker uses the
UpdateFunctionConfigurationAPI call to add the newly published layer to the target Lambda function's configuration. - The Lambda function is invoked, triggering the execution of the malicious code within the added layer.
- The malicious code performs unauthorized actions, such as data exfiltration or establishing a reverse shell.
Impact
Successful exploitation can lead to unauthorized code execution within the Lambda function's execution environment. This can compromise sensitive data, disrupt services, or establish persistence within the AWS environment. The modification of Lambda functions can be difficult to detect without proper monitoring.
Recommendation
- Deploy the Sigma rule "AWS Lambda Layer Added to Existing Function" to detect suspicious modifications to Lambda function configurations (see rules section).
- Monitor AWS CloudTrail logs for
PublishLayerVersion*andUpdateFunctionConfiguration*events to identify potentially malicious layer additions. - Implement strict IAM policies to limit the ability to modify Lambda function configurations and publish new layers.
- Regularly review Lambda function configurations to ensure that all layers are authorized and legitimate.
- Investigate any modifications to Lambda function configurations that do not align with approved changes or expected CI/CD behavior, referencing the investigation fields from the original source.
Detection coverage 2
AWS Lambda Layer Added to Existing Function
lowDetects when a Lambda layer is added to an existing AWS Lambda function, indicating potential malicious activity.
AWS Lambda Publish Layer Version
infoDetects when a Lambda Layer Version is published.
Detection queries are available on the platform. Get full rules →