{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-mq/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Lambda","Amazon SQS","Amazon Kinesis","Amazon DynamoDB","Amazon MSK","Apache Kafka","Amazon MQ"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","persistence","execution","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Amazon","Apache"],"content_html":"\u003cp\u003eAdversaries possessing \u003ccode\u003elambda:CreateEventSourceMapping\u003c/code\u003e permissions can abuse this AWS functionality to establish persistent access and facilitate data exfiltration within compromised AWS environments. This technique involves linking an event source, such as an Amazon SQS queue, Amazon Kinesis stream, DynamoDB stream, Amazon MSK, self-managed Apache Kafka topic, or Amazon MQ broker, to a malicious Lambda function. Once configured, the Lambda function is automatically invoked whenever new records arrive at the event source. This grants the attacker durable execution capabilities without requiring further interactive activity, allowing for continuous data siphoning or maintaining a foothold. This method offers a stealthy way to achieve persistence, as the event-driven nature can bypass traditional interactive session monitoring. This threat emphasizes the need for vigilant monitoring of Lambda configuration changes and strict permission management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An adversary gains initial access to an AWS account, potentially through compromised credentials or exploitation of a vulnerable application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Reconnaissance\u003c/strong\u003e: The adversary identifies or escalates privileges to a role with \u003ccode\u003elambda:CreateEventSourceMapping\u003c/code\u003e permissions and \u003ccode\u003elambda:CreateFunction\u003c/code\u003e/\u003ccode\u003elambda:UpdateFunctionCode\u003c/code\u003e or similar permissions to deploy/modify Lambda functions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Malicious Lambda Function\u003c/strong\u003e: The adversary deploys a new Lambda function or modifies an existing one to include malicious code designed for persistence or data exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Sensitive Event Source\u003c/strong\u003e: The adversary identifies an existing event source (e.g., an Amazon SQS queue, Kinesis stream, or DynamoDB stream) containing sensitive data or frequently processed events.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCreate Event Source Mapping\u003c/strong\u003e: Using \u003ccode\u003elambda:CreateEventSourceMapping\u003c/code\u003e, the adversary creates a mapping connecting the identified sensitive event source to their malicious Lambda function.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvent Triggered Execution\u003c/strong\u003e: As new records arrive in the event source, the malicious Lambda function is automatically invoked in the background.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence/Data Exfiltration\u003c/strong\u003e: The malicious Lambda function executes, maintaining persistence by processing future events, or exfiltrating sensitive data from the event stream to an attacker-controlled destination.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation\u003c/strong\u003e: The adversary may attempt to obscure the purpose of the mapping or blend it with legitimate system activity to avoid detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to severe consequences, including continuous data exfiltration of sensitive information processed by the compromised AWS environment. For instance, if an SQS queue handling customer data or a Kinesis stream processing financial transactions is mapped, adversaries can silently siphon this data over an extended period. This method establishes a highly stealthy and durable persistence mechanism, making it difficult for defenders to detect and eradicate. The event-driven nature of Lambda functions also means the malicious code executes autonomously, requiring minimal further attacker interaction, thus reducing the chances of interactive C2 detection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS Lambda Event Source Mapping Creation\u0026quot; in this brief to your SIEM and tune for your environment to detect suspicious \u003ccode\u003eCreateEventSourceMapping\u003c/code\u003e calls.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003elambda:CreateEventSourceMapping\u003c/code\u003e permissions to only trusted roles and automated deployment pipelines, referencing the AWS documentation on API permissions.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts from the \u0026quot;AWS Lambda Event Source Mapping Creation\u0026quot; rule, paying close attention to \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e, \u003ccode\u003efunctionName\u003c/code\u003e, and \u003ccode\u003eeventSourceArn\u003c/code\u003e to determine legitimacy.\u003c/li\u003e\n\u003cli\u003eRegularly audit existing AWS Lambda event source mappings to identify any unauthorized or suspicious configurations, focusing on the target function and event source involved.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T16:18:26Z","date_published":"2026-07-03T16:18:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-lambda-event-source-mapping-persistence/","summary":"Adversaries can exploit the creation of AWS Lambda event source mappings to establish stealthy persistence and execution, or to continuously siphon records from event sources like Amazon SQS, Kinesis, DynamoDB, MSK, Kafka, or MQ, by mapping an event source to an attacker-controlled Lambda function, enabling durable execution and data exfiltration without requiring further interactive access.","title":"AWS Lambda Event Source Mapping Abuse for Persistence and Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-lambda-event-source-mapping-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed - Amazon MQ","version":"https://jsonfeed.org/version/1.1"}