<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Amazon MQ - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/amazon-mq/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 16:18:26 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/amazon-mq/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Lambda Event Source Mapping Abuse for Persistence and Data Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-lambda-event-source-mapping-persistence/</link><pubDate>Fri, 03 Jul 2026 16:18:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-lambda-event-source-mapping-persistence/</guid><description>Adversaries can exploit the creation of AWS Lambda event source mappings to establish stealthy persistence and execution, or to continuously siphon records from event sources like Amazon SQS, Kinesis, DynamoDB, MSK, Kafka, or MQ, by mapping an event source to an attacker-controlled Lambda function, enabling durable execution and data exfiltration without requiring further interactive access.</description><content:encoded><![CDATA[<p>Adversaries possessing <code>lambda:CreateEventSourceMapping</code> permissions can abuse this AWS functionality to establish persistent access and facilitate data exfiltration within compromised AWS environments. This technique involves linking an event source, such as an Amazon SQS queue, Amazon Kinesis stream, DynamoDB stream, Amazon MSK, self-managed Apache Kafka topic, or Amazon MQ broker, to a malicious Lambda function. Once configured, the Lambda function is automatically invoked whenever new records arrive at the event source. This grants the attacker durable execution capabilities without requiring further interactive activity, allowing for continuous data siphoning or maintaining a foothold. This method offers a stealthy way to achieve persistence, as the event-driven nature can bypass traditional interactive session monitoring. This threat emphasizes the need for vigilant monitoring of Lambda configuration changes and strict permission management.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An adversary gains initial access to an AWS account, potentially through compromised credentials or exploitation of a vulnerable application.</li>
<li><strong>Privilege Escalation/Reconnaissance</strong>: The adversary identifies or escalates privileges to a role with <code>lambda:CreateEventSourceMapping</code> permissions and <code>lambda:CreateFunction</code>/<code>lambda:UpdateFunctionCode</code> or similar permissions to deploy/modify Lambda functions.</li>
<li><strong>Deploy Malicious Lambda Function</strong>: The adversary deploys a new Lambda function or modifies an existing one to include malicious code designed for persistence or data exfiltration.</li>
<li><strong>Identify Sensitive Event Source</strong>: The adversary identifies an existing event source (e.g., an Amazon SQS queue, Kinesis stream, or DynamoDB stream) containing sensitive data or frequently processed events.</li>
<li><strong>Create Event Source Mapping</strong>: Using <code>lambda:CreateEventSourceMapping</code>, the adversary creates a mapping connecting the identified sensitive event source to their malicious Lambda function.</li>
<li><strong>Event Triggered Execution</strong>: As new records arrive in the event source, the malicious Lambda function is automatically invoked in the background.</li>
<li><strong>Persistence/Data Exfiltration</strong>: The malicious Lambda function executes, maintaining persistence by processing future events, or exfiltrating sensitive data from the event stream to an attacker-controlled destination.</li>
<li><strong>Obfuscation</strong>: The adversary may attempt to obscure the purpose of the mapping or blend it with legitimate system activity to avoid detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this technique can lead to severe consequences, including continuous data exfiltration of sensitive information processed by the compromised AWS environment. For instance, if an SQS queue handling customer data or a Kinesis stream processing financial transactions is mapped, adversaries can silently siphon this data over an extended period. This method establishes a highly stealthy and durable persistence mechanism, making it difficult for defenders to detect and eradicate. The event-driven nature of Lambda functions also means the malicious code executes autonomously, requiring minimal further attacker interaction, thus reducing the chances of interactive C2 detection.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS Lambda Event Source Mapping Creation&quot; in this brief to your SIEM and tune for your environment to detect suspicious <code>CreateEventSourceMapping</code> calls.</li>
<li>Restrict <code>lambda:CreateEventSourceMapping</code> permissions to only trusted roles and automated deployment pipelines, referencing the AWS documentation on API permissions.</li>
<li>Investigate all alerts from the &quot;AWS Lambda Event Source Mapping Creation&quot; rule, paying close attention to <code>aws.cloudtrail.user_identity.arn</code>, <code>functionName</code>, and <code>eventSourceArn</code> to determine legitimacy.</li>
<li>Regularly audit existing AWS Lambda event source mappings to identify any unauthorized or suspicious configurations, focusing on the target function and event source involved.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>persistence</category><category>execution</category><category>data-exfiltration</category></item></channel></rss>