{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/service-stop/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Lambda"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","lambda","impact","data-destruction","service-stop"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis brief details the potential malicious deletion of AWS Lambda functions, a critical cloud impact technique. Threat actors, after gaining unauthorized access to an AWS environment, may delete Lambda functions to achieve several objectives: disrupt critical business operations and automated workflows, destroy attacker-deployed backdoors to remove evidence of their activities, or inhibit incident response by eliminating essential components of the victim's infrastructure. Such deletions are destructive and often irreversible without meticulous redeployment, making them a significant concern for defenders. While legitimate deletions occur during application decommissioning or infrastructure-as-code cycles, unauthorized deletions represent a significant compromise and indicate a severe impact on the targeted organization's cloud resources and operational continuity.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe unauthorized deletion of AWS Lambda functions can lead to severe operational disruptions, causing outages for serverless applications, breaking automated workflows, and rendering essential services inoperable. If attackers delete functions that were part of their command and control infrastructure or persistence mechanisms, it serves to destroy evidence of their presence, complicating forensic analysis and incident recovery efforts. Furthermore, the deletion of critical infrastructure components or security-related functions can actively inhibit incident response teams from effectively containing or remediating a breach, prolonging the attacker's dwell time and increasing potential damages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003eDeleteFunction\u003c/code\u003e calls in AWS CloudTrail logs and ensure immediate alerting for unauthorized activity.\u003c/li\u003e\n\u003cli\u003eInvestigate the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003euser_agent.original\u003c/code\u003e fields from the Sigma rule's log source to identify the principal performing the deletion and the method used.\u003c/li\u003e\n\u003cli\u003eInspect \u003ccode\u003eaws.cloudtrail.request_parameters.functionName\u003c/code\u003e (as seen in the rule's positive test data) to understand which specific function was deleted and its associated application or environment.\u003c/li\u003e\n\u003cli\u003eCorrelate \u003ccode\u003eaws.cloudtrail\u003c/code\u003e events with your organization's change management records to determine if a deletion aligns with an approved maintenance or deployment window.\u003c/li\u003e\n\u003cli\u003eImplement filtering within your SIEM for known and approved deployment roles or CI/CD pipelines (e.g., specific \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e values) that legitimately perform Lambda function deletions to reduce false positives.\u003c/li\u003e\n\u003cli\u003eIf an unauthorized deletion is confirmed, restore the affected Lambda function from a known-good source or infrastructure-as-code definition and verify its configuration and execution role.\u003c/li\u003e\n\u003cli\u003eRotate or restrict credentials for the compromised principal if illicit activity is suspected, and enforce the principle of least privilege by limiting \u003ccode\u003elambda:DeleteFunction\u003c/code\u003e permissions to a minimal set of trusted roles.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T16:17:38Z","date_published":"2026-07-03T16:17:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-lambda-function-deletion/","summary":"Adversaries may delete AWS Lambda functions to disrupt business operations, remove evidence of their presence, or impede incident response, an action detectable by monitoring for `DeleteFunction` calls in `aws.cloudtrail` logs and correlating with expected change windows.","title":"AWS Lambda Function Deletion","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-lambda-function-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Service-Stop","version":"https://jsonfeed.org/version/1.1"}