Triggers

  • After enumerating Lambda functions and IAM roles, create a Lambda function, and add a new rule to that Lambda function.

Possible Root Causes

  • An attacker is creating a Lambda function that serves as a backdoor into the environment.
  • An administrator is creating a Lambda function with a trigger for legitimate reasons.

Business Impact

  • Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.
  • An inserted backdoor may provide hidden access persistence within the environment, allowing attackers to return to the environment after eviction.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Validate that any modifications are authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.