This analytic is designed to detect an IAM user updating AWS Lambda code via the AWS CLI to gain persistent, further access into your AWS environment and to facilitate planting backdoors. An attacker may upload malicious code or a binary to a Lambda function, which will then be executed automatically when the function is triggered.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Amazon Web Services |
| ID | 2dd2143b-6667-4a7a-b04f-98d22caeffac |
| Severity | Medium |
| Tactics | Execution |
| Techniques | T1204 |
| Required Connectors | AWS |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AWSCloudTrail | EventName startswith "UpdateFunctionCode" | ✓ | ✓ | ? |