AWS - DynamoDB Persistence
DynamoDB
For more information access:
pageAWS - DynamoDB EnumDynamoDB Triggers with Lambda Backdoor
Using DynamoDB triggers, an attacker can create a stealthy backdoor by associating a malicious Lambda function with a table. The Lambda function can be triggered when an item is added, modified, or deleted, allowing the attacker to execute arbitrary code within the AWS account.
To maintain persistence, the attacker can create or modify items in the DynamoDB table, which will trigger the malicious Lambda function. This allows the attacker to execute code within the AWS account without direct interaction with the Lambda function.
DynamoDB as a C2 Channel
An attacker can use a DynamoDB table as a command and control (C2) channel by creating items containing commands and using compromised instances or Lambda functions to fetch and execute these commands.
The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources.
Last updated