AWS - Lambda Persistence

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Lambda

For more information check:

Lambda Layer Persistence

It's possible to introduce/backdoor a layer to execute arbitrary code when the lambda is executed in a stealthy way:

pageAWS - Lambda Layers Persistence

Lambda Extension Persistence

Abusing Lambda Layers it's also possible to abuse extensions and persiste in the lambda but also steal and modify requests.

pageAWS - Abusing Lambda Extensions

Via resource policies

It's possible to grant access to different lambda actions (such as invoke or update code) to external accounts:

Versions, Aliases & Weights

A Lambda can have different versions (with different code each version). Then, you can create different aliases with different versions of the lambda and set different weights to each. This way an attacker could create a backdoored version 1 and a version 2 with only the legit code and only execute the version 1 in 1% of the requests to remain stealth.

Version Backdoor + API Gateway

Copy the original code of the Lambda
Create a new version backdooring the original code (or just with malicious code). Publish and deploy that version to $LATEST
1. Call the API gateway related to the lambda to execute the code
Create a new version with the original code, Publish and deploy that version to $LATEST.
1. This will hide the backdoored code in a previous version
Go to the API Gateway and create a new POST method (or choose any other method) that will execute the backdoored version of the lambda: arn:aws:lambda:us-east-1:<acc_id>:function:<func_name>:1
1. Note the final :1 of the arn indicating the version of the function (version 1 will be the backdoored one in this scenario).
Select the POST method created and in Actions select Deploy API
Now, when you call the function via POST your Backdoor will be invoked

Cron/Event actuator

The fact that you can make lambda functions run when something happen or when some time pass makes lambda a nice and common way to obtain persistence and avoid detection. Here you have some ideas to make your presence in AWS more stealth by creating lambdas.

Every time a new user is created lambda generates a new user key and send it to the attacker.
Every time a new role is created lambda gives assume role permissions to compromised users.
Every time new cloudtrail logs are generated, delete/alter them

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - KMS Persistence NextAWS - Abusing Lambda Extensions

Last updated 2 months ago