AWS - Lambda Persistence


tip

Learn and practice AWS hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Lambda

For more information, see:

AWS - Lambda Enum

Lambda Layer Persistence

It's possible to introduce or backdoor a layer so that arbitrary code runs, stealthily, every time the Lambda is executed:

AWS - Lambda Layers Persistence

Lambda Extension Persistence

Building on Lambda Layers, extensions can also be abused not only to persist inside the Lambda but also to steal and modify requests.

AWS - Abusing Lambda Extensions

Via resource policies

It's possible to grant access to different Lambda actions (such as invoking the function or updating its code) to external accounts:

Versions, Aliases & Weights

A Lambda can have several published versions, each with its own code.
You can then create aliases that point to different versions and assign a traffic weight to each version behind an alias.
This way an attacker could publish a backdoored version 1 and a clean version 2, and route only 1% of the requests to version 1 to stay stealthy.

Version Backdoor + API Gateway

  1. Copy the original code of the Lambda
  2. Create a new version backdooring the original code (or just with malicious code). Publish and deploy that version to $LATEST
  3. Call the API gateway related to the lambda to execute the code
  4. Create a new version with the original code, Publish and deploy that version to $LATEST.
  5. This will hide the backdoored code in a previous version
  6. Go to the API Gateway and create a new POST method (or choose any other method) that will execute the backdoored version of the lambda: arn:aws:lambda:us-east-1:<acc_id>:function:<func_name>:1
  7. Note the final :1 of the arn indicating the version of the function (version 1 will be the backdoored one in this scenario).
  8. Select the POST method created and in Actions select Deploy API
  9. Now, when you call the function via POST your Backdoor will be invoked
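The two tricks above (weighted alias routing and an API Gateway integration pinned to a numeric version) both leave traces in plain configuration data. The following audit script is an added example, not HackTricks' code: it consumes the JSON shapes returned by `aws lambda list-aliases`, `aws lambda list-versions-by-function` and `aws apigateway get-integration`, flags aliases that split traffic across versions, lists published versions no alias references (where a hidden version would sit), and flags integration URIs that call a fixed version such as `:1` directly. All sample data, account ids and function names below are constructed.

```python
"""Audit Lambda aliases, versions and API Gateway integrations for hidden versions.

Added example (not HackTricks' code). Input shapes mirror the JSON returned by
`aws lambda list-aliases`, `aws lambda list-versions-by-function` and
`aws apigateway get-integration`; the sample data below is constructed and the
account id / function names are fake.
"""
import re

# arn:aws:lambda:<region>:<account>:function:<name>[:<version-or-alias>]
LAMBDA_ARN_RE = re.compile(
    r"^arn:aws:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):function:"
    r"(?P<name>[A-Za-z0-9_-]+)(?::(?P<qualifier>[A-Za-z0-9_$-]+))?$"
)
# API Gateway wraps the function ARN inside its Lambda integration URI
APIGW_URI_RE = re.compile(
    r"^arn:aws:apigateway:[a-z0-9-]+:lambda:path/2015-03-31/functions/"
    r"(?P<fn>arn:aws:lambda:[^/]+)/invocations$"
)


def parse_function_arn(arn):
    """Return region/account/name/qualifier of a Lambda function ARN, or None."""
    m = LAMBDA_ARN_RE.match(arn)
    return m.groupdict() if m else None


def audit_aliases(aliases):
    """Flag aliases whose RoutingConfig sends a share of traffic to another version."""
    findings = []
    for alias in aliases:
        routing = alias.get("RoutingConfig") or {}
        for version, weight in routing.get("AdditionalVersionWeights", {}).items():
            findings.append({
                "alias": alias["Name"],
                "primary_version": alias["FunctionVersion"],
                "shadow_version": version,
                "weight": weight,
                "reason": "weighted routing sends part of the traffic to another version",
            })
    return findings


def unreferenced_versions(versions, aliases):
    """Published versions that no alias points to: where a backdoored version would hide."""
    referenced = set()
    for alias in aliases:
        referenced.add(alias["FunctionVersion"])
        routing = alias.get("RoutingConfig") or {}
        referenced.update(routing.get("AdditionalVersionWeights", {}).keys())
    return sorted((v for v in versions if v != "$LATEST" and v not in referenced), key=int)


def audit_integration_uris(uris):
    """Flag API Gateway integrations that invoke a fixed numeric version directly."""
    findings = []
    for uri in uris:
        m = APIGW_URI_RE.match(uri)
        fn = parse_function_arn(m.group("fn")) if m else None
        if fn and fn["qualifier"] and fn["qualifier"].isdigit():
            findings.append({
                "uri": uri, "function": fn["name"], "version": fn["qualifier"],
                "reason": "integration bypasses aliases by calling a pinned version",
            })
    return findings


# Constructed sample data (fake account id and names)
SAMPLE_ALIASES = [
    {"Name": "prod", "FunctionVersion": "2",
     "RoutingConfig": {"AdditionalVersionWeights": {"1": 0.01}}},
    {"Name": "staging", "FunctionVersion": "2"},
]
SAMPLE_VERSIONS = ["$LATEST", "1", "2", "3"]
SAMPLE_URIS = [
    "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
    "arn:aws:lambda:us-east-1:123456789012:function:orders:1/invocations",
    "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
    "arn:aws:lambda:us-east-1:123456789012:function:orders:prod/invocations",
]

if __name__ == "__main__":
    for f in audit_aliases(SAMPLE_ALIASES) + audit_integration_uris(SAMPLE_URIS):
        print(f)
    print("versions no alias references:", unreferenced_versions(SAMPLE_VERSIONS, SAMPLE_ALIASES))
```

A version that no alias references is not malicious by itself (old deployments accumulate), but combined with a weighted alias or a version-pinned integration it is exactly the layout the steps above produce, so those combinations are worth reviewing first.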

Cron/Event actuator

Because Lambda functions can be executed when something happens or after a given amount of time, Lambda is a common and effective way to obtain persistence and avoid detection.
Here are some ideas for making your presence in AWS stealthier by creating Lambdas:

  • Every time a new user is created, a Lambda generates a new access key for that user and sends it to the attacker.
  • Every time a new role is created, a Lambda grants assume-role permissions to compromised users.
  • Every time new CloudTrail logs are generated, a Lambda deletes or alters them.
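Each of those triggers has to be wired through EventBridge (or an S3 notification on the trail bucket) with a Lambda as target, which is auditable. The script below is an added example, not HackTricks' code: it takes rules in the shape of `aws events describe-rule` (where `EventPattern` is a JSON string) and targets in the shape of `aws events list-targets-by-rule`, and reports Lambda targets hooked to sensitive IAM/CloudTrail API calls or to object-created events on the bucket CloudTrail writes to. The rule names, bucket name and ARNs are constructed; the list of sensitive calls is a starting point, not a complete one.

```python
"""Find EventBridge rules that fire a Lambda on sensitive IAM / CloudTrail activity.

Added example (not HackTricks' code). Inputs mirror `aws events describe-rule`
(EventPattern is a JSON string) and `aws events list-targets-by-rule`; the
sample rules, bucket name and ARNs below are constructed.
"""
import json
from itertools import product

# (eventSource, eventName) pairs a persistence trigger would typically hook
SENSITIVE_API_CALLS = {
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateRole"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "AttachRolePolicy"),
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
}


def _as_list(value):
    """EventBridge patterns use lists, but tolerate a bare value."""
    return value if isinstance(value, list) else [value]


def audit_rules(rules, targets_by_rule, trail_buckets):
    """Return one finding per (rule, Lambda target) that hooks a sensitive event.

    trail_buckets: names of the S3 buckets CloudTrail delivers to, so that
    'new object in the trail bucket -> Lambda' triggers are reported as well.
    """
    findings = []
    for rule in rules:
        pattern = json.loads(rule.get("EventPattern") or "{}")
        detail = pattern.get("detail", {})
        reasons = []

        # CloudTrail-sourced API call events: detail.eventSource / detail.eventName
        sources = _as_list(detail.get("eventSource", []))
        names = _as_list(detail.get("eventName", []))
        for src, name in product(sources, names):
            if (src, name) in SENSITIVE_API_CALLS:
                reasons.append(f"hooks {src} {name}")

        # S3 EventBridge notifications: source aws.s3, detail.bucket.name
        if "aws.s3" in _as_list(pattern.get("source", [])):
            for bucket in _as_list(detail.get("bucket", {}).get("name", [])):
                if bucket in trail_buckets:
                    reasons.append(f"hooks object events on CloudTrail bucket {bucket}")

        if not reasons:
            continue
        for target in targets_by_rule.get(rule["Name"], []):
            if target["Arn"].startswith("arn:aws:lambda:"):
                findings.append({"rule": rule["Name"], "state": rule.get("State"),
                                 "lambda": target["Arn"], "reasons": reasons})
    return findings


# Constructed sample data (fake names, bucket and account id)
SAMPLE_RULES = [
    {"Name": "ec2-state", "State": "ENABLED", "EventPattern": json.dumps(
        {"source": ["aws.ec2"], "detail-type": ["EC2 Instance State-change Notification"]})},
    {"Name": "user-hook", "State": "ENABLED", "EventPattern": json.dumps(
        {"source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"],
         "detail": {"eventSource": ["iam.amazonaws.com"],
                    "eventName": ["CreateUser", "CreateRole"]}})},
    {"Name": "trail-hook", "State": "ENABLED", "EventPattern": json.dumps(
        {"source": ["aws.s3"], "detail-type": ["Object Created"],
         "detail": {"bucket": {"name": ["org-cloudtrail-logs"]}}})},
]
SAMPLE_TARGETS = {
    "ec2-state": [{"Id": "1", "Arn": "arn:aws:lambda:us-east-1:123456789012:function:tagger"}],
    "user-hook": [{"Id": "1", "Arn": "arn:aws:lambda:us-east-1:123456789012:function:sync"}],
    "trail-hook": [{"Id": "1", "Arn": "arn:aws:lambda:us-east-1:123456789012:function:cleanup"}],
}

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, SAMPLE_TARGETS, {"org-cloudtrail-logs"}):
        print(f)
```

A flagged rule still needs the target function's code reviewed; the value of the check is that it narrows a large rule inventory down to the handful of Lambdas that react to identity or logging changes.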

RCE abusing AWS_LAMBDA_EXEC_WRAPPER + Lambda Layers

Abuse the environment variable AWS_LAMBDA_EXEC_WRAPPER to execute an attacker-controlled wrapper script before the runtime/handler starts. Deliver the wrapper via a Lambda Layer at /opt/bin/htwrap, set AWS_LAMBDA_EXEC_WRAPPER=/opt/bin/htwrap, and then invoke the function. The wrapper runs inside the function runtime process, inherits the function execution role, and finally execs the real runtime so the original handler still executes normally.

AWS - Lambda Exec Wrapper Persistence

AWS - Lambda Function URL Public Exposure

Abuse Lambda asynchronous destinations together with the Recursion configuration to make a function continually re-invoke itself with no external scheduler (no EventBridge, cron, etc.). By default, Lambda terminates recursive loops, but setting the recursion config to Allow re-enables them. Destinations deliver on the service side for async invokes, so a single seed invoke creates a stealthy, code-free heartbeat/backdoor channel. Optionally throttle with reserved concurrency to keep noise low.

AWS - Lambda Async Self Loop Persistence

AWS - Lambda Alias-Scoped Resource Policy Backdoor

Create a hidden Lambda version with attacker logic and scope a resource-based policy to that specific version (or alias) using the --qualifier parameter in lambda add-permission. Grant only lambda:InvokeFunction on arn:aws:lambda:REGION:ACCT:function:FN:VERSION to an attacker principal. Normal invocations via the function name or primary alias remain unaffected, while the attacker can directly invoke the backdoored version ARN.

This is stealthier than exposing a Function URL and doesn’t change the primary traffic alias.

AWS - Lambda Alias Version Policy Backdoor
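The exec-wrapper, self-loop and alias-scoped-policy techniques above all change per-function configuration that the API returns verbatim. The audit below is an added example, not HackTricks' code: it takes the JSON of `aws lambda get-function-configuration`, `get-function-recursion-config`, `get-function-event-invoke-config` and `get-policy` for one function and reports an `AWS_LAMBDA_EXEC_WRAPPER` variable, layers owned by another account, a recursion config of `Allow` whose destination is the function itself, and policy statements that grant an external principal access to a version- or alias-qualified ARN. Account ids, layer and function names in the sample are constructed.

```python
"""Audit one Lambda function for exec-wrapper, foreign-layer, self-loop and
version-scoped invoke permissions.

Added example (not HackTricks' code). Inputs mirror the JSON returned by
`aws lambda get-function-configuration`, `get-function-recursion-config`,
`get-function-event-invoke-config` and `get-policy`; the sample values are
constructed (fake account ids, layer and function names).
"""
import json


def _account_of(arn):
    """Account id field of an ARN (empty string for service-owned ARNs)."""
    return arn.split(":")[4]


def _same_function(a, b):
    """Compare two Lambda ARNs ignoring any trailing version/alias qualifier."""
    return a.split(":")[:7] == b.split(":")[:7]


def _listify(value):
    return value if isinstance(value, list) else [value]


def audit_function(config, recursion, invoke_config, policy_json):
    fn_arn = config["FunctionArn"]
    account = _account_of(fn_arn)
    findings = []

    # 1. wrapper script executed before the runtime starts
    env = (config.get("Environment") or {}).get("Variables", {})
    if "AWS_LAMBDA_EXEC_WRAPPER" in env:
        findings.append({"check": "exec_wrapper", "value": env["AWS_LAMBDA_EXEC_WRAPPER"]})

    # 2. layers that do not belong to the function's own account
    for layer in config.get("Layers", []):
        if _account_of(layer["Arn"]) != account:
            findings.append({"check": "foreign_layer", "value": layer["Arn"]})

    # 3. recursion allowed and an async destination pointing back at this function
    if recursion.get("RecursiveLoop") == "Allow":
        dests = (invoke_config or {}).get("DestinationConfig", {})
        for key in ("OnSuccess", "OnFailure"):
            dest = dests.get(key, {}).get("Destination", "")
            if dest and _same_function(dest, fn_arn):
                findings.append({"check": "self_loop", "value": f"{key} -> {dest}"})

    # 4. resource policy statements scoped to a version/alias for an outside principal
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        aws_principals = _listify(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for res in _listify(st["Resource"]):
            qualified = len(res.split(":")) > 7          # ...:function:NAME:QUALIFIER
            for p in aws_principals:
                external = p == "*" or (p.startswith("arn:") and _account_of(p) != account)
                if qualified and external:
                    findings.append({"check": "qualified_external_invoke", "value": f"{p} on {res}"})
    return findings


# Constructed sample: one function showing all four conditions
FUNCTION_CONFIG = {
    "FunctionName": "orders",
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:orders",
    "Environment": {"Variables": {"AWS_LAMBDA_EXEC_WRAPPER": "/opt/bin/htwrap", "TABLE": "orders"}},
    "Layers": [{"Arn": "arn:aws:lambda:us-east-1:123456789012:layer:utils:3"},
               {"Arn": "arn:aws:lambda:us-east-1:999988887777:layer:htwrap:1"}],
}
RECURSION_CONFIG = {"RecursiveLoop": "Allow"}
INVOKE_CONFIG = {"DestinationConfig": {"OnSuccess": {
    "Destination": "arn:aws:lambda:us-east-1:123456789012:function:orders"}}}
POLICY_JSON = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "apigw", "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders"},
    {"Sid": "v1", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders:1"},
]})

if __name__ == "__main__":
    for f in audit_function(FUNCTION_CONFIG, RECURSION_CONFIG, INVOKE_CONFIG, POLICY_JSON):
        print(f)
```

The policy check deliberately ignores the unqualified `apigw` statement: a service principal on the plain function ARN is the normal shape, whereas an AWS principal from another account on a `:1` resource is the pattern described above.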

Freezing AWS Lambda Runtimes

An attacker with the lambda:InvokeFunction, logs:FilterLogEvents, lambda:PutRuntimeManagementConfig and lambda:GetRuntimeManagementConfig permissions can modify a function's runtime management configuration. This attack is particularly effective when the goal is to keep a Lambda function on a vulnerable runtime version, or to preserve compatibility with malicious layers that might not work on newer runtimes.

The attacker changes the runtime management configuration to pin the runtime version:

```bash
# Invoke the function to generate runtime logs
# (AWS CLI v2 needs --cli-binary-format raw-in-base64-out when --payload is raw JSON)
aws lambda invoke \
--function-name $TARGET_FN \
--payload '{}' \
--region us-east-1 /tmp/ping.json

sleep 5

# Freeze automatic runtime updates: the runtime only changes on a function update
aws lambda put-runtime-management-config \
--function-name $TARGET_FN \
--update-runtime-on FunctionUpdate \
--region us-east-1
```

Verify the applied configuration:

```bash
aws lambda get-runtime-management-config \
--function-name $TARGET_FN \
--region us-east-1
```

Optional: lock the function to a specific runtime version

```bash
# Extract the Runtime Version ARN from the INIT_START log line
RUNTIME_ARN=$(aws logs filter-log-events \
--log-group-name /aws/lambda/$TARGET_FN \
--filter-pattern "INIT_START" \
--query 'events[0].message' \
--output text | grep -o 'Runtime Version ARN: [^,]*' | cut -d' ' -f4)
```

Pin a specific runtime version:

```bash
aws lambda put-runtime-management-config \
--function-name $TARGET_FN \
--update-runtime-on Manual \
--runtime-version-arn $RUNTIME_ARN \
--region us-east-1
```
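From the defender's side, `get-runtime-management-config` exposes the same fields the attacker set, so a fleet-wide sweep is straightforward. The script below is an added example, not HackTricks' code: `classify_runtime_config` ranks the `UpdateRuntimeOn` mode of a function (`Auto` is the default), `runtime_arn_from_init_log` extracts the Runtime Version ARN from an INIT_START CloudWatch line the same way the grep/cut pipeline above does, and `pinned_behind_latest` compares a pinned ARN against the ARN an `Auto`-managed function on the same runtime currently reports. The log line, ARNs and hex suffixes are constructed.

```python
"""Detect frozen/pinned Lambda runtime management and stale pinned runtimes.

Added example (not HackTricks' code). `classify_runtime_config` consumes the JSON
of `aws lambda get-runtime-management-config`; `runtime_arn_from_init_log` parses
an INIT_START CloudWatch line. Sample log line and ARNs below are constructed.
"""
import re

# Same field the page's grep -o 'Runtime Version ARN: [^,]*' | cut -d' ' -f4 extracts
INIT_ARN_RE = re.compile(r"Runtime Version ARN: (?P<arn>[^,\s]+)")


def runtime_arn_from_init_log(message):
    """Return the Runtime Version ARN from an INIT_START log message, or None."""
    m = INIT_ARN_RE.search(message)
    return m.group("arn") if m else None


def classify_runtime_config(cfg):
    """Map UpdateRuntimeOn to a review priority.

    Auto           -> default; runtime patches are applied automatically.
    FunctionUpdate -> runtime only moves when code/config changes, so a function
                      nobody redeploys quietly stays on an old runtime.
    Manual         -> pinned to RuntimeVersionArn; no patches until changed.
    """
    mode = cfg.get("UpdateRuntimeOn", "Auto")
    if mode == "Auto":
        return "ok"
    if mode == "FunctionUpdate":
        return "review"
    if mode == "Manual":
        return "alert" if cfg.get("RuntimeVersionArn") else "review"
    return "unknown"


def pinned_behind_latest(cfg, reference_arn):
    """True when the function is pinned to a runtime ARN that differs from the one an
    Auto-managed function on the same runtime currently reports (reference_arn)."""
    pinned = cfg.get("RuntimeVersionArn")
    return bool(pinned) and pinned != reference_arn


def sweep(configs, reference_arns):
    """Classify many functions at once.

    configs: list of get-runtime-management-config results, each with FunctionArn.
    reference_arns: {runtime identifier -> current Auto runtime ARN}; a missing
    reference just skips the staleness comparison.
    """
    report = []
    for cfg in configs:
        status = classify_runtime_config(cfg)
        ref = reference_arns.get(cfg.get("Runtime", ""))
        stale = pinned_behind_latest(cfg, ref) if ref else None
        report.append({"function": cfg["FunctionArn"], "status": status, "stale_pin": stale})
    return report


# Constructed sample data (fake ARNs and hex suffixes)
SAMPLE_INIT_LOG = ("INIT_START Runtime Version: python:3.12.v30\t"
                   "Runtime Version ARN: arn:aws:lambda:us-east-1::runtime:0123456789abcdef")
SAMPLE_CONFIGS = [
    {"FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:healthy",
     "Runtime": "python3.12", "UpdateRuntimeOn": "Auto"},
    {"FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:orders",
     "Runtime": "python3.12", "UpdateRuntimeOn": "Manual",
     "RuntimeVersionArn": "arn:aws:lambda:us-east-1::runtime:feedfacefeedface"},
]

if __name__ == "__main__":
    current = runtime_arn_from_init_log(SAMPLE_INIT_LOG)
    for row in sweep(SAMPLE_CONFIGS, {"python3.12": current}):
        print(row)
```

Treat any `Manual` pin as a change that needs an owner and a ticket: legitimate pins exist (a broken runtime update is the documented reason for the setting), but they should be rare, documented and temporary rather than discovered during an incident.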
