Techniques
Sample rules
AWS Lambda Layer Added to Existing Function
- source: elastic
- technicques:
- T1648
Description
Identifies when an Lambda Layer is added to an existing Lambda function. AWS layers are a way to share code and data across multiple functions. By adding a layer to an existing function, an attacker can persist or execute code in the context of the function.
Detection logic
event.dataset: aws.cloudtrail
and event.provider: lambda.amazonaws.com
and event.outcome: success
and event.action: (PublishLayerVersion* or UpdateFunctionConfiguration)