AWS Lambda and API Gateway Persistence
If the user has sufficient rights on the lambda function, it's possible to download the source code, add a backdoor to it and upload it again. Every time the lambda executes, the malicious code will also execute.
Always try to update the code of layers (dependencies) instead of the actual lambda code; this way our backdoor will be difficult to detect.
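For defenders, the layer point above matters because CodeSha256 covers the function's own deployment package, not its layers, so a check on that hash alone misses a swapped layer version. The following is an added example, not part of the original page: a drift check over `aws lambda list-functions` output that compares each function's CodeSha256 and attached layer version ARNs against a reviewed baseline. The account id, function names, layer name and hash values in the sample JSON are constructed.

```python
import json

def snapshot(list_functions_output):
    """Map function name -> (CodeSha256, sorted layer version ARNs)."""
    snap = {}
    for fn in list_functions_output.get("Functions", []):
        layers = sorted(l["Arn"] for l in fn.get("Layers", []))
        snap[fn["FunctionName"]] = (fn.get("CodeSha256"), layers)
    return snap

def drift(baseline, current):
    """Return (function, finding) pairs for every difference from the baseline."""
    findings = []
    for name, (sha, layers) in sorted(current.items()):
        if name not in baseline:
            findings.append((name, "function not in baseline"))
            continue
        base_sha, base_layers = baseline[name]
        if sha != base_sha:
            findings.append((name, "CodeSha256 changed"))
        for arn in layers:
            if arn not in base_layers:
                findings.append((name, "unreviewed layer version " + arn))
        for arn in base_layers:
            if arn not in layers:
                findings.append((name, "layer version removed " + arn))
    for name in sorted(set(baseline) - set(current)):
        findings.append((name, "function missing"))
    return findings

# Constructed sample data; account id, names and hashes are placeholders.
LAYER = "arn:aws:lambda:us-east-2:111122223333:layer:deps:"
BASELINE_JSON = json.dumps({"Functions": [
    {"FunctionName": "orders", "CodeSha256": "AAAA", "Layers": [{"Arn": LAYER + "3"}]},
    {"FunctionName": "billing", "CodeSha256": "BBBB"},
]})
CURRENT_JSON = json.dumps({"Functions": [
    # Function package untouched, but it now points at a new layer version.
    {"FunctionName": "orders", "CodeSha256": "AAAA", "Layers": [{"Arn": LAYER + "4"}]},
    {"FunctionName": "billing", "CodeSha256": "CCCC"},
]})

def run_example():
    """Diff the two constructed snapshots."""
    return drift(snapshot(json.loads(BASELINE_JSON)), snapshot(json.loads(CURRENT_JSON)))

if __name__ == "__main__":
    for name, finding in run_example():
        print(f"{name}: {finding}")
```

In practice the baseline would be a saved `aws lambda list-functions --region REGION` result taken after a reviewed deployment, and the current snapshot a fresh run of the same command.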
1) Checking which user is executing
aws sts get-caller-identity
2) Checking all managed policies attached to the user
aws iam list-attached-user-policies --user-name USER_NAME
3) Checking information about a specific policy
aws iam get-policy-version --policy-arn ARN --version-id ID
4) Listing all lambda functions
aws lambda list-functions --region REGION
5) Listing information about the specified lambda
aws lambda get-function --function-name NAME
Download and analyze the code, then:
aws lambda get-policy --function-name NAME --profile PROFILE --region REGION
We can grab information such as the id, who can invoke the function and other details with this command (this helps to build the query that executes the lambda function).
6) Listing Rest APIs
7) Listing information about a specific API
8) Listing information about endpoints
9) Listing information about a specific endpoint
10) Listing method information for the endpoint (Test various methods to see if the API supports it)
11) List all versions of a rest API
12) Getting information about a specific version
13) Uploading the backdoor code to aws lambda function
14) Invoke the function
Where:
1. API-ID -> uj3948ie
2. Region -> us-east-2
3. Resource (Endpoint) -> EXAMPLE
4. Method -> Get
5. Stage (Version) -> default
6. API-Key -> None
All these details are gathered during enumeration