Synopsis
| Attribute | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 7 Days |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | Credential Access (TA0006) |
| ATT&CK Technique | |
| Severity | Informational |
Description
An AWS Lambda function's token was used from outside the cloud environment.
Attacker's Goals
Exfiltrate the token and abuse it remotely.
Investigative actions
- Check whether the role is attached to the Lambda function.
- Check whether the IAM role was assumed by a different identity.
- Check which API calls were executed with the access key.
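The three investigative actions above, sketched as an added example over CloudTrail-style records (this is not the vendor's detector logic). The account ID, role, access key, IP addresses and the `CLOUD_NETWORKS` range are constructed sample values, and `event`, `is_external` and `triage` are hypothetical helper names.

```python
import ipaddress

# Constructed sample data: stand-in cloud address range, role ARN and key ID.
CLOUD_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
ROLE = "arn:aws:iam::111122223333:role/example-fn-role"
KEY = "ASIAEXAMPLEKEY000001"

def event(name, source, ip, identity, role=None, issued_key=None):
    return {"eventName": name, "eventSource": source, "sourceIPAddress": ip,
            "userIdentity": identity, "requestParameters": {"roleArn": role},
            "responseElements": {"credentials": {"accessKeyId": issued_key}}}

SAMPLE_EVENTS = [
    event("AssumeRole", "sts.amazonaws.com", "lambda.amazonaws.com",
          {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"}, ROLE, KEY),
    event("PutItem", "dynamodb.amazonaws.com", "198.51.100.20",
          {"type": "AssumedRole", "accessKeyId": KEY}),
    event("ListBuckets", "s3.amazonaws.com", "203.0.113.7",
          {"type": "AssumedRole", "accessKeyId": KEY}),
    event("AssumeRole", "sts.amazonaws.com", "203.0.113.9",
          {"type": "IAMUser",
           "arn": "arn:aws:iam::111122223333:user/example-user"}, ROLE),
]

def is_external(source_ip):
    """True when source_ip is an IP literal outside CLOUD_NETWORKS."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:  # service principal such as "lambda.amazonaws.com"
        return False
    return not any(addr in net for net in CLOUD_NETWORKS)

def triage(events):
    """Per Lambda-issued access key: role, other role assumers, external calls."""
    keys, assumers = {}, {}
    for ev in events:
        if ev["eventName"] != "AssumeRole":
            continue
        ident, role = ev["userIdentity"], ev["requestParameters"]["roleArn"]
        if ident.get("invokedBy") == "lambda.amazonaws.com":
            issued = ev["responseElements"]["credentials"]["accessKeyId"]
            keys[issued] = {"role": role, "external_calls": []}
        else:  # the same role assumed by something other than Lambda
            assumers.setdefault(role, set()).add(ident.get("arn", "unknown"))
    for ev in events:
        finding = keys.get(ev["userIdentity"].get("accessKeyId"))
        if finding and is_external(ev["sourceIPAddress"]):
            finding["external_calls"].append((ev["sourceIPAddress"], ev["eventName"]))
    for finding in keys.values():
        finding["other_assumers"] = sorted(assumers.get(finding["role"], ()))
    return keys
```

In practice `CLOUD_NETWORKS` would be loaded from the provider's published address ranges plus the organization's own egress addresses.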
Variations
Remote command line usage of AWS Lambda's token
Synopsis
Description
An AWS Lambda function's token was used from outside the cloud environment.
Attacker's Goals
Exfiltrate the token and abuse it remotely.
Investigative actions
- Check whether the role is attached to the Lambda function.
- Check whether the IAM role was assumed by a different identity.
- Check which API calls were executed with the access key.
Suspicious usage of AWS Lambda's role
Synopsis
Description
An AWS Lambda function's token was used from outside the cloud environment.
Attacker's Goals
Exfiltrate the token and abuse it remotely.
Investigative actions
- Check whether the role is attached to the Lambda function.
- Check whether the IAM role was assumed by a different identity.
- Check which API calls were executed with the access key.
Suspicious usage of AWS Lambda's role
Synopsis
Description
An AWS Lambda function's token was used from outside the cloud environment.
Attacker's Goals
Exfiltrate the token and abuse it remotely.
Investigative actions
- Check whether the role is attached to the Lambda function.
- Check whether the IAM role was assumed by a different identity.
- Check which API calls were executed with the access key.
Suspicious usage of AWS Lambda's token
Synopsis
Description
An AWS Lambda function's token was used from outside the cloud environment.
Attacker's Goals
Exfiltrate the token and abuse it remotely.
Investigative actions
- Check whether the role is attached to the Lambda function.
- Check whether the IAM role was assumed by a different identity.
- Check which API calls were executed with the access key.
Usage of AWS Lambda's token from known ASN
Synopsis
Description
An AWS Lambda function's token was used from outside the cloud environment.
Attacker's Goals
Exfiltrate the token and abuse it remotely.
Investigative actions
- Check whether the role is attached to the Lambda function.
- Check whether the IAM role was assumed by a different identity.
- Check which API calls were executed with the access key.