Too Long; Didn't Read
In the latest installment of the Cloud Threat Hunting: Attack and Investigation Series, we present the most involved attack flow yet, breaking down every step a threat actor took to successfully exfiltrate data from an AWS account. The attack began with a compromised pair of AWS access keys. Using those keys, the actor learns that a Lambda function's name is identical to one in the victim's account. Once they assume the role and move laterally, they are able to execute those same commands. Modifying the function's code to make it malicious, or retrieving its environment variables, could break the function's behavior and alert the victim to the attacker's presence.
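The flow summarized above (long-lived key, AssumeRole, then Lambda reads and code changes under the temporary session) leaves a trail in CloudTrail that can be correlated. The following is an added detection example written for this page, not code from the series or from AWS; the event records are constructed to mimic CloudTrail's shape (CloudTrail appends an API-version suffix such as `20150331v2` to Lambda event names, and an AssumeRole record carries the issued temporary key under `responseElements.credentials.accessKeyId`). The function name `billing-export`, the role name `lambda-admin`, the account ID and the key IDs are all placeholders.

```python
import re
from typing import Dict, List

# Constructed CloudTrail-style records (not real telemetry). Only the fields the
# logic below reads are included; key IDs, names and account numbers are fake.
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000000001",
                      "userName": "dev-user"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/lambda-admin"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000000002"}}},
    {"eventTime": "2024-01-10T09:01:30Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "ListFunctions20150331",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000000002"},
     "requestParameters": None},
    {"eventTime": "2024-01-10T09:02:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "GetFunction20150331v2",   # response includes environment variables
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000000002"},
     "requestParameters": {"functionName": "billing-export"}},
    {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",  # deployed code replaced
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000000002"},
     "requestParameters": {"functionName": "billing-export"}},
]

# Lambda APIs that either expose secrets held in the function or change what it runs.
SENSITIVE_LAMBDA_CALLS = {
    "GetFunction": "reads configuration including environment variables",
    "GetFunctionConfiguration": "reads configuration including environment variables",
    "UpdateFunctionCode": "replaces the deployed code",
    "UpdateFunctionConfiguration": "changes handler, layers or environment variables",
}

_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")


def api_name(event_name: str) -> str:
    """Strip CloudTrail's API-version suffix, e.g. 'GetFunction20150331v2' -> 'GetFunction'."""
    return _VERSION_SUFFIX.sub("", event_name)


def find_lambda_tampering(events: List[Dict]) -> List[Dict]:
    """Correlate AssumeRole sessions with later sensitive Lambda calls.

    Each finding records the Lambda action, the target function, the temporary key
    that made the call and, when the session was minted in the same event window,
    the long-lived key and role that originated it.
    """
    sessions: Dict[str, Dict] = {}  # temporary access key -> originating AssumeRole
    findings: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts lexically
        source, name = ev.get("eventSource"), ev.get("eventName", "")
        if source == "sts.amazonaws.com" and name == "AssumeRole":
            temp_key = (ev.get("responseElements") or {}).get("credentials", {}).get("accessKeyId")
            if temp_key:
                sessions[temp_key] = {
                    "origin_key": ev["userIdentity"].get("accessKeyId"),
                    "origin_user": ev["userIdentity"].get("userName"),
                    "role_arn": (ev.get("requestParameters") or {}).get("roleArn"),
                    "assumed_at": ev["eventTime"],
                }
        elif source == "lambda.amazonaws.com":
            action = api_name(name)
            if action not in SENSITIVE_LAMBDA_CALLS:
                continue
            key = ev["userIdentity"].get("accessKeyId")
            origin = sessions.get(key)
            findings.append({
                "time": ev["eventTime"],
                "action": action,
                "why": SENSITIVE_LAMBDA_CALLS[action],
                "function": (ev.get("requestParameters") or {}).get("functionName"),
                "session_key": key,
                # A long-lived IAM user key (AKIA...) chaining into a role that can
                # touch Lambda is the pattern described in the write-up above.
                "origin_key": origin["origin_key"] if origin else None,
                "role_arn": origin["role_arn"] if origin else None,
                "chained_from_user_key": bool(origin and str(origin["origin_key"]).startswith("AKIA")),
            })
    return findings


if __name__ == "__main__":
    for f in find_lambda_tampering(SAMPLE_EVENTS):
        print(f"{f['time']} {f['action']} on {f['function']} via {f['session_key']} "
              f"(role {f['role_arn']}, from user key {f['origin_key']}): {f['why']}")
```

The benign `ListFunctions` call is deliberately left out of the findings: enumeration alone is noisy, while a read of a function's configuration (which returns its environment variables) followed by a code update from a role session chained off a user key is the sequence worth paging on. In production the same correlation would run over CloudTrail delivered to S3 or CloudWatch Logs rather than an in-memory list.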