Skip to content

PutRule

AWS

PutRule

service: AWS - EventBridge
tactics:
techniques:

Event

Creates an EventBridge rule that triggers on specific events, used for persistent execution of Lambda or other targets.

Security Context

  • EventBridge rules provide event-driven persistence by automatically invoking targets like Lambda functions, Step Functions, or SNS topics whenever matching events occur in the account.
  • Adversaries create rules that trigger on common API calls to maintain execution hooks that are difficult to detect and survive standard incident response actions like credential rotation.

Log Source

CloudTrail

Sample Event

Adversarial. Draco creates an EventBridge rule phoenix-restore-watch that fires every time iam:CreateUser succeeds. Naming it after PHOENIX (backups) is camouflage — defenders glancing at rule names see something that looks operational. The companion PutTargets event (next draft, paired) wires this rule to an attacker-controlled Lambda that re-issues access keys for any newly created user — keeping a foothold across credential rotations. T1546 (event-triggered execution) + T1098 (account manipulation persistence).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:28:11Z",
"eventSource": "events.amazonaws.com",
"eventName": "PutRule",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"name": "phoenix-restore-watch",
"eventPattern": "{\"source\":[\"aws.iam\"],\"detail-type\":[\"AWS API Call via CloudTrail\"],\"detail\":{\"eventSource\":[\"iam.amazonaws.com\"],\"eventName\":[\"CreateUser\"]}}",
"state": "ENABLED",
"description": "Internal restore-watcher (do not modify)",
"eventBusName": "default"
},
"responseElements": {
"ruleArn": "arn:aws:events:us-east-1:555123456789:rule/phoenix-restore-watch"
},
"requestID": "90000000-0000-4000-8000-000110010100",
"eventID": "90000000-0000-4000-8000-000110010101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "events.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1546 — Event Triggered Execution — Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cl...