PutRule
Event
Creates an EventBridge rule that triggers on specific events, used for persistent execution of Lambda or other targets.
Security Context
- EventBridge rules provide event-driven persistence by automatically invoking targets like Lambda functions, Step Functions, or SNS topics whenever matching events occur in the account.
- Adversaries create rules that trigger on common API calls to maintain execution hooks that are difficult to detect and survive standard incident response actions like credential rotation.
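The pattern described above can be triaged directly from CloudTrail. The following is an added example, not part of the original page: it flags successful PutRule calls whose event pattern subscribes to API activity. The record field names (`name`, `eventPattern`, `state`, `scheduleExpression`) are assumed to follow the PutRule request parameters as CloudTrail records them, and the sample records are constructed.

```python
import json

# detail-type values EventBridge assigns to API activity relayed from CloudTrail
API_DETAIL_TYPES = {"AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"}

def triage_put_rule(record):
    """Return a finding dict when a successful PutRule hooks API activity, else None."""
    if (record.get("eventSource"), record.get("eventName")) != ("events.amazonaws.com", "PutRule"):
        return None
    if record.get("errorCode"):          # denied or failed call: no rule was written
        return None
    params = record.get("requestParameters") or {}
    try:
        pattern = json.loads(params.get("eventPattern") or "{}")
    except (TypeError, ValueError):
        pattern = {}
    if not isinstance(pattern, dict):
        return None
    detail_types = [d for d in pattern.get("detail-type", []) if isinstance(d, str)]
    if not API_DETAIL_TYPES.intersection(detail_types):
        return None                      # schedule-only or non-API pattern
    detail = pattern.get("detail") if isinstance(pattern.get("detail"), dict) else {}
    return {
        "rule": params.get("name"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "state": params.get("state", "ENABLED"),   # PutRule enables the rule by default
        "hooked_calls": [str(n) for n in detail.get("eventName", [])] or ["<any>"],
    }

SAMPLE_RECORDS = [  # constructed for this example, not captured events
    {"eventSource": "events.amazonaws.com", "eventName": "PutRule",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"name": "example-api-hook", "state": "ENABLED",
        "eventPattern": json.dumps({"source": ["aws.iam"],
            "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventName": ["CreateAccessKey", "UpdateLoginProfile"]}})}},
    {"eventSource": "events.amazonaws.com", "eventName": "PutRule",
     "requestParameters": {"name": "example-nightly-job", "scheduleExpression": "rate(1 day)"}},
    {"eventSource": "events.amazonaws.com", "eventName": "PutRule", "errorCode": "AccessDenied",
     "requestParameters": {"name": "example-denied"}},
]

def findings(records):
    """Run the triage over a batch of records and keep only the hits."""
    return [f for f in map(triage_put_rule, records) if f]

if __name__ == "__main__":
    for f in findings(SAMPLE_RECORDS):
        print(f)
```

A PutRule record carries no target, so a hit is worth correlating with the PutTargets call for the same rule name to see what the rule invokes.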
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1546 — Event Triggered Execution — Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.