PutTargets
Event
Attaches execution targets to an EventBridge rule, connecting event triggers to attacker-controlled compute.
Security Context
- Adding targets to an EventBridge rule completes the persistence chain by connecting event patterns to execution endpoints such as Lambda functions, ECS tasks, or cross-account event buses.
- This event is often paired with PutRule — an adversary creates a rule to match specific events and then attaches a target that executes their payload whenever the rule triggers.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1546 — Event Triggered Execution — Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.