StartBuild
Event
Starts a CodeBuild build, executing arbitrary code with the build project’s IAM role credentials.
Security Context
- CodeBuild executes buildspec commands with the full permissions of the build project’s IAM role, allowing an attacker to run arbitrary code with potentially elevated privileges in an isolated compute environment.
- Adversaries abuse CodeBuild to execute commands, exfiltrate credentials from the build environment, or pivot to other services using the build role’s permissions without leaving traces on production instances.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Execution
Techniques:
- T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
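One way to act on the CloudTrail record for this event, as an added example that is not part of the original page: flag StartBuild calls made by principals outside the set expected for each build project, including denied attempts. The allowlist, the function name and the sample records are assumptions constructed for illustration.

```python
# Constructed CloudTrail records; account IDs, ARNs, project names and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "codebuild.amazonaws.com", "eventName": "StartBuild",
     "eventTime": "2024-01-01T10:00:00Z", "sourceIPAddress": "codepipeline.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-pipeline/run"},
     "requestParameters": {"projectName": "web-app-build"}},
    {"eventSource": "codebuild.amazonaws.com", "eventName": "StartBuild",
     "eventTime": "2024-01-01T10:05:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"projectName": "web-app-build"}},
    {"eventSource": "codebuild.amazonaws.com", "eventName": "StartBuild",
     "eventTime": "2024-01-01T10:06:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "errorCode": "AccessDenied", "requestParameters": None},
    {"eventSource": "codebuild.amazonaws.com", "eventName": "BatchGetBuilds",
     "eventTime": "2024-01-01T10:07:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"ids": ["web-app-build:constructed-id"]}},
]

# Assumed allowlist: the principals expected to start builds, keyed by project name.
EXPECTED_STARTERS = {
    "web-app-build": {"arn:aws:sts::111122223333:assumed-role/ci-pipeline/run"},
}

def find_unexpected_startbuild(records, expected):
    """Return StartBuild calls whose caller is not expected for the target project."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "codebuild.amazonaws.com":
            continue
        if rec.get("eventName") != "StartBuild":
            continue
        # requestParameters can be null on failed calls, so default defensively.
        principal = (rec.get("userIdentity") or {}).get("arn", "unknown")
        project = (rec.get("requestParameters") or {}).get("projectName", "unknown")
        if principal in expected.get(project, set()):
            continue
        findings.append({"time": rec.get("eventTime"), "principal": principal,
                         "project": project, "source_ip": rec.get("sourceIPAddress"),
                         "outcome": rec.get("errorCode", "success")})
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_startbuild(SAMPLE_EVENTS, EXPECTED_STARTERS):
        print(finding)
```

Denied attempts are kept in the findings because a principal probing for permission to start builds is worth reviewing even when no build ran.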