Skip to content

UpdateFunctionCode20150331v2

AWS

UpdateFunctionCode20150331v2

service: AWS - Lambda
techniques:

Event

Updates the code of an existing Lambda function with a new deployment package or container image URI.

Security Context

  • Serverless function invocation can be abused to execute arbitrary code within the cloud environment without provisioning persistent infrastructure.

Log Source

CloudTrail

Sample Event

Adversarial. Draco overwrites the code of occamy-log-processor (an existing legitimate Lambda) with a malicious zip that exfils any incoming events to 203.0.113.77 and still calls the legitimate handler so detection stays quiet. He uploads via S3 (fantasticlogs-niffler-archivestaging/lambda-deploys/occamy-log-processor.zip) — the bucket already has S3 events flowing, so the upload itself is camouflaged. T1059 + T1546.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T21:42:19Z",
"eventSource": "lambda.amazonaws.com",
"eventName": "UpdateFunctionCode20150331v2",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"functionName": "occamy-log-processor",
"s3Bucket": "fantasticlogs-niffler-archive",
"s3Key": "staging/lambda-deploys/occamy-log-processor.zip",
"publish": false
},
"responseElements": {
"functionName": "occamy-log-processor",
"functionArn": "arn:aws:lambda:us-east-1:555123456789:function:occamy-log-processor",
"runtime": "python3.11",
"role": "arn:aws:iam::555123456789:role/OccamyPipelineRole",
"handler": "handler.lambda_handler",
"codeSize": 4827193,
"description": "OCCAMY ingest log processor",
"timeout": 60,
"memorySize": 512,
"lastModified": "2026-04-15T21:42:19.512+0000",
"codeSha256": "DracoBackd00rH4sh0000000000000000000000000=",
"version": "$LATEST",
"tracingConfig": {"mode": "PassThrough"},
"revisionId": "90000000-0000-4000-8000-0001f0e0d0c0",
"state": "Active",
"lastUpdateStatus": "InProgress"
},
"requestID": "90000000-0000-4000-8000-000111001010",
"eventID": "90000000-0000-4000-8000-000111001011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "lambda.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence Execution

Techniques:
  • T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface a...
  • T1546 — Event Triggered Execution — Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cl...