196. Hunting for AWS Lambda URLs Abuse
Hello everyone!
Adversaries always experiment with C2 channels to evade defenses. And, as you know, they often abuse legitimate services. Let's look at another interesting example.
Unit42 has published a report on activity cluster CL-STA-1020. The adversary leveraged a quite common technique, DLL sideloading, to deploy the HazyBeacon backdoor. But at the same time, the threat actors chose a very interesting C2 channel - AWS Lambda URLs.
Of course, these URLs may be a part of absolutely legitimate activity, but we can still hunt for suspicious processes communicating with them, excluding known good, of course. For example:
dns_rname.keyword:/.*lambda-url.*/
AND NOT
proc_file_path: ("svchost.exe" OR "networkservice.exe" OR "msmpeng.exe")
The exclusion list may differ - it depends on your infrastructure!
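The same hunt expressed as a small script, as an added example that is not part of the original post: it runs the query's logic (Lambda URL lookups minus a known-good process list) over constructed DNS-lookup events with the post's field names, and narrows the match to the documented Lambda function URL hostname shape, <url-id>.lambda-url.<region>.on.aws, so a hostname merely containing "lambda-url" is not a hit.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Lambda function URL hosts look like <url-id>.lambda-url.<region>.on.aws
LAMBDA_URL_RE = re.compile(r"(^|\.)lambda-url\.[a-z0-9-]+\.on\.aws$", re.IGNORECASE)

# Known-good process names from the post's query; extend for your environment.
KNOWN_GOOD = {"svchost.exe", "networkservice.exe", "msmpeng.exe"}

# Constructed sample telemetry (not real data): one DNS-lookup event per dict.
SAMPLE_EVENTS = [
    {"dns_rname": "abc123.lambda-url.us-east-1.on.aws", "proc_file_path": r"C:\Windows\System32\svchost.exe"},
    {"dns_rname": "xyz789.lambda-url.eu-west-1.on.aws", "proc_file_path": r"C:\Users\Public\update.exe"},
    {"dns_rname": "xyz789.lambda-url.eu-west-1.on.aws", "proc_file_path": r"C:\Users\Public\update.exe"},
    {"dns_rname": "www.example.com", "proc_file_path": r"C:\Users\Public\update.exe"},
    {"dns_rname": "lambda-url.example.net", "proc_file_path": r"C:\Temp\a.exe"},  # substring only, not a Lambda URL
    {"dns_rname": "def456.lambda-url.ap-southeast-1.on.aws", "proc_file_path": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
]

def is_lambda_url_host(hostname):
    """True if the queried name is a Lambda function URL hostname (trailing dot tolerated)."""
    return bool(LAMBDA_URL_RE.search(hostname.strip().rstrip(".")))

def process_name(path):
    """Basename of the process image, lower-cased so the exclusion list is case-insensitive."""
    return PureWindowsPath(path).name.lower()

def hunt(events, known_good=KNOWN_GOOD):
    """Return {process_path: Counter({hostname: lookups})} for non-excluded processes
    that resolved Lambda URL hosts; this is what an analyst would review."""
    hits = {}
    for ev in events:
        host = ev.get("dns_rname", "")
        proc = ev.get("proc_file_path", "")
        if not is_lambda_url_host(host) or process_name(proc) in known_good:
            continue
        hits.setdefault(proc, Counter())[host.lower()] += 1
    return hits

if __name__ == "__main__":
    for proc, hosts in hunt(SAMPLE_EVENTS).items():
        for host, n in hosts.items():
            print(f"{proc}\t{host}\t{n}")
```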
See you tomorrow!