Lambda Forensics & Incident Response

--

Welcome to the next episode of our Cloud Forensics training — this time on responding to compromises in AWS Lambda:

What logging is there of Lambda functions?

https://docs.aws.amazon.com/lambda/latest/operatorguide/parse-logs.html

Lambda Malware

Denonia Lambda Malware

  • Named “python”
  • DNS over HTTPS
  • Custom Monero server 116.203.4.0:3333
  • Runs XMRig from memory
  • Writes config to hidden file at /tmp/.config.json

https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
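
A check for the network and file indicators on the Denonia slide, as an added example that is not part of the original training material. It assumes the function is attached to a VPC with flow logs in the default version 2 format (functions outside a VPC produce no flow logs in your account) and that a listing of the function's /tmp has been collected; the account id, ENIs, private addresses and file names other than /tmp/.config.json are constructed.

```python
import posixpath

# IoCs as listed on the Denonia slide above.
POOL_IP, POOL_PORT = "116.203.4.0", "3333"
CONFIG_PATH = "/tmp/.config.json"

# Default (version 2) VPC Flow Log record layout.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_record(line):
    """Return a dict for a usable v2 record, or None for malformed/NODATA/SKIPDATA."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None

def pool_connections(lines):
    """TCP flows towards the mining server; a REJECT still proves an attempt."""
    hits = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec and rec["protocol"] == "6" and \
           (rec["dstaddr"], rec["dstport"]) == (POOL_IP, POOL_PORT):
            hits.append((rec["interface_id"], rec["srcaddr"], rec["action"]))
    return hits

def suspicious_tmp_files(paths):
    """Hidden files directly under /tmp, with the known config path first."""
    hidden = [p for p in paths
              if posixpath.dirname(p) == "/tmp" and posixpath.basename(p).startswith(".")]
    return sorted(hidden, key=lambda p: (p != CONFIG_PATH, p))

# Constructed sample data (account id, ENIs and private addresses are made up).
SAMPLE_FLOWS = [
    "2 123456789012 eni-0aaa1111bbbb2222c 10.0.1.25 10.0.2.8 49152 443 6 12 4200 1650000000 1650000060 ACCEPT OK",
    "2 123456789012 eni-0aaa1111bbbb2222c 10.0.1.25 116.203.4.0 49153 3333 6 30 9100 1650000000 1650000060 ACCEPT OK",
    "2 123456789012 eni-0ddd3333eeee4444f 10.0.3.7 116.203.4.0 49154 3333 6 1 60 1650000060 1650000120 REJECT OK",
    "2 123456789012 eni-0aaa1111bbbb2222c - - - - - - - 1650000120 1650000180 - NODATA",
]
SAMPLE_TMP = ["/tmp/data.csv", "/tmp/.cache", "/tmp/.config.json", "/tmp/sub/.keep"]

if __name__ == "__main__":
    for hit in pool_connections(SAMPLE_FLOWS):
        print("pool connection:", hit)
    print("hidden /tmp files:", suspicious_tmp_files(SAMPLE_TMP))
```

The ENI in each hit is the pivot back to the function: Lambda's VPC network interfaces can be matched to the function's subnets and security groups during scoping.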

How do you acquire a Lambda function in Cado?

How do you analyze Lambda in Cado?

https://www.cadosecurity.com/aws-lambda-incident-response/

Lambda in Cado

https://www.cadosecurity.com/aws-lambda-incident-response/

How do you use Lambda for Incident Response?

https://www.cadosecurity.com/automated-analysis-of-critical-cloud-infrastructure-with-cado-and-aws-lambda/
