/serverless-prey

Serverless Functions for establishing Reverse Shells to Lambda, Azure Functions, and Google Cloud Functions

Primary LanguageHCLMozilla Public License 2.0MPL-2.0

Puma Security Serverless Prey

Serverless Prey is a collection of serverless functions (FaaS), that, once launched to a cloud environment and invoked, establish a TCP reverse shell, enabling the user to introspect the underlying container:

  • Panther: AWS Lambda written in Node.js
  • Cougar: Azure Function written in C#
  • Cheetah: Google Cloud Function written in Go

This repository also contains research performed using these functions, including documentation on where secrets are stored, how to extract sensitive data, and identify monitoring / incident response data points.

Diagram

Disclaimer

Serverless Prey functions are intended for research purposes only and should not be deployed to production accounts. By their nature, they provide shell access to your runtime environment, which can be abused by a malicious actor to exfiltrate sensitive data or gain unauthorized access to related cloud services.

Contributors

Eric Johnson - Principal Security Engineer, Puma Security

Brandon Evans - Certified Instructor, SANS Institute

Learning More

Featured At

RSA Conference 2020 serverlessDays Nashville 2020 SANS@Mic 03/25/2020
Defending Serverless Infrastructure in the Cloud - Eric Johnson Attacking Serverless Servers - Brandon Evans SANS CyberCast - SANS@Mic -Attacking Serverless Servers: Reverse Engineering the AWS, Azure, and GCP Function Runtimes
Video - Slide Deck Video - Slide Deck SANS.org