Captured by Cado

Investigating Serverless and Container Attacks with Cado Community Edition

Captured by Cado is a Capture the Flag (CTF) challenge series designed to educate incident responders on how to investigate attacks on cloud-based systems. This challenge is specifically focused on investigating three attack scenarios in Lambda serverless functions and ECS container systems.

In this webinar,
you’ll learn:

  • How to leverage key features in the Cado Community Edition to speed up investigation and response
  • How bad actors are compromising serverless and container environments
  • How to analyze various evidence captured from Lambda functions and its associated logs and ECS container instances

View On Demand

Want to flex your skills?

See if you can solve the CTF challenge using the Cado Community Edition before the webinar.

Step 1

Install the Cado Community Edition

Step 3

Upload the files to the S3 bucket for your deployment (you can find the identifier in the AWS Console under CloudFormation – Stacks – <stack name> – Outputs – S3Bucket)

Step 5

In each project, click Import – Artifacts from S3, and import the following files into their respective projects

Step 2

Download the files in the GitHub repository

Step 4

Create two projects – named Lambda CTF and ECS CTF
Cado-Captured by Cado Webinar-Project Table@2x

Lambda CTF

Looking in the AWS Console, you discover a Lambda function that nobody knows anything about.

You use the Cado platform to acquire the Lambda function and its associated logs and immediately find that it’s a cryptominer running in Lambda.

Questions to answer

  • What are the three URLs embedded in the script?
  • When was the first time this function was run?


The AWS Console also shows some containers that request way more vCPU resources than your standard containers do.

You use the Cado platform to acquire the container, and again, you find that someone installed a cryptominer.

Questions to answer

  • What users did the attacker create?
  • What command did the attacker run from
  • How did the attacker find out what the external IP address of the system was?
  • BONUS: What might be some additional data you want to collect to understand more?