T1583.007

Serverless

Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, to use during operations. By routing command-and-control (C2) traffic through serverless platforms, adversaries blend malicious communications with legitimate cloud provider traffic. Traffic from infected endpoints appears to target known cloud provider domains (workers.dev, cloudfunctions.net, lambda-url.amazonaws.com), making it difficult to distinguish from ordinary SaaS or cloud API usage. The serverless runtime proxies requests to adversary-owned infrastructure while the cloud provider absorbs attribution complexity. Detection requires identifying beaconing behavior, non-browser processes connecting to serverless endpoints, and anomalous DNS query patterns to serverless platform domains.

Microsoft Sentinel / Defender

kusto

let ServerlessDomains = dynamic([
  "workers.dev", "pages.dev",
  "cloudfunctions.net",
  "lambda-url",
  "execute-api",
  "azurewebsites.net",
  "azurecontainerapps.io",
  "netlify.app",
  "vercel.app",
  "script.google.com"
]);
let SuspiciousProcesses = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe",
  "wscript.exe", "cscript.exe", "mshta.exe",
  "rundll32.exe", "regsvr32.exe", "msbuild.exe",
  "python.exe", "python3.exe", "node.exe",
  "curl.exe", "wget.exe", "wmic.exe", "bitsadmin.exe"
]);
let BrowserProcesses = dynamic([
  "chrome.exe", "firefox.exe", "msedge.exe",
  "iexplore.exe", "opera.exe", "brave.exe", "vivaldi.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (ServerlessDomains)
| where InitiatingProcessFileName !in~ (BrowserProcesses)
| extend IsSuspiciousProcess = InitiatingProcessFileName in~ (SuspiciousProcesses)
| extend ServerlessPlatform = case(
    RemoteUrl has "workers.dev" or RemoteUrl has "pages.dev", "Cloudflare Workers",
    RemoteUrl has "cloudfunctions.net", "Google Cloud Functions",
    RemoteUrl has "lambda-url" or RemoteUrl has "execute-api", "AWS Lambda/API Gateway",
    RemoteUrl has "azurewebsites.net" or RemoteUrl has "azurecontainerapps.io", "Azure Functions",
    RemoteUrl has "netlify.app", "Netlify Functions",
    RemoteUrl has "vercel.app", "Vercel Serverless",
    RemoteUrl has "script.google.com", "Google Apps Script",
    "Other Serverless"
  )
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName,
         RemoteUrl, RemoteIP, RemotePort,
         ServerlessPlatform, IsSuspiciousProcess
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Microsoft Defender for Endpoint DNS: DNS Query Resolution

Required Tables

DeviceNetworkEvents

False Positives

Developer workstations running CI/CD scripts (Node.js, Python) that legitimately invoke AWS Lambda or Azure Functions APIs as part of build and test pipelines
IT automation tools using PowerShell or curl to call serverless-hosted webhook endpoints, monitoring heartbeats, or deployment triggers
Security scanning and vulnerability assessment tools probing cloud service APIs
Build agents and deployment pipeline runners (Jenkins agents, GitHub Actions self-hosted runners) making legitimate Lambda or Cloud Function calls
Monitoring agents and observability tools calling serverless-hosted status pages or synthetic monitoring endpoints
RPA (Robotic Process Automation) tools that interact with web services hosted on serverless platforms

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  (DestinationHostname="*.workers.dev"
   OR DestinationHostname="*.pages.dev"
   OR DestinationHostname="*.cloudfunctions.net"
   OR DestinationHostname="*.execute-api.*.amazonaws.com"
   OR DestinationHostname="*.lambda-url.*.amazonaws.com"
   OR DestinationHostname="*.azurewebsites.net"
   OR DestinationHostname="*.azurecontainerapps.io"
   OR DestinationHostname="*.netlify.app"
   OR DestinationHostname="*.vercel.app"
   OR DestinationHostname="script.google.com")
| eval is_browser=if(match(lower(Image), "chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe"), 1, 0)
| where is_browser=0
| eval is_suspicious_process=if(match(lower(Image), "powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|python.*\.exe|node\.exe|curl\.exe|wget\.exe|wmic\.exe|bitsadmin\.exe|regsvr32\.exe|msbuild\.exe"), 1, 0)
| eval serverless_platform=case(
    match(lower(DestinationHostname), "workers\.dev|pages\.dev"), "Cloudflare Workers",
    match(lower(DestinationHostname), "cloudfunctions\.net"), "Google Cloud Functions",
    match(lower(DestinationHostname), "execute-api|lambda-url"), "AWS Lambda",
    match(lower(DestinationHostname), "azurewebsites\.net|azurecontainerapps\.io"), "Azure Functions",
    match(lower(DestinationHostname), "netlify\.app"), "Netlify Functions",
    match(lower(DestinationHostname), "vercel\.app"), "Vercel Serverless",
    match(lower(DestinationHostname), "script\.google\.com"), "Google Apps Script",
    true(), "Other Serverless"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DestinationHostname, DestinationIp, DestinationPort,
        serverless_platform, is_suspicious_process
| sort - _time

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3 (Network Connection)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developer workstations running CI/CD scripts (Node.js, Python) that legitimately invoke AWS Lambda or Azure Functions APIs as part of build and test pipelines
IT automation tools using PowerShell or curl to call serverless-hosted webhook endpoints, monitoring heartbeats, or deployment triggers
Security scanning and vulnerability assessment tools probing cloud service APIs
Build agents and deployment pipeline runners (Jenkins agents, GitHub Actions self-hosted runners) making legitimate Lambda or Cloud Function calls
Monitoring agents and observability tools calling serverless-hosted status pages or synthetic monitoring endpoints
RPA (Robotic Process Automation) tools that interact with web services hosted on serverless platforms

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  destinationip AS "Destination IP",
  destinationport AS "Destination Port",
  "Destination Hostname",
  username AS "Username",
  "Process Image" AS "Process Name",
  "Command" AS "Command Line",
  "Parent Process Image" AS "Parent Process",
  QIDNAME(qid) AS "Event Name",
  CATEGORYNAME(category) AS "Category",
  logsourceid AS "Log Source ID",
  CASE
    WHEN LOWER("Destination Hostname") MATCHES '.*\.(workers|pages)\.dev$'                           THEN 'Cloudflare Workers'
    WHEN LOWER("Destination Hostname") MATCHES '.*\.cloudfunctions\.net$'                           THEN 'Google Cloud Functions'
    WHEN LOWER("Destination Hostname") MATCHES '.*\.(execute-api|lambda-url)\..*\.amazonaws\.com$'  THEN 'AWS Lambda'
    WHEN LOWER("Destination Hostname") MATCHES '.*\.(azurewebsites\.net|azurecontainerapps\.io)$'   THEN 'Azure Functions'
    WHEN LOWER("Destination Hostname") MATCHES '.*\.netlify\.app$'                                  THEN 'Netlify Functions'
    WHEN LOWER("Destination Hostname") MATCHES '.*\.vercel\.app$'                                   THEN 'Vercel Serverless'
    WHEN LOWER("Destination Hostname") = 'script.google.com'                                         THEN 'Google Apps Script'
    ELSE 'Other Serverless'
  END AS "Serverless Platform",
  CASE
    WHEN LOWER("Process Image") MATCHES '.*(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msbuild|python|node|curl|wget|wmic|bitsadmin)\.exe$'
    THEN 'true'
    ELSE 'false'
  END AS "Is Suspicious Process"
FROM events
WHERE
  (
    LOWER("Destination Hostname") MATCHES '.*\.workers\.dev$'
    OR LOWER("Destination Hostname") MATCHES '.*\.pages\.dev$'
    OR LOWER("Destination Hostname") MATCHES '.*\.cloudfunctions\.net$'
    OR LOWER("Destination Hostname") MATCHES '.*\.execute-api\..*\.amazonaws\.com$'
    OR LOWER("Destination Hostname") MATCHES '.*\.lambda-url\..*\.amazonaws\.com$'
    OR LOWER("Destination Hostname") MATCHES '.*\.azurewebsites\.net$'
    OR LOWER("Destination Hostname") MATCHES '.*\.azurecontainerapps\.io$'
    OR LOWER("Destination Hostname") MATCHES '.*\.netlify\.app$'
    OR LOWER("Destination Hostname") MATCHES '.*\.vercel\.app$'
    OR LOWER("Destination Hostname") = 'script.google.com'
  )
  AND NOT LOWER("Process Image") MATCHES '.*(chrome|firefox|msedge|iexplore|opera|brave|vivaldi)\.exe$'
LAST 24 HOURS
ORDER BY "Event Time" DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon via WinCollect or Syslog (EventID 3 - Network Connection) QRadar Windows DSM with custom properties for process and network fields

Required Tables

events

False Positives

Enterprise build pipelines where msbuild.exe or node.exe resolve serverless function URLs as part of artifact retrieval, deployment hooks, or webhook notifications
IT operations teams using PowerShell runbooks that invoke Azure Functions or AWS Lambda for configuration management, inventory collection, or automated remediation
Third-party endpoint management agents that use scripting runtimes to phone home to cloud-hosted control planes deployed on serverless infrastructure

Sumo Logic CSE

sql

(_sourceCategory="WinEvents/Sysmon" OR _sourceCategory="windows/sysmon" OR _sourceCategory="*sysmon*")
| parse "<EventID>*</EventID>" as event_id
| where event_id = "3"
| parse "<Image>*</Image>" as process_image
| parse "<DestinationHostname>*</DestinationHostname>" as dest_hostname
| parse "<DestinationIp>*</DestinationIp>" as dest_ip
| parse "<DestinationPort>*</DestinationPort>" as dest_port
| parse "<User>*</User>" as username
| parse "<CommandLine>*</CommandLine>" as command_line
| parse "<ParentImage>*</ParentImage>" as parent_image
| where dest_hostname matches "*workers.dev"
    OR dest_hostname matches "*pages.dev"
    OR dest_hostname matches "*cloudfunctions.net"
    OR dest_hostname matches "*.execute-api.*.amazonaws.com"
    OR dest_hostname matches "*.lambda-url.*.amazonaws.com"
    OR dest_hostname matches "*azurewebsites.net"
    OR dest_hostname matches "*azurecontainerapps.io"
    OR dest_hostname matches "*netlify.app"
    OR dest_hostname matches "*vercel.app"
    OR dest_hostname = "script.google.com"
| where !(process_image matches /(?i)(chrome|firefox|msedge|iexplore|opera|brave|vivaldi)\.exe/)
| eval is_suspicious = if(process_image matches /(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msbuild|python.*|node|curl|wget|wmic|bitsadmin)\.exe/, 1, 0)
| eval serverless_platform = if(dest_hostname matches "*workers.dev" OR dest_hostname matches "*pages.dev", "Cloudflare Workers",
    if(dest_hostname matches "*cloudfunctions.net", "Google Cloud Functions",
    if(dest_hostname matches "*execute-api*" OR dest_hostname matches "*lambda-url*", "AWS Lambda",
    if(dest_hostname matches "*azurewebsites.net" OR dest_hostname matches "*azurecontainerapps.io", "Azure Functions",
    if(dest_hostname matches "*netlify.app", "Netlify Functions",
    if(dest_hostname matches "*vercel.app", "Vercel Serverless",
    if(dest_hostname = "script.google.com", "Google Apps Script", "Other Serverless")))))))
| fields _messageTime, _sourceHost, username, process_image, command_line, parent_image, dest_hostname, dest_ip, dest_port, serverless_platform, is_suspicious
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Hosted Collector ingesting Windows Sysmon XML event logs Sysmon EventID 3 (Network Connection Detected)

Required Tables

_sourceCategory=WinEvents/Sysmon _sourceCategory=windows/sysmon

False Positives

Development machines where node.exe or python.exe make frequent outbound DNS and HTTP connections to serverless APIs as part of front-end build tooling, serverless framework deployments (Serverless Framework, AWS SAM), or integration test suites
PowerShell-based IT automation or DSC (Desired State Configuration) scripts that trigger Azure Functions for provisioning tasks, alerting pipelines, or configuration drift remediation
Endpoint security agents or SOAR connectors implemented as Python or Node services that contact cloud-hosted enrichment functions for threat intelligence or automated response actions

Google Chronicle / SecOps

yaral

rule T1583_007_Serverless_C2_Non_Browser_Egress {
  meta:
    author          = "Detection Engineering"
    description     = "Detects non-browser processes making outbound network connections to serverless cloud platform endpoints (Cloudflare Workers, AWS Lambda, Google Cloud Functions, Azure Functions, Netlify, Vercel, Google Apps Script). Adversaries route C2 traffic through these platforms to blend with legitimate cloud provider egress and obscure attribution."
    mitre_attack_tactic    = "Resource Development"
    mitre_attack_technique = "T1583.007"
    reference       = "https://attack.mitre.org/techniques/T1583/007/"
    severity        = "HIGH"
    priority        = "HIGH"
    false_positives = "Developer tooling, IT automation scripts, SOAR connectors calling legitimate serverless APIs"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    (
      re.regex($net.target.hostname, `(?i).*\.workers\.dev$`)                        or
      re.regex($net.target.hostname, `(?i).*\.pages\.dev$`)                          or
      re.regex($net.target.hostname, `(?i).*\.cloudfunctions\.net$`)                 or
      re.regex($net.target.hostname, `(?i).*\.execute-api\..*\.amazonaws\.com$`)    or
      re.regex($net.target.hostname, `(?i).*\.lambda-url\..*\.amazonaws\.com$`)     or
      re.regex($net.target.hostname, `(?i).*\.azurewebsites\.net$`)                  or
      re.regex($net.target.hostname, `(?i).*\.azurecontainerapps\.io$`)              or
      re.regex($net.target.hostname, `(?i).*\.netlify\.app$`)                        or
      re.regex($net.target.hostname, `(?i).*\.vercel\.app$`)                         or
      $net.target.hostname = "script.google.com"
    )
    not re.regex(
      $net.principal.process.file.full_path,
      `(?i)(chrome|firefox|msedge|iexplore|opera|brave|vivaldi)\.exe$`
    )

  condition:
    $net
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Chronicle forwarder ingesting Windows Sysmon EventID 3 CrowdStrike Falcon telemetry normalised to UDM Carbon Black Cloud events normalised to UDM

Required Tables

NETWORK_CONNECTION UDM event stream

False Positives

Scripting runtimes (python.exe, node.exe, perl.exe) on developer workstations regularly querying company-owned serverless APIs, CDN functions, or third-party SaaS webhooks implemented on serverless platforms
Corporate RPA (Robotic Process Automation) software that uses wscript.exe or cscript.exe to invoke Azure Functions or Google Apps Scripts as part of business workflow automation
Authorised red team or penetration testing infrastructure using scripted C2 beacon simulations against lab serverless endpoints during scheduled exercises

CrowdStrike LogScale (CQL)

cql

#event_simpleName=DnsRequest
| regex(field=DomainName, regex="(?i)(\.workers\.dev|\.pages\.dev|\.cloudfunctions\.net|\.execute-api\..*\.amazonaws\.com|\.lambda-url\..*\.amazonaws\.com|\.azurewebsites\.net|\.azurecontainerapps\.io|\.netlify\.app|\.vercel\.app|^script\.google\.com)$")
| regex(field=ImageFileName, regex="(?i)(chrome|firefox|msedge|iexplore|opera|brave|vivaldi)\.exe$", negate=true)
| eval(is_suspicious_process=if(
    match(field=ImageFileName, regex="(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msbuild|python.*|node|curl|wget|wmic|bitsadmin)\.exe$"),
    "true", "false"
  ))
| eval(serverless_platform=case(
    match(field=DomainName, regex="(?i)(workers\.dev|pages\.dev)"),                       "Cloudflare Workers",
    match(field=DomainName, regex="(?i)cloudfunctions\.net"),                              "Google Cloud Functions",
    match(field=DomainName, regex="(?i)(execute-api|lambda-url).*amazonaws\.com"),         "AWS Lambda",
    match(field=DomainName, regex="(?i)(azurewebsites\.net|azurecontainerapps\.io)"),      "Azure Functions",
    match(field=DomainName, regex="(?i)netlify\.app"),                                     "Netlify Functions",
    match(field=DomainName, regex="(?i)vercel\.app"),                                      "Vercel Serverless",
    match(field=DomainName, regex="(?i)script\.google\.com"),                              "Google Apps Script",
    default="Other Serverless"
  ))
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, DomainName, serverless_platform, is_suspicious_process])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (DnsRequest event stream) CrowdStrike Falcon EDR (NetworkConnectIP4 event stream — for IP correlation) CrowdStrike Falcon EDR (ProcessRollup2 — for parent process enrichment)

Required Tables

DnsRequest NetworkConnectIP4

False Positives

Developer endpoints where node.exe or python.exe routinely resolve serverless function domains during application development, serverless framework hot-reload cycles, or npm/pip package installs that phone back to cloud-hosted registries
Endpoint management and patch orchestration tools that use PowerShell or wmic.exe to query AWS Lambda or Azure Function endpoints for update manifests or agent configuration payloads
Automated red team tooling or breach-and-attack simulation (BAS) platforms that resolve and connect to operator-controlled serverless C2 simulators during scheduled purple-team exercises

Last updated: 2026-04-13 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1583.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1583Acquire Infrastructure

Related Sub-techniques

T1583.001Domains T1583.002DNS Server T1583.003Virtual Private Server T1583.004Server T1583.005Botnet T1583.006Web Services T1583.008Malvertising

Serverless

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections