Detect Serverless in IBM QRadar
Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, to use during operations. By routing command-and-control (C2) traffic through serverless platforms, adversaries blend malicious communications with legitimate cloud provider traffic. Traffic from infected endpoints appears to target known cloud provider domains (workers.dev, cloudfunctions.net, lambda-url.amazonaws.com), making it difficult to distinguish from ordinary SaaS or cloud API usage. The serverless runtime proxies requests to adversary-owned infrastructure while the cloud provider absorbs attribution complexity. Detection requires identifying beaconing behavior, non-browser processes connecting to serverless endpoints, and anomalous DNS query patterns to serverless platform domains.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1583 Acquire Infrastructure
- Sub-technique: T1583.007 Serverless
- Canonical reference: https://attack.mitre.org/techniques/T1583/007/
QRadar Detection Query
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  destinationip AS "Destination IP",
  destinationport AS "Destination Port",
  "Destination Hostname",
  username AS "Username",
  "Process Image" AS "Process Name",
  "Command" AS "Command Line",
  "Parent Process Image" AS "Parent Process",
  QIDNAME(qid) AS "Event Name",
  CATEGORYNAME(category) AS "Category",
  logsourceid AS "Log Source ID",
  CASE
    WHEN LOWER("Destination Hostname") MATCHES '.*\.(workers|pages)\.dev$' THEN 'Cloudflare Workers'
    WHEN LOWER("Destination Hostname") MATCHES '.*\.cloudfunctions\.net$' THEN 'Google Cloud Functions'
    WHEN LOWER("Destination Hostname") MATCHES '.*\.(execute-api|lambda-url)\..*\.amazonaws\.com$' THEN 'AWS Lambda'
    WHEN LOWER("Destination Hostname") MATCHES '.*\.(azurewebsites\.net|azurecontainerapps\.io)$' THEN 'Azure Functions'
    WHEN LOWER("Destination Hostname") MATCHES '.*\.netlify\.app$' THEN 'Netlify Functions'
    WHEN LOWER("Destination Hostname") MATCHES '.*\.vercel\.app$' THEN 'Vercel Serverless'
    WHEN LOWER("Destination Hostname") = 'script.google.com' THEN 'Google Apps Script'
    ELSE 'Other Serverless'
  END AS "Serverless Platform",
  CASE
    WHEN LOWER("Process Image") MATCHES '.*(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msbuild|python|node|curl|wget|wmic|bitsadmin)\.exe$'
      THEN 'true'
    ELSE 'false'
  END AS "Is Suspicious Process"
FROM events
WHERE
  (
    LOWER("Destination Hostname") MATCHES '.*\.workers\.dev$'
    OR LOWER("Destination Hostname") MATCHES '.*\.pages\.dev$'
    OR LOWER("Destination Hostname") MATCHES '.*\.cloudfunctions\.net$'
    OR LOWER("Destination Hostname") MATCHES '.*\.execute-api\..*\.amazonaws\.com$'
    OR LOWER("Destination Hostname") MATCHES '.*\.lambda-url\..*\.amazonaws\.com$'
    OR LOWER("Destination Hostname") MATCHES '.*\.azurewebsites\.net$'
    OR LOWER("Destination Hostname") MATCHES '.*\.azurecontainerapps\.io$'
    OR LOWER("Destination Hostname") MATCHES '.*\.netlify\.app$'
    OR LOWER("Destination Hostname") MATCHES '.*\.vercel\.app$'
    OR LOWER("Destination Hostname") = 'script.google.com'
  )
  AND NOT LOWER("Process Image") MATCHES '.*(chrome|firefox|msedge|iexplore|opera|brave|vivaldi)\.exe$'
ORDER BY devicetime DESC
LAST 24 HOURS

IBM QRadar AQL detection using Windows Sysmon Event ID 3 (Network Connection) log source data. It requires QRadar DSM custom properties for 'Destination Hostname', 'Process Image', 'Command', and 'Parent Process Image' to be extracted from the Sysmon XML payloads. The query identifies non-browser processes contacting serverless platform domains and classifies the targeted provider. The MATCHES operator uses Java-compatible regular expressions. In AQL the time-range clause (LAST 24 HOURS) is the final clause of the statement, after ORDER BY.
False Positives & Tuning
- Enterprise build pipelines where msbuild.exe or node.exe resolve serverless function URLs as part of artifact retrieval, deployment hooks, or webhook notifications
- IT operations teams using PowerShell runbooks that invoke Azure Functions or AWS Lambda for configuration management, inventory collection, or automated remediation
- Third-party endpoint management agents that use scripting runtimes to phone home to cloud-hosted control planes deployed on serverless infrastructure
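To show the rule's logic end to end over telemetry that can be constructed offline, here is an added Python example (not code from the original page, and not QRadar's own). It parses constructed Sysmon Event ID 3 XML payloads into the fields the custom properties above would carry, applies the same hostname and process regexes as the AQL query, drops allowlisted (process, hostname) pairs to tune out the kind of build-pipeline and runbook traffic listed in the false-positive section, and then checks each surviving (process, hostname) series for the regular-interval beaconing the description calls out. The hostnames, IP addresses, timestamps and the allowlist entry are constructed sample values, and the beacon thresholds (at least four connections, relative interval jitter of 0.2 or less) are assumptions to tune locally.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}  # Windows event XML namespace
# Provider classification: the same regexes as the AQL CASE expression.
PLATFORM_PATTERNS = [
    (re.compile(r'.*\.(workers|pages)\.dev$'), 'Cloudflare Workers'),
    (re.compile(r'.*\.cloudfunctions\.net$'), 'Google Cloud Functions'),
    (re.compile(r'.*\.(execute-api|lambda-url)\..*\.amazonaws\.com$'), 'AWS Lambda'),
    (re.compile(r'.*\.(azurewebsites\.net|azurecontainerapps\.io)$'), 'Azure Functions'),
    (re.compile(r'.*\.netlify\.app$'), 'Netlify Functions'),
    (re.compile(r'.*\.vercel\.app$'), 'Vercel Serverless'),
    (re.compile(r'^script\.google\.com$'), 'Google Apps Script'),
]
SUSPICIOUS_PROCESS = re.compile(r'.*(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32'
                                r'|msbuild|python|node|curl|wget|wmic|bitsadmin)\.exe$')
BROWSER_PROCESS = re.compile(r'.*(chrome|firefox|msedge|iexplore|opera|brave|vivaldi)\.exe$')
# Hypothetical tuning allowlist of approved (process, hostname) pairs, e.g. a CI webhook target.
ALLOWLIST = frozenset({('node.exe', 'hooks.example-ci.netlify.app')})

def parse_sysmon_event(xml_text):
    """Return EventID plus the EventData Name/value pairs from one Sysmon event XML payload."""
    root = ET.fromstring(xml_text)
    fields = {d.get('Name'): (d.text or '') for d in root.findall('e:EventData/e:Data', NS)}
    fields['EventID'] = int(root.find('e:System/e:EventID', NS).text)
    return fields

def classify_platform(hostname):
    """Mirror the AQL CASE; None means the host is not a tracked serverless endpoint."""
    host = hostname.lower()
    return next((name for pattern, name in PLATFORM_PATTERNS if pattern.match(host)), None)

def evaluate(events, allowlist=frozenset()):
    """Apply the rule's WHERE logic to parsed Event ID 3 records and annotate the survivors."""
    hits = []
    for ev in events:
        if ev.get('EventID') != 3:
            continue
        image = ev.get('Image', '').lower()
        host = ev.get('DestinationHostname', '').lower()
        process = image.rsplit('\\', 1)[-1]
        platform = classify_platform(host)
        if platform is None or BROWSER_PROCESS.match(image) or (process, host) in allowlist:
            continue
        hits.append({'time': datetime.strptime(ev['UtcTime'], '%Y-%m-%d %H:%M:%S.%f'),
                     'process': process, 'host': host, 'platform': platform,
                     'suspicious_process': bool(SUSPICIOUS_PROCESS.match(image))})
    return hits

def find_beacons(hits, min_events=4, max_jitter=0.2):
    """Flag (process, host) series whose connection gaps are regular (low relative deviation)."""
    series = defaultdict(list)
    for hit in hits:
        series[(hit['process'], hit['host'])].append(hit['time'])
    beacons = {}
    for key, times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float('inf')
        if jitter <= max_jitter:
            beacons[key] = {'count': len(times), 'interval_s': round(avg, 1), 'jitter': round(jitter, 3)}
    return beacons

def make_event(utc, image, host, ip):
    """Build a constructed Sysmon Event ID 3 payload (sample data, not captured telemetry)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>3</EventID></System><EventData>'
            f'<Data Name="UtcTime">{utc}</Data><Data Name="Image">{image}</Data>'
            f'<Data Name="DestinationIp">{ip}</Data><Data Name="DestinationPort">443</Data>'
            f'<Data Name="DestinationHostname">{host}</Data><Data Name="User">CORP\\alice</Data>'
            '</EventData></Event>')

PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
SAMPLE_XML = [  # five powershell.exe beacons roughly 60 s apart, then assorted non-beacon traffic
    make_event(f'2024-05-01 10:{m:02d}:{s:02d}.000', PS, 'df00tech-sentinel-test.argustest.workers.dev', '198.51.100.10')
    for m, s in [(0, 0), (1, 1), (2, 0), (3, 2), (4, 0)]
] + [
    make_event('2024-05-01 10:05:00.000', 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
               'docs.example-site.pages.dev', '198.51.100.11'),           # browser: excluded by the rule
    make_event('2024-05-01 10:06:00.000', 'C:\\Program Files\\nodejs\\node.exe',
               'hooks.example-ci.netlify.app', '198.51.100.12'),          # allowlisted CI webhook
    make_event('2024-05-01 10:08:00.000', 'C:\\Python312\\python.exe',
               'abcde12345fghij.lambda-url.us-east-1.amazonaws.com', '198.51.100.13'),  # one-off poll
]

def run_sample():
    """Run the rule and the beacon check over the constructed events; returns (hits, beacons)."""
    hits = evaluate([parse_sysmon_event(x) for x in SAMPLE_XML], ALLOWLIST)
    return hits, find_beacons(hits)

if __name__ == '__main__':
    print(run_sample())
```

Running the script returns six hits (five from powershell.exe, one from python.exe) and a single beacon series for powershell.exe against the workers.dev host, with the browser connection excluded by the rule and the node.exe webhook tuned out by the allowlist. The single python.exe poll to the Lambda URL is still reported as a hit from a suspicious process, but with only one connection it cannot be scored for regularity, which is why the beacon check is a second-stage signal on top of the AQL rule rather than a replacement for it.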
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Beaconing to Cloudflare Workers Endpoint
Expected signal: Sysmon Event ID 1: powershell.exe spawned with command line containing Invoke-WebRequest and the workers.dev URL. Sysmon Event ID 22: 5 DNS query events for df00tech-sentinel-test.argustest.workers.dev. Sysmon Event ID 3: 5 Network Connection events from powershell.exe to the Cloudflare IP on port 443. PowerShell ScriptBlock Log Event ID 4104 capturing the full loop script.
- Test 2: Python Script Polling AWS Lambda Function URL
Expected signal: Sysmon Event ID 1: python.exe (or python3.exe) process created with command line containing lambda-url and amazonaws.com. Sysmon Event ID 22: DNS query events for the Lambda URL subdomain (abcde12345fghij.lambda-url.us-east-1.amazonaws.com). Sysmon Event ID 3: Network connection events from python.exe to AWS IP ranges on port 443. Connections will fail with connection refused but process and DNS events fire.
- Test 3: WScript Invoking Google Apps Script Web App (BlackWater Technique)
Expected signal: Sysmon Event ID 1: cmd.exe spawning echo to create the .js file, then wscript.exe executing df00tech_gapps_test.js. Sysmon Event ID 11: File Create event for df00tech_gapps_test.js in %TEMP%. Sysmon Event ID 22: DNS query for script.google.com. Sysmon Event ID 3: Network connection from wscript.exe to Google IP on port 443 with DestinationHostname=script.google.com.
- Test 4: cURL Beaconing to Google Cloud Function (Repeated Intervals)
Expected signal: Sysmon Event ID 1: cmd.exe created with the for loop command, then curl.exe spawned 4 times as child processes with the cloudfunctions.net URL as an argument. Sysmon Event ID 22: DNS query events for us-central1-df00tech-argus-test.cloudfunctions.net. Sysmon Event ID 3: 4 Network Connection events from curl.exe to Google Cloud IP on port 443. Connections will return an error but process and DNS events fire regardless.
References (8)
- https://attack.mitre.org/techniques/T1583/007/
- https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
- https://blog.xpnsec.com/aws-lambda-redirector/
- https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
- https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/
- https://developers.cloudflare.com/workers/
- https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1583.007/T1583.007.md