T1583.007 Splunk · SPL

Detect Serverless in Splunk

Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, to use during operations. By routing command-and-control (C2) traffic through serverless platforms, adversaries blend malicious communications with legitimate cloud provider traffic. Traffic from infected endpoints appears to target known cloud provider domains (workers.dev, cloudfunctions.net, lambda-url.amazonaws.com), making it difficult to distinguish from ordinary SaaS or cloud API usage. The serverless runtime proxies requests to adversary-owned infrastructure while the cloud provider absorbs attribution complexity. Detection requires identifying beaconing behavior, non-browser processes connecting to serverless endpoints, and anomalous DNS query patterns to serverless platform domains.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1583 Acquire Infrastructure
Sub-technique
T1583.007 Serverless
Canonical reference
https://attack.mitre.org/techniques/T1583/007/

SPL Detection Query

Splunk (SPL)
spl 
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  (DestinationHostname="*.workers.dev"
   OR DestinationHostname="*.pages.dev"
   OR DestinationHostname="*.cloudfunctions.net"
   OR DestinationHostname="*.execute-api.*.amazonaws.com"
   OR DestinationHostname="*.lambda-url.*.amazonaws.com"
   OR DestinationHostname="*.azurewebsites.net"
   OR DestinationHostname="*.azurecontainerapps.io"
   OR DestinationHostname="*.netlify.app"
   OR DestinationHostname="*.vercel.app"
   OR DestinationHostname="script.google.com")
| eval is_browser=if(match(lower(Image), "chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe"), 1, 0)
| where is_browser=0
| eval is_suspicious_process=if(match(lower(Image), "powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|python.*\.exe|node\.exe|curl\.exe|wget\.exe|wmic\.exe|bitsadmin\.exe|regsvr32\.exe|msbuild\.exe"), 1, 0)
| eval serverless_platform=case(
    match(lower(DestinationHostname), "workers\.dev|pages\.dev"), "Cloudflare Workers",
    match(lower(DestinationHostname), "cloudfunctions\.net"), "Google Cloud Functions",
    match(lower(DestinationHostname), "execute-api|lambda-url"), "AWS Lambda",
    match(lower(DestinationHostname), "azurewebsites\.net|azurecontainerapps\.io"), "Azure Functions",
    match(lower(DestinationHostname), "netlify\.app"), "Netlify Functions",
    match(lower(DestinationHostname), "vercel\.app"), "Vercel Serverless",
    match(lower(DestinationHostname), "script\.google\.com"), "Google Apps Script",
    true(), "Other Serverless"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DestinationHostname, DestinationIp, DestinationPort,
        serverless_platform, is_suspicious_process
| sort - _time
medium severity medium confidence

Detects non-browser processes connecting to serverless infrastructure using Sysmon Event ID 3 (Network Connection). Identifies scripting engines, command-line tools, and other suspicious processes (PowerShell, Python, wscript, curl) making outbound connections to Cloudflare Workers, AWS Lambda Function URLs, Google Cloud Functions, Azure Functions, Netlify, Vercel, and Google Apps Script endpoints. Browser processes are excluded to reduce noise from legitimate web browsing. The is_suspicious_process field prioritizes events from known-abused processes for analyst triage.

Data Sources

Network Traffic: Network Connection CreationSysmon Event ID 3 (Network Connection)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Developer workstations running CI/CD scripts (Node.js, Python) that legitimately invoke AWS Lambda or Azure Functions APIs as part of build and test pipelines
  • IT automation tools using PowerShell or curl to call serverless-hosted webhook endpoints, monitoring heartbeats, or deployment triggers
  • Security scanning and vulnerability assessment tools probing cloud service APIs
  • Build agents and deployment pipeline runners (Jenkins agents, GitHub Actions self-hosted runners) making legitimate Lambda or Cloud Function calls
  • Monitoring agents and observability tools calling serverless-hosted status pages or synthetic monitoring endpoints
  • RPA (Robotic Process Automation) tools that interact with web services hosted on serverless platforms
Download portable Sigma rule (.yml)

Other platforms for T1583.007

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Beaconing to Cloudflare Workers Endpoint

    Expected signal: Sysmon Event ID 1: powershell.exe spawned with command line containing Invoke-WebRequest and the workers.dev URL. Sysmon Event ID 22: 5 DNS query events for df00tech-sentinel-test.argustest.workers.dev. Sysmon Event ID 3: 5 Network Connection events from powershell.exe to the Cloudflare IP on port 443. PowerShell ScriptBlock Log Event ID 4104 capturing the full loop script.

  2. Test 2Python Script Polling AWS Lambda Function URL

    Expected signal: Sysmon Event ID 1: python.exe (or python3.exe) process created with command line containing lambda-url and amazonaws.com. Sysmon Event ID 22: DNS query events for the Lambda URL subdomain (abcde12345fghij.lambda-url.us-east-1.amazonaws.com). Sysmon Event ID 3: Network connection events from python.exe to AWS IP ranges on port 443. Connections will fail with connection refused but process and DNS events fire.

  3. Test 3WScript Invoking Google Apps Script Web App (BlackWater Technique)

    Expected signal: Sysmon Event ID 1: cmd.exe spawning echo to create the .js file, then wscript.exe executing df00tech_gapps_test.js. Sysmon Event ID 11: File Create event for df00tech_gapps_test.js in %TEMP%. Sysmon Event ID 22: DNS query for script.google.com. Sysmon Event ID 3: Network connection from wscript.exe to Google IP on port 443 with DestinationHostname=script.google.com.

  4. Test 4cURL Beaconing to Google Cloud Function (Repeated Intervals)

    Expected signal: Sysmon Event ID 1: cmd.exe created with the for loop command, then curl.exe spawned 4 times as child processes with the cloudfunctions.net URL as an argument. Sysmon Event ID 22: DNS query events for us-central1-df00tech-argus-test.cloudfunctions.net. Sysmon Event ID 3: 4 Network Connection events from curl.exe to Google Cloud IP on port 443. Connections will return an error but process and DNS events fire regardless.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1583.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1583Acquire Infrastructure

Related Sub-techniques

T1583.001DomainsT1583.002DNS ServerT1583.003Virtual Private ServerT1583.004ServerT1583.005BotnetT1583.006Web ServicesT1583.008Malvertising

Related Techniques

T1583Acquire InfrastructureT1583.001DomainsT1090.004Domain FrontingT1090.001Internal ProxyT1102Web ServiceT1102.001Dead Drop ResolverT1071.001Web ProtocolsT1665Hide InfrastructureT1059.001PowerShellT1059.006PythonT1041Exfiltration Over C2 Channel

Same Tactic: Resource Development

Popular Detections