T1584.007

Serverless

Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, to proxy command-and-control (C2) communications between implants on victim systems and adversary-controlled backend servers. Because traffic destined for compromised serverless functions originates from subdomains of trusted cloud providers (e.g., *.workers.dev, *.execute-api.amazonaws.com, script.google.com), network-layer defenses relying on domain or IP reputation are largely ineffective. Detection pivots to behavioral analysis of victim-side telemetry: identifying processes on endpoints communicating with serverless platforms in patterns consistent with C2 beaconing (periodic connections, low-variance timing, small symmetric payloads), correlating process context with destination domains, and monitoring cloud audit logs for unauthorized modifications to serverless functions within environments the defender controls.

Microsoft Sentinel / Defender

kusto

let BeaconLookback = 24h;
let MinHourlyBuckets = 3;
let MinTotalConnections = 12;
let ServerlessDomains = dynamic([
    "workers.dev",
    "cloudflareworkers.com",
    "execute-api.amazonaws.com",
    "lambda-url",
    "script.google.com",
    "cloudfunctions.net",
    "run.app",
    "azurewebsites.net",
    "pages.dev",
    "netlify.app",
    "vercel.app",
    "supabase.co",
    "deno.dev"
]);
let SuspiciousParents = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(BeaconLookback)
| where RemoteUrl has_any (ServerlessDomains)
| where ActionType == "ConnectionSuccess"
| extend HourBucket = bin(Timestamp, 1h)
| summarize
    TotalConnections = count(),
    HourlyBuckets = dcount(HourBucket),
    TotalBytesSent = sum(SentBytes),
    TotalBytesReceived = sum(ReceivedBytes),
    RemotePorts = make_set(RemotePort, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| where TotalConnections >= MinTotalConnections
| where HourlyBuckets >= MinHourlyBuckets
| extend AvgConnectionsPerHour = round(toreal(TotalConnections) / toreal(HourlyBuckets), 1)
| extend AvgBytesSentPerConn = iif(TotalConnections > 0, TotalBytesSent / TotalConnections, 0)
| extend AvgBytesReceivedPerConn = iif(TotalConnections > 0, TotalBytesReceived / TotalConnections, 0)
// Beaconing signature: high frequency, small symmetric payloads
| extend BeaconingLikely = (AvgBytesSentPerConn < 4096 and AvgBytesReceivedPerConn < 16384 and AvgConnectionsPerHour >= 2)
| extend SuspiciousInitiator = InitiatingProcessFileName has_any (SuspiciousParents)
| where BeaconingLikely or SuspiciousInitiator
| project
    FirstSeen,
    LastSeen,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    RemoteUrl,
    TotalConnections,
    HourlyBuckets,
    AvgConnectionsPerHour,
    AvgBytesSentPerConn,
    AvgBytesReceivedPerConn,
    BeaconingLikely,
    SuspiciousInitiator,
    RemotePorts
| sort by TotalConnections desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Microsoft Defender for Endpoint DeviceNetworkEvents

Required Tables

DeviceNetworkEvents

False Positives

Legitimate SaaS applications with serverless backends making regular telemetry or heartbeat calls (e.g., Datadog agents, monitoring tools with serverless collectors)
Developer workstations running applications that actively use serverless functions for legitimate business logic (API calls, webhook endpoints)
Browser-based applications using Cloudflare Workers or Vercel edge functions for content delivery, API proxying, or authentication flows
IT automation tools and deployment pipelines (GitHub Actions, CI/CD runners) communicating with serverless orchestration backends
Security tools and EDR agents that may communicate with cloud-hosted processing functions for telemetry or rule updates

Splunk

spl

index=proxy OR index=network sourcetype=proxy OR sourcetype="stream:http" OR sourcetype="pan:traffic" OR sourcetype="cisco:asa"
| eval dest_domain=if(isnotnull(cs_host), cs_host, if(isnotnull(url), replace(url, "https?://([^/]+).*", "\1"), null()))
| where match(dest_domain, "(workers\.dev|cloudflareworkers\.com|execute-api\.[a-z0-9-]+\.amazonaws\.com|lambda-url\.[a-z0-9-]+\.amazonaws\.com|script\.google\.com|cloudfunctions\.net|\.run\.app|azurewebsites\.net|pages\.dev|netlify\.app|vercel\.app|supabase\.co|deno\.dev)")
| eval hour_bucket=strftime(_time, "%Y-%m-%d %H")
| eval bytes_total=if(isnotnull(sc_bytes), tonumber(sc_bytes) + tonumber(cs_bytes), 0)
| stats
    count as connection_count,
    dc(hour_bucket) as hourly_buckets,
    sum(sc_bytes) as total_bytes_received,
    sum(cs_bytes) as total_bytes_sent,
    earliest(_time) as first_seen,
    latest(_time) as last_seen,
    values(dest_domain) as destinations
    by src_ip, cs_username, c_ip
| where connection_count >= 12 AND hourly_buckets >= 3
| eval avg_connections_per_hour=round(connection_count / hourly_buckets, 1)
| eval avg_bytes_sent_per_conn=round(total_bytes_sent / connection_count, 0)
| eval avg_bytes_recv_per_conn=round(total_bytes_received / connection_count, 0)
| eval beaconing_likely=if(avg_bytes_sent_per_conn < 4096 AND avg_bytes_recv_per_conn < 16384 AND avg_connections_per_hour >= 2, 1, 0)
| where beaconing_likely=1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table first_seen, last_seen, src_ip, cs_username, destinations, connection_count, hourly_buckets, avg_connections_per_hour, avg_bytes_sent_per_conn, avg_bytes_recv_per_conn, beaconing_likely
| sort - connection_count

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Proxy: Web Proxy Logs Network Device: Network Traffic Flow

Required Sourcetypes

proxy stream:http pan:traffic cisco:asa

False Positives

Legitimate SaaS applications with serverless backends making regular telemetry or heartbeat calls
Developer workstations actively using serverless functions for legitimate application code
Browser-based applications using edge computing platforms (Cloudflare Workers, Vercel) for content delivery
IT automation and CI/CD tools communicating with cloud-hosted serverless orchestration endpoints
Security monitoring tools with cloud-based processing backends

IBM QRadar (AQL)

sql

SELECT
  sourceip,
  username,
  destinationhostname,
  COUNT(*) AS connection_count,
  COUNT(DISTINCT DATEFORMAT(starttime, 'yyyy-MM-dd HH')) AS hourly_buckets,
  SUM(LONG(eventpayload)) AS total_bytes,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Palo Alto Networks Firewall', 'Check Point Firewall', 'Cisco ASA', 'Juniper Networks Firewall', 'Squid Proxy', 'Bluecoat Proxy')
  AND (
    destinationhostname MATCHES '.*\.workers\.dev'
    OR destinationhostname MATCHES '.*\.cloudflareworkers\.com'
    OR destinationhostname MATCHES '.*\.execute-api\.[a-z0-9-]+\.amazonaws\.com'
    OR destinationhostname MATCHES '.*\.lambda-url\.[a-z0-9-]+\.amazonaws\.com'
    OR destinationhostname = 'script.google.com'
    OR destinationhostname MATCHES '.*\.cloudfunctions\.net'
    OR destinationhostname MATCHES '.*\.run\.app'
    OR destinationhostname MATCHES '.*\.azurewebsites\.net'
    OR destinationhostname MATCHES '.*\.pages\.dev'
    OR destinationhostname MATCHES '.*\.netlify\.app'
    OR destinationhostname MATCHES '.*\.vercel\.app'
    OR destinationhostname MATCHES '.*\.supabase\.co'
    OR destinationhostname MATCHES '.*\.deno\.dev'
  )
  AND starttime > NOW() - 86400000
GROUP BY sourceip, username, destinationhostname
HAVING
  connection_count >= 12
  AND hourly_buckets >= 3
  AND (total_bytes / connection_count) < 20480
ORDER BY connection_count DESC

high severity medium confidence

Data Sources

Palo Alto Networks Firewall Check Point Firewall Cisco ASA Squid Proxy Bluecoat Proxy

Required Tables

events

False Positives

Internal developer tooling that regularly calls AWS Lambda or Google Cloud Functions for automation workflows
Browser-based applications with polling mechanisms targeting Supabase or Vercel-hosted APIs on behalf of many users sharing a NAT IP
Security products or SOAR platforms that probe cloud function endpoints as part of playbook execution or health monitoring

Sumo Logic CSE

sql

_sourceCategory=network/proxy OR _sourceCategory=network/firewall OR _sourceCategory=network/paloalto
| parse "*" as raw_log nodrop
| parse field=raw_log "host=*" as dest_host nodrop
| parse field=raw_log "cs-host: *" as cs_host nodrop
| parse field=raw_log "destinationhostname=*" as fw_host nodrop
| if (!isNull(dest_host), dest_host, if (!isNull(cs_host), cs_host, fw_host)) as destination
| where destination matches "*.workers.dev"
  OR destination matches "*.cloudflareworkers.com"
  OR destination matches "*.execute-api.*.amazonaws.com"
  OR destination matches "*.lambda-url.*.amazonaws.com"
  OR destination = "script.google.com"
  OR destination matches "*.cloudfunctions.net"
  OR destination matches "*.run.app"
  OR destination matches "*.azurewebsites.net"
  OR destination matches "*.pages.dev"
  OR destination matches "*.netlify.app"
  OR destination matches "*.vercel.app"
  OR destination matches "*.supabase.co"
  OR destination matches "*.deno.dev"
| parse field=raw_log "src=*" as src_ip nodrop
| parse field=raw_log "bytes_sent=*" as bytes_sent nodrop
| parse field=raw_log "bytes_received=*" as bytes_recv nodrop
| timeslice 1h
| stats
    count as connection_count,
    dcount(_timeslice) as hourly_buckets,
    sum(bytes_sent) as total_bytes_sent,
    sum(bytes_recv) as total_bytes_received,
    min(_messageTime) as first_seen,
    max(_messageTime) as last_seen
    by src_ip, destination
| where connection_count >= 12 AND hourly_buckets >= 3
| total_bytes_sent / connection_count as avg_bytes_sent
| total_bytes_received / connection_count as avg_bytes_recv
| where avg_bytes_sent < 4096 AND avg_bytes_recv < 16384
| connection_count / hourly_buckets as avg_conn_per_hour
| where avg_conn_per_hour >= 2
| fields first_seen, last_seen, src_ip, destination, connection_count, hourly_buckets, avg_conn_per_hour, avg_bytes_sent, avg_bytes_recv
| sort by connection_count desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (proxy logs) Palo Alto Networks App for Sumo Logic Cisco ASA App for Sumo Logic

Required Tables

network/proxy network/firewall network/paloalto

False Positives

Shared office NAT IPs where multiple developers are regularly accessing serverless-hosted internal tools simultaneously
Automated testing infrastructure running integration tests against staging environments hosted on Vercel, Netlify, or Supabase
Employee laptops running Electron apps backed by serverless APIs that poll frequently for real-time updates

Google Chronicle / SecOps

yaral

rule t1584_007_serverless_c2_beaconing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects potential C2 beaconing over compromised serverless infrastructure (T1584.007). Identifies hosts making repeated low-volume connections to serverless cloud domains across multiple hours, consistent with implant check-in behavior."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1584.007"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    (
      re.regex($e.target.hostname, `(?i)(.*\.workers\.dev|.*\.cloudflareworkers\.com|.*\.execute-api\.[a-z0-9-]+\.amazonaws\.com|.*\.lambda-url\.[a-z0-9-]+\.amazonaws\.com|script\.google\.com|.*\.cloudfunctions\.net|.*\.run\.app|.*\.azurewebsites\.net|.*\.pages\.dev|.*\.netlify\.app|.*\.vercel\.app|.*\.supabase\.co|.*\.deno\.dev)`) = true
    )
    $e.principal.ip = $src_ip
    $e.target.hostname = $dest_host
    $e.principal.process.file.full_path = $proc_path

  match:
    $src_ip, $dest_host, $proc_path over 24h

  outcome:
    $event_count = count_distinct($e.metadata.id)
    $hour_buckets = count_distinct(timestamp.get_hour($e.metadata.event_timestamp))
    $total_bytes_sent = sum($e.network.sent_bytes)
    $total_bytes_received = sum($e.network.received_bytes)
    $avg_bytes_sent = math.floor(sum($e.network.sent_bytes) / count_distinct($e.metadata.id))
    $avg_bytes_received = math.floor(sum($e.network.received_bytes) / count_distinct($e.metadata.id))
    $process_name = array_distinct($e.principal.process.file.full_path)

  condition:
    $event_count >= 12 and
    $hour_buckets >= 3 and
    $avg_bytes_sent < 4096 and
    $avg_bytes_received < 16384
}

high severity medium confidence

Data Sources

Google Chronicle UDM (network events) Endpoint telemetry via Chronicle forwarder Firewall/proxy logs normalized to UDM

Required Tables

udm_events (NETWORK_CONNECTION type)

False Positives

Corporate developer workstations where engineers frequently test or deploy to personal AWS Lambda or Cloudflare Workers projects during business hours
Legitimate SaaS integrations where a business application backend regularly calls out to third-party serverless functions for data processing
Browser-based applications that maintain persistent polling connections to Supabase realtime subscriptions or Vercel Edge Functions

CrowdStrike LogScale (CQL)

cql

// T1584.007 - Serverless C2 Beaconing Detection
// Requires: Network telemetry from Falcon sensor
#event_simpleName = "NetworkConnectIP4" OR #event_simpleName = "DnsRequest"
| eval serverless_domain = if(
    DomainName = /(?i)(workers\.dev|cloudflareworkers\.com|execute-api\.[a-z0-9-]+\.amazonaws\.com|lambda-url\.[a-z0-9-]+\.amazonaws\.com|script\.google\.com|cloudfunctions\.net|\.run\.app|azurewebsites\.net|pages\.dev|netlify\.app|vercel\.app|supabase\.co|deno\.dev)/,
    DomainName,
    null()
  )
| where isnotnull(serverless_domain)
| eval hour_bucket = formatTime("%Y-%m-%d %H", @timestamp)
| groupBy([ComputerName, ImageFileName, serverless_domain], function=[
    count(aid, as=connection_count),
    dcount(hour_bucket, as=hourly_buckets),
    sum(BytesSent, as=total_bytes_sent),
    sum(BytesReceived, as=total_bytes_received),
    min(@timestamp, as=first_seen),
    max(@timestamp, as=last_seen),
    collect(ContextProcessId, as=pids)
  ])
| where connection_count >= 12 AND hourly_buckets >= 3
| eval avg_bytes_sent = total_bytes_sent / connection_count
| eval avg_bytes_received = total_bytes_received / connection_count
| eval avg_conn_per_hour = connection_count / hourly_buckets
| where avg_bytes_sent < 4096 AND avg_bytes_received < 16384 AND avg_conn_per_hour >= 2
| eval beaconing_likely = true()
| table([first_seen, last_seen, ComputerName, ImageFileName, serverless_domain, connection_count, hourly_buckets, avg_conn_per_hour, avg_bytes_sent, avg_bytes_received, pids])
| sort(connection_count, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Sensor (NetworkConnectIP4) CrowdStrike Falcon DNS telemetry (DnsRequest)

Required Tables

NetworkConnectIP4 DnsRequest

False Positives

Security tools and EDR agents themselves that communicate with cloud-hosted analysis backends or threat intel APIs on serverless infrastructure
Developer endpoints with active cloud IDE plugins or remote development tools that poll AWS Lambda or Cloudflare Workers for code execution results
Managed endpoint backup or sync clients that stage data through serverless intermediaries on a frequent schedule

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1584.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1584Compromise Infrastructure

Related Sub-techniques

T1584.001Compromise Infrastructure: Domains T1584.002DNS Server T1584.003Virtual Private Server T1584.004Compromise Infrastructure: Server T1584.005Botnet T1584.006Web Services T1584.008Network Devices

Serverless

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections