T1584.007 Splunk · SPL

Detect Serverless in Splunk

Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, to proxy command-and-control (C2) communications between implants on victim systems and adversary-controlled backend servers. Because traffic destined for compromised serverless functions originates from subdomains of trusted cloud providers (e.g., *.workers.dev, *.execute-api.amazonaws.com, script.google.com), network-layer defenses relying on domain or IP reputation are largely ineffective. Detection pivots to behavioral analysis of victim-side telemetry: identifying processes on endpoints communicating with serverless platforms in patterns consistent with C2 beaconing (periodic connections, low-variance timing, small symmetric payloads), correlating process context with destination domains, and monitoring cloud audit logs for unauthorized modifications to serverless functions within environments the defender controls.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1584 Compromise Infrastructure
Sub-technique
T1584.007 Serverless
Canonical reference
https://attack.mitre.org/techniques/T1584/007/

SPL Detection Query

Splunk (SPL)
spl 
index=proxy OR index=network sourcetype=proxy OR sourcetype="stream:http" OR sourcetype="pan:traffic" OR sourcetype="cisco:asa"
| eval dest_domain=if(isnotnull(cs_host), cs_host, if(isnotnull(url), replace(url, "https?://([^/]+).*", "\1"), null()))
| where match(dest_domain, "(workers\.dev|cloudflareworkers\.com|execute-api\.[a-z0-9-]+\.amazonaws\.com|lambda-url\.[a-z0-9-]+\.amazonaws\.com|script\.google\.com|cloudfunctions\.net|\.run\.app|azurewebsites\.net|pages\.dev|netlify\.app|vercel\.app|supabase\.co|deno\.dev)")
| eval hour_bucket=strftime(_time, "%Y-%m-%d %H")
| eval bytes_total=if(isnotnull(sc_bytes), tonumber(sc_bytes) + tonumber(cs_bytes), 0)
| stats
    count as connection_count,
    dc(hour_bucket) as hourly_buckets,
    sum(sc_bytes) as total_bytes_received,
    sum(cs_bytes) as total_bytes_sent,
    earliest(_time) as first_seen,
    latest(_time) as last_seen,
    values(dest_domain) as destinations
    by src_ip, cs_username, c_ip
| where connection_count >= 12 AND hourly_buckets >= 3
| eval avg_connections_per_hour=round(connection_count / hourly_buckets, 1)
| eval avg_bytes_sent_per_conn=round(total_bytes_sent / connection_count, 0)
| eval avg_bytes_recv_per_conn=round(total_bytes_received / connection_count, 0)
| eval beaconing_likely=if(avg_bytes_sent_per_conn < 4096 AND avg_bytes_recv_per_conn < 16384 AND avg_connections_per_hour >= 2, 1, 0)
| where beaconing_likely=1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table first_seen, last_seen, src_ip, cs_username, destinations, connection_count, hourly_buckets, avg_connections_per_hour, avg_bytes_sent_per_conn, avg_bytes_recv_per_conn, beaconing_likely
| sort - connection_count
high severity medium confidence

Detects C2 beaconing through compromised serverless infrastructure by analyzing proxy and network flow logs. Matches destination domains against a comprehensive list of serverless hosting platforms and computes per-source-IP connection statistics over a rolling window. Flags sources with connections spread across multiple hourly buckets (indicating sustained, recurring activity rather than a single session) combined with low per-connection byte counts characteristic of automated beaconing protocols. Works with web proxy logs (Blue Coat, Squid, Zscaler), Palo Alto NGFW, and Cisco ASA logs when normalized to standard proxy sourcetypes.

Data Sources

Network Traffic: Network Connection CreationProxy: Web Proxy LogsNetwork Device: Network Traffic Flow

Required Sourcetypes

proxystream:httppan:trafficcisco:asa

False Positives & Tuning

  • Legitimate SaaS applications with serverless backends making regular telemetry or heartbeat calls
  • Developer workstations actively using serverless functions for legitimate application code
  • Browser-based applications using edge computing platforms (Cloudflare Workers, Vercel) for content delivery
  • IT automation and CI/CD tools communicating with cloud-hosted serverless orchestration endpoints
  • Security monitoring tools with cloud-based processing backends
Download portable Sigma rule (.yml)

Other platforms for T1584.007

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate C2 Beacon to Cloudflare Workers Domain

    Expected signal: DeviceNetworkEvents: 15 ConnectionSuccess events from PowerShell.exe to httpbin.org, spaced ~30 seconds apart. Sysmon Event ID 3: Network connections with consistent DestinationPort=443 and DestinationHostname=httpbin.org. Inter-arrival time analysis will show MeanInterval ~30 seconds with low standard deviation (JitterCoefficient < 0.05).

  2. Test 2Non-Browser Process Connecting to AWS Lambda URL

    Expected signal: Sysmon Event ID 3: Network connections with Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe making POST requests to httpbin.org:443. DeviceNetworkEvents: InitiatingProcessFileName=powershell.exe, connection count=5 with small SentBytes values. Sysmon Event ID 22: DNS query for httpbin.org from powershell.exe.

  3. Test 3Enumerate and Test Unauthorized AWS Lambda Function (Controlled Lab)

    Expected signal: AWS CloudTrail: ListFunctions and InvokeFunction API calls logged in CloudTrail with sourceIPAddress of the calling machine, userAgent=aws-cli, and requestParameters including the function name. If forwarded to a SIEM via CloudWatch/Kinesis, these appear in your cloud audit log index. EventName=InvokeFunction with errorCode absent indicates successful invocation.

  4. Test 4Deploy Test Cloudflare Worker via wrangler CLI (Simulates Infrastructure Compromise Foothold)

    Expected signal: Cloudflare Audit Log: Worker script deployment event with actor email, source IP, and timestamp. If Cloudflare Logpush is configured to forward audit logs to your SIEM, the event appears as audit_log.action.type=deploy with resources referencing the worker name. Process telemetry: node.exe or cmd.exe spawning wrangler commands visible in Sysmon Event ID 1.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1584.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1584Compromise Infrastructure

Related Sub-techniques

T1584.001Compromise Infrastructure: DomainsT1584.002DNS ServerT1584.003Virtual Private ServerT1584.004Compromise Infrastructure: ServerT1584.005BotnetT1584.006Web ServicesT1584.008Network Devices

Related Techniques

T1584Compromise InfrastructureT1583.007ServerlessT1090.004Domain FrontingT1090.002External ProxyT1665Hide InfrastructureT1102Web ServiceT1071.001Web ProtocolsT1573.001Symmetric CryptographyT1027Obfuscated Files or InformationT1496Resource Hijacking

Same Tactic: Resource Development

Popular Detections