T1648 Google Chronicle · YARA-L

Detect Serverless Execution in Google Chronicle

This detection identifies adversary abuse of serverless computing platforms — including AWS Lambda, Azure Functions, and Microsoft Power Automate — to execute arbitrary code or automate malicious workflows within cloud environments. Adversaries create or modify serverless functions to run cryptomining payloads, establish persistent backdoors triggered by cloud events, escalate privileges by attaching overprivileged IAM roles (via IAM:PassRole or iam.serviceAccounts.actAs), and exfiltrate data through automated workflows. Key indicators include unexpected serverless function creation by identities with no prior deployment history, attachment of administrative IAM roles to functions, event source mappings that enable persistent trigger-based execution, and Power Automate flows containing email forwarding or external HTTP connector actions. Real-world examples include the Denonia cryptominer (first Lambda-specific malware), Pacu framework Lambda deployment, and adversary-created Power Automate flows forwarding executive email to external addresses.

MITRE ATT&CK

Tactic: Execution
Technique: T1648 Serverless Execution
Canonical reference: https://attack.mitre.org/techniques/T1648/

YARA-L Detection Query

Google Chronicle (YARA-L)

rule detection_t1648 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Serverless Execution AWS activity - T1648"
    severity = "HIGH"
    mitre_attack = "T1648"
    reference = "https://attack.mitre.org/techniques/T1648/"

  events:
    // AWS CloudTrail write activity normalized into UDM as resource creation
    $e.metadata.event_type = "RESOURCE_CREATION"
    // Bind actor, source IP and target resource so they surface in the alert
    $e.principal.user.userid = $actor
    $e.principal.ip = $source_ip
    $e.target.resource.name = $resource
    // CreateFunction20150331 and UpdateFunctionCode20150331v2 are the CloudTrail
    // event names for Lambda function creation and code updates
    (
      $e.metadata.product_event_type in
        ("LeaveOrganization", "CreateAccount", "SendCommand",
         "CreateFunction20150331", "UpdateFunctionCode20150331v2") and
      $e.metadata.vendor_name = "AMAZON"
    )

  condition:
    $e
}

Severity: High · Confidence: Medium

Google Chronicle YARA-L 2.0 rule for detecting Serverless Execution (T1648). It uses the Chronicle UDM event model to identify serverless execution behaviors across endpoint and cloud telemetry.

Data Sources

AWS CloudTrail

Required Tables

RESOURCE_CREATION

False Positives & Tuning

  • Legitimate DevOps CI/CD pipelines (GitHub Actions, Jenkins, AWS CodePipeline) using service accounts to regularly deploy Lambda or Azure Function updates as part of normal SDLC workflows
  • Infrastructure-as-code tooling (Terraform, AWS CDK, Pulumi, Bicep) creating or updating serverless resources during planned deployments — these typically originate from known CI/CD source IPs with consistent timing patterns
  • IT or business teams creating Power Automate flows for approved process automation such as SharePoint approval workflows, Teams notifications, or internal HR onboarding processes
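As an added illustration (not part of the Argus rule set or Chronicle's engine), the Python below re-implements the rule's events-section predicate over constructed CloudTrail records and applies the CI/CD source-IP suppression described in the tuning notes. The CloudTrail-to-UDM field mapping, the sample IPs, ARNs and function names are assumptions made for the example.

```python
import json

# Event names the rule's `product_event_type in (...)` clause matches.
RULE_EVENT_NAMES = {
    "LeaveOrganization", "CreateAccount", "SendCommand",
    "CreateFunction20150331", "UpdateFunctionCode20150331v2",
}
# Constructed: egress IP of the CI/CD runner that the tuning notes say legitimate deploys come from.
KNOWN_CICD_IPS = frozenset({"203.0.113.10"})

# Constructed CloudTrail records (one JSON object per line), not real telemetry.
SAMPLE_CLOUDTRAIL = [json.loads(line) for line in """
{"eventName":"CreateFunction20150331","eventSource":"lambda.amazonaws.com","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"requestParameters":{"functionName":"metrics-sync","role":"arn:aws:iam::111122223333:role/AdminRole"}}
{"eventName":"UpdateFunctionCode20150331v2","eventSource":"lambda.amazonaws.com","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:role/cicd-deployer"},"requestParameters":{"functionName":"orders-api"}}
{"eventName":"GetFunction20150331v2","eventSource":"lambda.amazonaws.com","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"requestParameters":{"functionName":"metrics-sync"}}
""".strip().splitlines()]

def to_udm(record: dict) -> dict:
    """Map the CloudTrail fields the rule reads onto the UDM paths it references.
    Assumed mapping for this example; Chronicle's CloudTrail parser defines the real one."""
    params = record.get("requestParameters") or {}
    return {
        "metadata.event_type": "RESOURCE_CREATION",  # assumed for these write API calls
        "metadata.vendor_name": "AMAZON",
        "metadata.product_event_type": record.get("eventName", ""),
        "principal.user.userid": record.get("userIdentity", {}).get("arn", ""),
        "principal.ip": record.get("sourceIPAddress", ""),
        "target.resource.name": params.get("functionName", ""),
    }

def matches_rule(udm: dict) -> bool:
    """The same predicate as the rule's events section."""
    return (udm["metadata.event_type"] == "RESOURCE_CREATION"
            and udm["metadata.vendor_name"] == "AMAZON"
            and udm["metadata.product_event_type"] in RULE_EVENT_NAMES)

def run_detection(records: list, allowlisted_ips=KNOWN_CICD_IPS) -> list:
    """One alert per matching event; events from known CI/CD source IPs are suppressed."""
    alerts = []
    for rec in records:
        udm = to_udm(rec)
        if matches_rule(udm) and udm["principal.ip"] not in allowlisted_ips:
            alerts.append({"actor": udm["principal.user.userid"],
                           "source_ip": udm["principal.ip"],
                           "resource": udm["target.resource.name"],
                           "event": udm["metadata.product_event_type"]})
    return alerts
```

Run against the three constructed records, only the contractor's CreateFunction20150331 call alerts: the CI/CD code update is suppressed by the allowlist and the read-only GetFunction call never matches the rule.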
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious AWS Lambda Function via CLI

     Expected signal: AWS CloudTrail: EventName=CreateFunction20150331, EventSource=lambda.amazonaws.com with requestParameters.functionName set to the test function name and requestParameters.role containing the execution role ARN. Appears in the AWSCloudTrail Sentinel table within 5-15 minutes of ingestion.

  2. Test 2: Attach EventBridge Scheduled Rule to Lambda Function (Persistence)

     Expected signal: AWS CloudTrail: EventName=PutRule and EventName=PutTargets from EventSource=events.amazonaws.com. The PutTargets event's requestParameters.targets will contain the Lambda function ARN. Visible in the AWSCloudTrail table in Sentinel.

  3. Test 3: Create Email-Forwarding Power Automate Flow via Graph API (M365)

     Expected signal: CloudAppEvents table in Microsoft Sentinel: Application='Microsoft Power Automate', ActionType='CreateFlow', AccountUpn identifying the test user, with RawEventData.flowName matching the created flow display name.
