Detect Serverless Execution in Elastic Security
This detection identifies adversary abuse of serverless computing platforms — including AWS Lambda, Azure Functions, and Microsoft Power Automate — to execute arbitrary code or automate malicious workflows within cloud environments. Adversaries create or modify serverless functions to run cryptomining payloads, establish persistent backdoors triggered by cloud events, escalate privileges by attaching overprivileged IAM roles (via IAM:PassRole or iam.serviceAccounts.actAs), and exfiltrate data through automated workflows. Key indicators include unexpected serverless function creation by identities with no prior deployment history, attachment of administrative IAM roles to functions, event source mappings that enable persistent trigger-based execution, and Power Automate flows containing email forwarding or external HTTP connector actions. Real-world examples include the Denonia cryptominer (first Lambda-specific malware), Pacu framework Lambda deployment, and adversary-created Power Automate flows forwarding executive email to external addresses.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1648 Serverless Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1648/
Elastic Detection Query
any where event.dataset == "aws.cloudtrail" and (
  event.action in (
    "CreateFunction20150331", "UpdateFunctionCode20150331v2",
    "LeaveOrganization", "CreateAccount", "SendCommand"
  ) and event.outcome == "success"
) and not aws.cloudtrail.user_identity.type == "AWSService"
Elastic EQL detection for Serverless Execution (T1648). Identifies serverless execution activity by matching successful AWS CloudTrail management events for the listed actions, excluding calls made by AWS service principals (user_identity.type of AWSService).
Data Sources
Required Tables
False Positives & Tuning
- Legitimate DevOps CI/CD pipelines (GitHub Actions, Jenkins, AWS CodePipeline) using service accounts to regularly deploy Lambda or Azure Function updates as part of normal SDLC workflows
- Infrastructure-as-code tooling (Terraform, AWS CDK, Pulumi, Bicep) creating or updating serverless resources during planned deployments — these typically originate from known CI/CD source IPs with consistent timing patterns
- IT or business teams creating Power Automate flows for approved process automation such as SharePoint approval workflows, Teams notifications, or internal HR onboarding processes
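The EQL rule above re-expressed in Python over ECS-normalized CloudTrail documents, with the CI/CD tuning exception from this section applied as an auditable suppression rather than a blind exclusion. This is an added example, not Elastic's rule code or part of this page: the field paths follow the Elastic AWS CloudTrail integration (aws.cloudtrail.user_identity.arn is assumed to be populated), and the allowlisted deployer ARN and every sample document are constructed for illustration.

```python
# Added example (not Elastic's code): the page's EQL rule re-expressed in Python
# over ECS-normalized CloudTrail documents, plus a tuning allowlist for approved
# CI/CD deployers. Field paths follow the Elastic AWS CloudTrail integration;
# the allowlist ARN and all sample documents are constructed.
from typing import Iterable

# event.action values taken from the rule on this page
WATCHED_ACTIONS = {
    "CreateFunction20150331", "UpdateFunctionCode20150331v2",
    "LeaveOrganization", "CreateAccount", "SendCommand",
}

# Hypothetical tuning allowlist: principals that deploy Lambda through an
# approved pipeline. Not part of the rule; populated per environment.
KNOWN_DEPLOYER_ARNS = {
    "arn:aws:sts::111122223333:assumed-role/github-actions-deploy/GitHubActions",
}


def field(doc: dict, path: str):
    """Resolve a dotted ECS field path against a nested document; None if absent."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def rule_matches(doc: dict) -> bool:
    """Same predicate as the EQL rule: dataset, action set, success, not an AWS service."""
    identity_type = field(doc, "aws.cloudtrail.user_identity.type")
    return (
        field(doc, "event.dataset") == "aws.cloudtrail"
        and field(doc, "event.action") in WATCHED_ACTIONS
        and field(doc, "event.outcome") == "success"
        # require the field so a document missing identity type is not silently alerted
        and identity_type is not None
        and identity_type != "AWSService"
    )


def triage(docs: Iterable[dict]) -> list:
    """Run the rule, then mark (rather than drop) hits from allowlisted deployers
    so the suppression stays visible to the analyst."""
    results = []
    for doc in docs:
        if not rule_matches(doc):
            continue
        arn = field(doc, "aws.cloudtrail.user_identity.arn")
        verdict = "suppressed-known-deployer" if arn in KNOWN_DEPLOYER_ARNS else "alert"
        results.append({"id": doc["_id"], "action": field(doc, "event.action"),
                        "arn": arn, "verdict": verdict})
    return results


def _doc(_id, action, outcome, id_type, arn):
    """Build a minimal ECS-shaped CloudTrail document (constructed sample data)."""
    return {
        "_id": _id,
        "event": {"dataset": "aws.cloudtrail", "action": action, "outcome": outcome},
        "aws": {"cloudtrail": {"user_identity": {"type": id_type, "arn": arn}}},
    }


SAMPLE_DOCS = [
    # IAM user with no deployment history creates a function: should alert
    _doc("e1", "CreateFunction20150331", "success", "IAMUser",
         "arn:aws:iam::111122223333:user/finance-analyst"),
    # approved pipeline role pushes new code: rule fires, tuning suppresses
    _doc("e2", "UpdateFunctionCode20150331v2", "success", "AssumedRole",
         "arn:aws:sts::111122223333:assumed-role/github-actions-deploy/GitHubActions"),
    # AWS service principal: excluded by the rule itself
    _doc("e3", "CreateFunction20150331", "success", "AWSService", None),
    # failed call: event.outcome is not success
    _doc("e4", "CreateFunction20150331", "failure", "IAMUser",
         "arn:aws:iam::111122223333:user/finance-analyst"),
    # unrelated read-only action: not in the watched set
    _doc("e5", "ListFunctions20150331", "success", "IAMUser",
         "arn:aws:iam::111122223333:user/finance-analyst"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_DOCS):
        print(hit)
```

Keeping suppressed hits in the output (with a verdict) rather than filtering them out of the query is the design choice worth copying into the rule exception: a compromised pipeline credential still produces a record you can hunt over, and the allowlist can be reviewed against what it actually suppressed.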
Other platforms for T1648
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Malicious AWS Lambda Function via CLI
Expected signal: AWS CloudTrail: EventName=CreateFunction20150331, EventSource=lambda.amazonaws.com with requestParameters.functionName set to the test function name and requestParameters.role containing the execution role ARN. Appears in AWSCloudTrail Sentinel table within 5-15 minutes of ingestion.
- Test 2: Attach EventBridge Scheduled Rule to Lambda Function (Persistence)
Expected signal: AWS CloudTrail: EventName=PutRule and EventName=PutTargets from EventSource=events.amazonaws.com. The PutTargets event requestParameters.targets will contain the Lambda function ARN. Visible in AWSCloudTrail table in Sentinel.
- Test 3: Create Email-Forwarding Power Automate Flow via Graph API (M365)
Expected signal: CloudAppEvents table in Microsoft Sentinel: Application='Microsoft Power Automate', ActionType='CreateFlow', AccountUpn identifying the test user, with RawEventData.flowName matching the created flow display name.
References (10)
- https://attack.mitre.org/techniques/T1648/
- https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
- https://github.com/RhinoSecurityLabs/pacu
- https://www.varonis.com/blog/power-automate-data-exfiltration
- https://www.microsoft.com/en-us/security/blog/2020/03/09/real-life-cybercrime-stories-dart-microsoft-detection-and-response-team/
- https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-services/gcp-apps-script-abuse
- https://docs.aws.amazon.com/lambda/latest/dg/security-iam.html
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
Unlock Pro Content
Get the full detection package for T1648 including response playbook, investigation guide, and atomic red team tests.