Detect Serverless Execution in Splunk
This detection identifies adversary abuse of serverless computing platforms — including AWS Lambda, Azure Functions, and Microsoft Power Automate — to execute arbitrary code or automate malicious workflows within cloud environments. Adversaries create or modify serverless functions to run cryptomining payloads, establish persistent backdoors triggered by cloud events, escalate privileges by attaching overprivileged IAM roles (via IAM:PassRole or iam.serviceAccounts.actAs), and exfiltrate data through automated workflows. Key indicators include unexpected serverless function creation by identities with no prior deployment history, attachment of administrative IAM roles to functions, event source mappings that enable persistent trigger-based execution, and Power Automate flows containing email forwarding or external HTTP connector actions. Real-world examples include the Denonia cryptominer (first Lambda-specific malware), Pacu framework Lambda deployment, and adversary-created Power Automate flows forwarding executive email to external addresses.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1648 Serverless Execution
- Canonical reference: https://attack.mitre.org/techniques/T1648/
SPL Detection Query
(index=* sourcetype="aws:cloudtrail"
    eventSource="lambda.amazonaws.com"
    eventName IN ("CreateFunction20150331", "UpdateFunctionCode20150331v2",
                  "AddPermission20150331v2", "CreateEventSourceMapping",
                  "UpdateFunctionConfiguration20150331v2"))
OR (index=* sourcetype="azure:activity"
    (operationName="Create or Update Web App"
     OR operationName="Create or Update Site Functions")
    status="Succeeded")
OR (index=* sourcetype="o365:management:activity"
    Workload="MicrosoftFlow"
    Operation IN ("CreateFlow", "UpdateFlow", "EnableFlow", "ShareFlow"))
| eval platform=case(
    sourcetype=="aws:cloudtrail", "AWS Lambda",
    sourcetype=="azure:activity", "Azure Functions",
    sourcetype=="o365:management:activity", "Power Automate",
    1=1, "Unknown"
  )
| eval actor=coalesce('userIdentity.arn', 'userIdentity.userName', caller, UserId, "unknown")
| eval source_ip=coalesce(sourceIPAddress, callerIpAddress, ClientIP, "unknown")
| eval function_name=coalesce('requestParameters.functionName', resourceId, flowName, "unknown")
| eval function_role=coalesce('requestParameters.role', "N/A")
| eval action=coalesce(eventName, operationName, Operation, "unknown")
| eval risk_score=case(
    action=="AddPermission20150331v2", 80,
    action=="CreateEventSourceMapping", 75,
    action=="UpdateFunctionCode20150331v2", 70,
    match(function_role, "(?i)(admin|poweruser|fullaccess|administrator)"), 90,
    action=="ShareFlow", 75,
    action IN ("CreateFunction20150331", "CreateFlow"), 65,
    1=1, 50
  )
| table _time, platform, actor, source_ip, action, function_name, function_role, risk_score, awsRegion, recipientAccountId
| sort -risk_score, -_time

Searches AWS CloudTrail, Azure Activity, and Microsoft 365 management activity logs for serverless function lifecycle events including creation, code updates, permission grants, event source mappings, and Power Automate flow operations. Applies risk scoring based on operation type and role privilege level. Covers multi-cloud environments in a single query by normalizing fields across sourcetypes.
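The query's scope filter, field normalization and case()-ordered risk scoring can be prototyped outside Splunk to check how each sourcetype's fields map before the search is deployed. The following is an added Python example, not code from this page or from any vendor; the four sample events are constructed to look like CloudTrail, Azure Activity and Microsoft 365 records with the field names the SPL references, and the ARNs, addresses and account IDs in them are placeholders.

```python
"""Prototype of the SPL scope filter, normalisation and risk scoring,
run over constructed sample events (not real telemetry)."""
import re

# Scope of the three OR'd search clauses in the SPL.
LAMBDA_EVENTS = {"CreateFunction20150331", "UpdateFunctionCode20150331v2",
                 "AddPermission20150331v2", "CreateEventSourceMapping",
                 "UpdateFunctionConfiguration20150331v2"}
AZURE_OPS = {"Create or Update Web App", "Create or Update Site Functions"}
FLOW_OPS = {"CreateFlow", "UpdateFlow", "EnableFlow", "ShareFlow"}
# Same regex the SPL uses to flag over-privileged execution roles.
PRIV_ROLE = re.compile(r"(?i)(admin|poweruser|fullaccess|administrator)")
PLATFORM = {"aws:cloudtrail": "AWS Lambda", "azure:activity": "Azure Functions",
            "o365:management:activity": "Power Automate"}

def get(d, path, default=None):
    """Dotted-path lookup ('userIdentity.arn') over nested dicts, like a Splunk field name."""
    cur = d
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur

def coalesce(*values, default="unknown"):
    """First non-empty value, mirroring Splunk coalesce()."""
    for v in values:
        if v is not None and v != "":
            return v
    return default

def in_scope(ev):
    """True if the event would be returned by the base search."""
    st = ev.get("sourcetype")
    if st == "aws:cloudtrail":
        return ev.get("eventSource") == "lambda.amazonaws.com" and ev.get("eventName") in LAMBDA_EVENTS
    if st == "azure:activity":
        return ev.get("operationName") in AZURE_OPS and ev.get("status") == "Succeeded"
    if st == "o365:management:activity":
        return ev.get("Workload") == "MicrosoftFlow" and ev.get("Operation") in FLOW_OPS
    return False

def risk_score(action, function_role):
    """Same branch order as the SPL case(): the first match wins."""
    if action == "AddPermission20150331v2":
        return 80
    if action == "CreateEventSourceMapping":
        return 75
    if action == "UpdateFunctionCode20150331v2":
        return 70
    if PRIV_ROLE.search(function_role):
        return 90
    if action == "ShareFlow":
        return 75
    if action in ("CreateFunction20150331", "CreateFlow"):
        return 65
    return 50

def normalize(ev):
    """Apply the eval chain to one raw event and return the table row."""
    action = coalesce(ev.get("eventName"), ev.get("operationName"), ev.get("Operation"))
    role = coalesce(get(ev, "requestParameters.role"), default="N/A")
    return {
        "platform": PLATFORM.get(ev.get("sourcetype"), "Unknown"),
        "actor": coalesce(get(ev, "userIdentity.arn"), get(ev, "userIdentity.userName"),
                          ev.get("caller"), ev.get("UserId")),
        "source_ip": coalesce(ev.get("sourceIPAddress"), ev.get("callerIpAddress"), ev.get("ClientIP")),
        "function_name": coalesce(get(ev, "requestParameters.functionName"),
                                  ev.get("resourceId"), ev.get("flowName")),
        "function_role": role,
        "action": action,
        "risk_score": risk_score(action, role),
    }

def run_detection(events):
    """Filter, normalise and sort by descending risk, like the full SPL pipeline."""
    return sorted((normalize(e) for e in events if in_scope(e)), key=lambda r: -r["risk_score"])

SAMPLE_EVENTS = [  # constructed records; all identifiers are placeholders
    {"sourcetype": "aws:cloudtrail", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"functionName": "sync-helper",
                           "role": "arn:aws:iam::111122223333:role/AdministratorAccess-Lambda"}},
    {"sourcetype": "aws:cloudtrail", "eventSource": "lambda.amazonaws.com",
     "eventName": "AddPermission20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"functionName": "sync-helper"}},
    {"sourcetype": "aws:cloudtrail", "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"sourcetype": "azure:activity", "operationName": "Create or Update Site Functions",
     "status": "Succeeded", "caller": "dev@example.com", "callerIpAddress": "203.0.113.9",
     "resourceId": "/subscriptions/sub-placeholder/sites/billing-func"},
    {"sourcetype": "o365:management:activity", "Workload": "MicrosoftFlow", "Operation": "ShareFlow",
     "UserId": "ceo-assistant@example.com", "ClientIP": "192.0.2.44", "flowName": "Forward inbox"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it shows the CreateFunction with an administrator execution role ranked first at 90, the AddPermission at 80, the ShareFlow at 75 and the Azure function update at the default 50, with the S3 event dropped by the scope filter; the same ordering is what the Splunk table should produce for equivalent records.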
Data Sources
Required Sourcetypes
- aws:cloudtrail (Lambda API calls, eventSource="lambda.amazonaws.com")
- azure:activity (Azure Resource Manager operations on Function Apps)
- o365:management:activity (Power Automate, Workload="MicrosoftFlow")
False Positives & Tuning
- Automated CI/CD service accounts (AWS CodeBuild roles, Azure DevOps service principals) that regularly perform Lambda UpdateFunctionCode or Azure Function deployments as part of normal release pipelines
- AWS SAM CLI or Serverless Framework deployments that create multiple Lambda functions, IAM roles, and event source mappings simultaneously during a single stack deployment
- Power Automate flows created by IT-approved service accounts in the Default environment for standard enterprise automation tasks such as Teams channel notifications or SharePoint document routing
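The three tuning cases above reduce to two controls: an allowlist for known deployment identities, and collapsing a stack deployment's burst of lifecycle events into one aggregated alert so that a genuine deployment by an unexpected identity is still surfaced but not as dozens of separate rows. The following is an added Python example, not part of this page or any vendor's tooling; it operates on rows already normalized to the SPL's output fields, and the allowlist patterns, thresholds, ARNs and addresses are constructed placeholders to be replaced with your own.

```python
"""Tuning layer over normalised detection rows: allowlist CI/CD identities and
collapse deployment bursts. Constructed example; thresholds and patterns are placeholders."""
import re
from collections import defaultdict

# Known-good deployment identities (placeholder patterns; replace with your own).
ALLOWLIST = [
    re.compile(r"^arn:aws:sts::\d{12}:assumed-role/codebuild-[\w-]+/"),  # AWS CodeBuild service roles
    re.compile(r"^azdo-sp-[\w-]+@example\.com$"),                        # Azure DevOps service principals
    re.compile(r"^svc-flow-automation@example\.com$"),                   # approved Power Automate service account
]
BURST_WINDOW = 120    # seconds between consecutive events that still count as one deployment
BURST_MIN_EVENTS = 5  # at least this many lifecycle events from one actor looks like a stack deploy

def is_allowlisted(actor):
    return any(p.search(actor) for p in ALLOWLIST)

def summarize(actor, session):
    """One aggregated alert per session; keeps the highest risk seen so an admin role still stands out."""
    return {
        "actor": actor,
        "first_time": session[0]["_time"],
        "last_time": session[-1]["_time"],
        "count": len(session),
        "actions": sorted({r["action"] for r in session}),
        "max_risk": max(r["risk_score"] for r in session),
        "tag": "deployment_burst" if len(session) >= BURST_MIN_EVENTS else "single",
    }

def tune(rows):
    """Return (alerts, suppressed). rows: dicts with _time (epoch seconds), actor, action, risk_score."""
    alerts, suppressed = [], []
    by_actor = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["_time"]):
        by_actor[r["actor"]].append(r)
    for actor, evs in by_actor.items():
        if is_allowlisted(actor):
            suppressed.extend(evs)      # keep for audit, do not alert
            continue
        # Split this actor's events into sessions separated by gaps longer than BURST_WINDOW.
        session = [evs[0]]
        for r in evs[1:]:
            if r["_time"] - session[-1]["_time"] <= BURST_WINDOW:
                session.append(r)
            else:
                alerts.append(summarize(actor, session))
                session = [r]
        alerts.append(summarize(actor, session))
    return alerts, suppressed

T0 = 1_700_000_000  # constructed epoch base
SAMPLE_ROWS = [
    # CI/CD pipeline pushing code through a CodeBuild role: expected release noise
    *[{"_time": T0 + i * 10,
       "actor": "arn:aws:sts::111122223333:assumed-role/codebuild-release/AWSCodeBuild-1",
       "action": "UpdateFunctionCode20150331v2", "risk_score": 70} for i in range(3)],
    # One IAM user deploying a whole stack in under a minute, including an admin-role function
    *[{"_time": T0 + 500 + i * 8, "actor": "arn:aws:iam::111122223333:user/contractor",
       "action": a, "risk_score": s}
      for i, (a, s) in enumerate([("CreateFunction20150331", 90), ("CreateFunction20150331", 65),
                                  ("CreateEventSourceMapping", 75), ("AddPermission20150331v2", 80),
                                  ("CreateFunction20150331", 65), ("CreateEventSourceMapping", 75)])],
    # A single Power Automate ShareFlow by an ordinary user
    {"_time": T0 + 9000, "actor": "ceo-assistant@example.com", "action": "ShareFlow", "risk_score": 75},
]

if __name__ == "__main__":
    alerts, suppressed = tune(SAMPLE_ROWS)
    print(f"{len(suppressed)} rows suppressed by allowlist")
    for a in alerts:
        print(a)
```

The CodeBuild rows are suppressed, the contractor's six events become one deployment_burst alert that still carries max_risk 90 from the administrator role, and the ShareFlow remains a single alert. In Splunk the same shape is a lookup-based `where NOT match(actor, ...)` plus a `transaction actor maxpause=120s` or a `bin _time span=2m | stats` per actor, with the allowlist maintained as a lookup file rather than hard-coded.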
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Malicious AWS Lambda Function via CLI
Expected signal: AWS CloudTrail: EventName=CreateFunction20150331, EventSource=lambda.amazonaws.com with requestParameters.functionName set to the test function name and requestParameters.role containing the execution role ARN. Appears in AWSCloudTrail Sentinel table within 5-15 minutes of ingestion.
- Test 2: Attach EventBridge Scheduled Rule to Lambda Function (Persistence)
Expected signal: AWS CloudTrail: EventName=PutRule and EventName=PutTargets from EventSource=events.amazonaws.com. The PutTargets event requestParameters.targets will contain the Lambda function ARN. Visible in AWSCloudTrail table in Sentinel.
- Test 3: Create Email-Forwarding Power Automate Flow via Graph API (M365)
Expected signal: CloudAppEvents table in Microsoft Sentinel: Application='Microsoft Power Automate', ActionType='CreateFlow', AccountUpn identifying the test user, with RawEventData.flowName matching the created flow display name.
References (10)
- https://attack.mitre.org/techniques/T1648/
- https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
- https://github.com/RhinoSecurityLabs/pacu
- https://www.varonis.com/blog/power-automate-data-exfiltration
- https://www.microsoft.com/en-us/security/blog/2020/03/09/real-life-cybercrime-stories-dart-microsoft-detection-and-response-team/
- https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-services/gcp-apps-script-abuse
- https://docs.aws.amazon.com/lambda/latest/dg/security-iam.html
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html