T1648 Sumo Logic CSE · Sumo

Detect Serverless Execution in Sumo Logic CSE

This detection identifies adversary abuse of serverless computing platforms — including AWS Lambda, Azure Functions, and Microsoft Power Automate — to execute arbitrary code or automate malicious workflows within cloud environments. Adversaries create or modify serverless functions to run cryptomining payloads, establish persistent backdoors triggered by cloud events, escalate privileges by attaching overprivileged IAM roles (via IAM:PassRole or iam.serviceAccounts.actAs), and exfiltrate data through automated workflows. Key indicators include unexpected serverless function creation by identities with no prior deployment history, attachment of administrative IAM roles to functions, event source mappings that enable persistent trigger-based execution, and Power Automate flows containing email forwarding or external HTTP connector actions. Real-world examples include the Denonia cryptominer (first Lambda-specific malware), Pacu framework Lambda deployment, and adversary-created Power Automate flows forwarding executive email to external addresses.

MITRE ATT&CK

Tactic
Execution
Technique
T1648 Serverless Execution
Canonical reference
https://attack.mitre.org/techniques/T1648/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=aws/cloudtrail
| json auto
| where event_name in ("LeaveOrganization","CreateAccount","SendCommand","MoveAccount",
    "CreateFunction20150331","UpdateFunctionCode20150331v2","AddPermission20150331v2")
| where !(error_code matches /.+/)
| if(event_name = "LeaveOrganization", 100,
    if(event_name matches /(Delete|Remove)/i, 85,
    if(event_name = "CreateAccount", 70, 60))) as risk_score
| if(user_identity_type = "AssumedRole", "true", "false") as assumed_role
| where risk_score >= 60
| count by user_identity_arn, event_name, aws_region, source_ip_address, risk_score
| sort - risk_score

Severity: high. Confidence: medium.

Sumo Logic detection for Serverless Execution (T1648). Identifies adversary serverless execution behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.
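As an added example (not the page's query and not Sumo Logic code), the same scoring approach in Python over constructed CloudTrail records, extended with the two indicators the description calls out: a deployer with no prior deployment history and an administrative execution role. The Lambda event names, the admin-role name heuristic, the score weights and the sample identities are assumptions for the demo.

```python
import re

# Lambda control-plane event names as CloudTrail records them (assumption: the
# event-source-mapping call is included to cover the trigger-persistence indicator).
BASE_SCORE = {
    "CreateFunction20150331": 70,
    "UpdateFunctionCode20150331v2": 60,
    "AddPermission20150331v2": 60,
    "CreateEventSourceMapping20150331": 75,
}
ADMIN_ROLE = re.compile(r"(admin|poweruser|fullaccess)", re.I)  # heuristic, assumption

def score_events(records, known_deployers):
    """Return alerts sorted by descending risk for successful Lambda control-plane
    calls, raising risk for first-seen deployers and administrative execution roles."""
    alerts = []
    for rec in records:
        name = rec.get("eventName")
        if name not in BASE_SCORE or rec.get("errorCode"):
            continue  # out of scope, or the API call was denied/failed
        params = rec.get("requestParameters") or {}
        ident = rec.get("userIdentity") or {}
        risk, reasons = BASE_SCORE[name], []
        if ident.get("arn") not in known_deployers:
            risk += 20; reasons.append("no prior deployment history")
        if ADMIN_ROLE.search(params.get("role", "")):
            risk += 15; reasons.append("administrative role attached")
        if ident.get("type") == "AssumedRole":
            reasons.append("assumed role")
        alerts.append({"who": ident.get("arn"), "event": name, "risk": min(100, risk),
                       "function": params.get("functionName"), "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["risk"])

# Constructed sample CloudTrail records for the demo (not real telemetry).
ACCT = "arn:aws:iam::123456789012"
SAMPLE = [
    {"eventName": "CreateFunction20150331", "userIdentity": {"type": "IAMUser", "arn": f"{ACCT}:user/ci-deploy"},
     "requestParameters": {"functionName": "billing-sync", "role": f"{ACCT}:role/lambda-billing"}},
    {"eventName": "CreateFunction20150331", "userIdentity": {"type": "IAMUser", "arn": f"{ACCT}:user/jdoe"},
     "requestParameters": {"functionName": "tmp-worker", "role": f"{ACCT}:role/AdminAccess-lambda"}},
    {"eventName": "CreateEventSourceMapping20150331",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ops/session"},
     "requestParameters": {"functionName": "tmp-worker", "eventSourceArn": "arn:aws:sqs:us-east-1:123456789012:jobs"}},
    {"eventName": "UpdateFunctionCode20150331v2", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": f"{ACCT}:user/jdoe"}, "requestParameters": {"functionName": "billing-sync"}},
    {"eventName": "GetFunction20150331v2", "userIdentity": {"type": "IAMUser", "arn": f"{ACCT}:user/jdoe"}},
]
KNOWN_DEPLOYERS = {f"{ACCT}:user/ci-deploy"}  # baseline of identities that normally deploy

if __name__ == "__main__":
    for alert in score_events(SAMPLE, KNOWN_DEPLOYERS):
        print(alert)
```

The denied UpdateFunctionCode call and the read-only GetFunction call are dropped, mirroring the query's error_code filter and event_name allow-list.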

Data Sources

  • Sumo Logic Cloud SIEM
  • Windows Event Logs
  • Endpoint Telemetry

Required Tables

_sourceCategory=aws/cloudtrail

False Positives & Tuning

  • Legitimate DevOps CI/CD pipelines (GitHub Actions, Jenkins, AWS CodePipeline) using service accounts to regularly deploy Lambda or Azure Function updates as part of normal SDLC workflows
  • Infrastructure-as-code tooling (Terraform, AWS CDK, Pulumi, Bicep) creating or updating serverless resources during planned deployments — these typically originate from known CI/CD source IPs with consistent timing patterns
  • IT or business teams creating Power Automate flows for approved process automation such as SharePoint approval workflows, Teams notifications, or internal HR onboarding processes
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious AWS Lambda Function via CLI

    Expected signal: AWS CloudTrail: EventName=CreateFunction20150331, EventSource=lambda.amazonaws.com with requestParameters.functionName set to the test function name and requestParameters.role containing the execution role ARN. Appears in the AWSCloudTrail Sentinel table within 5-15 minutes of ingestion.

  2. Test 2: Attach EventBridge Scheduled Rule to Lambda Function (Persistence)

    Expected signal: AWS CloudTrail: EventName=PutRule and EventName=PutTargets from EventSource=events.amazonaws.com. The PutTargets event's requestParameters.targets will contain the Lambda function ARN. Visible in the AWSCloudTrail table in Sentinel.

  3. Test 3: Create Email-Forwarding Power Automate Flow via Graph API (M365)

    Expected signal: CloudAppEvents table in Microsoft Sentinel: Application='Microsoft Power Automate', ActionType='CreateFlow', AccountUpn identifying the test user, with RawEventData.flowName matching the created flow display name.
