title: Serverless (T1583.007)
id: df00tech-t1583-007
status: experimental
description: "Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, to use during operations. By routing command-and-control (C2) traffic through serverless platforms, adversaries blend malicious communications with legitimate cloud provider traffic. Traffic from infected endpoints appears to target known cloud provider domains (workers.dev, cloudfunctions.net, lambda-url.amazonaws.com), making it difficult to distinguish from ordinary SaaS or cloud API usage. The serverless runtime proxies requests on to adversary-owned infrastructure, and attribution is obscured because the only endpoint visible to the victim belongs to the cloud provider. Detection requires identifying beaconing behavior, non-browser processes connecting to serverless endpoints, and anomalous DNS query patterns to serverless platform domains."
references:
  - https://attack.mitre.org/techniques/T1583/007/
  - https://df00tech.com/detections/T1583.007
author: df00tech
date: 2026/04/13
tags:
  - attack.t1583.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Developer workstations running CI/CD scripts (Node.js, Python) that legitimately invoke AWS Lambda or Azure Functions APIs as part of build and test pipelines"
  - "IT automation tools using PowerShell or curl to call serverless-hosted webhook endpoints, monitoring heartbeats, or deployment triggers"
  - Security scanning and vulnerability assessment tools probing cloud service APIs
  - "Build agents and deployment pipeline runners (Jenkins agents, GitHub Actions self-hosted runners) making legitimate Lambda or Cloud Function calls"
  - Monitoring agents and observability tools calling serverless-hosted status pages or synthetic monitoring endpoints
  - RPA (Robotic Process Automation) tools that interact with web services hosted on serverless platforms
level: medium

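The detection section above is a placeholder, so the following is an added example (not df00tech's query and not part of the rule) showing the two host-side signals the description names: non-browser processes connecting to serverless platform domains, and beaconing to those domains. It runs over constructed Sysmon Event ID 3-style network-connection records embedded in the script; the hostnames, computer names and timestamps are invented, the suffix list is the one given in the description, the browser allowlist and the thresholds (MIN_CONNECTIONS, MAX_JITTER_RATIO) are assumptions to tune per environment, and the same suffix matching applies unchanged to DNS query logs.

```python
"""Added example: flag non-browser processes and periodic beaconing to
serverless platform domains in Sysmon-style network_connection events.
All records below are constructed for the demonstration, not real telemetry."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Platform suffixes taken from the rule description; extend for your environment.
SERVERLESS_SUFFIXES = ("workers.dev", "cloudfunctions.net", "lambda-url.amazonaws.com")

# Assumed allowlist: processes expected to reach these platforms from end-user hosts.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

MIN_CONNECTIONS = 5      # assumed: minimum samples before judging periodicity
MAX_JITTER_RATIO = 0.2   # assumed: stdev/mean of inter-arrival gaps at or below this is "periodic"


def is_serverless_host(hostname: str) -> bool:
    """True if hostname is a listed platform domain or a subdomain of one (case-insensitive)."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SERVERLESS_SUFFIXES)


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX image path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def non_browser_serverless_connections(events):
    """Events where a process outside the browser allowlist reached a serverless domain."""
    return [e for e in events
            if is_serverless_host(e["DestinationHostname"])
            and image_name(e["Image"]) not in BROWSER_IMAGES]


def beaconing_pairs(events, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Group serverless connections by (host, process, destination) and flag groups
    whose inter-arrival times are regular enough to look like a beacon interval."""
    groups = defaultdict(list)
    for e in events:
        if is_serverless_host(e["DestinationHostname"]):
            key = (e["Computer"], image_name(e["Image"]), e["DestinationHostname"].lower())
            groups[key].append(datetime.fromisoformat(e["UtcTime"]))
    findings = {}
    for key, times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings[key] = {"count": len(times),
                             "mean_interval_s": round(avg, 1),
                             "jitter_ratio": round(jitter, 3)}
    return findings


def constructed_events():
    """Constructed sample: one PowerShell beacon, ordinary browser use, one CI runner."""
    def ev(computer, image, host, when):
        return {"Computer": computer, "Image": image,
                "DestinationHostname": host, "UtcTime": when}
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    node = r"C:\Program Files\nodejs\node.exe"
    events = [ev("WS01", ps, "update-check.example.workers.dev", "2026-04-13T" + t)
              for t in ("10:00:00", "10:01:01", "10:01:59", "10:03:02", "10:03:58", "10:05:00")]
    events += [ev("WS02", chrome, "app.example.workers.dev", "2026-04-13T" + t)
               for t in ("09:12:05", "09:40:51", "11:03:17")]
    events += [ev("BUILD01", node, "deploy-hook.example.lambda-url.amazonaws.com", "2026-04-13T" + t)
               for t in ("14:22:10", "16:05:44")]
    events.append(ev("WS01", ps, "www.example.com", "2026-04-13T10:02:30"))  # not serverless
    return events


if __name__ == "__main__":
    evs = constructed_events()
    for e in non_browser_serverless_connections(evs):
        print("non-browser ->", e["Computer"], image_name(e["Image"]), e["DestinationHostname"])
    for key, info in beaconing_pairs(evs).items():
        print("beaconing   ->", key, info)
```

The CI runner on BUILD01 appears in the non-browser list (matching the developer and build-agent false positives listed above) but not in the beaconing output, because two irregular connections do not meet the sample or jitter thresholds; in practice the non-browser signal is best scoped to user workstations while the beaconing signal can run fleet-wide.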