title: Serverless (T1584.007)
id: df00tech-t1584-007
status: experimental
description: "Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, to proxy command-and-control (C2) communications between implants on victim systems and adversary-controlled backend servers. Because traffic destined for compromised serverless functions originates from subdomains of trusted cloud providers (e.g., *.workers.dev, *.execute-api.amazonaws.com, script.google.com), network-layer defenses relying on domain or IP reputation are largely ineffective. Detection pivots to behavioral analysis of victim-side telemetry: identifying processes on endpoints communicating with serverless platforms in patterns consistent with C2 beaconing (periodic connections, low-variance timing, small symmetric payloads), correlating process context with destination domains, and monitoring cloud audit logs for unauthorized modifications to serverless functions within environments the defender controls."
references:
  - https://attack.mitre.org/techniques/T1584/007/
  - https://df00tech.com/detections/T1584.007
author: df00tech
date: 2026/04/13
tags:
  - attack.t1584.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate SaaS applications with serverless backends making regular telemetry or heartbeat calls (e.g., Datadog agents, monitoring tools with serverless collectors)"
  - "Developer workstations running applications that actively use serverless functions for legitimate business logic (API calls, webhook endpoints)"
  - "Browser-based applications using Cloudflare Workers or Vercel edge functions for content delivery, API proxying, or authentication flows"
  - "IT automation tools and deployment pipelines (GitHub Actions, CI/CD runners) communicating with serverless orchestration backends"
  - "Security tools and EDR agents that may communicate with cloud-hosted processing functions for telemetry or rule updates"
level: high
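As an added example that is not part of the df00tech rule, the following Python script applies the beaconing heuristic the description calls for (periodic, low-variance connections to serverless platform domains, tied back to the originating process) over constructed Sysmon Event ID 3-style records; the domain list, thresholds and sample events are assumptions, not values from the rule.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Serverless platform hostnames from the description; leading-dot entries match any subdomain.
SERVERLESS_SUFFIXES = (".workers.dev", ".execute-api.amazonaws.com", "script.google.com")

# Constructed Sysmon Event ID 3-style records: (UtcTime, Image, DestinationHostname).
SAMPLE_EVENTS = [
    ("2026-04-13 09:00:00", r"C:\Users\alice\AppData\Local\Temp\updater.exe", "abc123.workers.dev"),
    ("2026-04-13 09:01:00", r"C:\Users\alice\AppData\Local\Temp\updater.exe", "abc123.workers.dev"),
    ("2026-04-13 09:02:01", r"C:\Users\alice\AppData\Local\Temp\updater.exe", "abc123.workers.dev"),
    ("2026-04-13 09:02:59", r"C:\Users\alice\AppData\Local\Temp\updater.exe", "abc123.workers.dev"),
    ("2026-04-13 09:04:00", r"C:\Users\alice\AppData\Local\Temp\updater.exe", "abc123.workers.dev"),
    ("2026-04-13 09:00:10", r"C:\Program Files\Mozilla Firefox\firefox.exe", "cdn.example.workers.dev"),
    ("2026-04-13 09:00:12", r"C:\Program Files\Mozilla Firefox\firefox.exe", "cdn.example.workers.dev"),
    ("2026-04-13 09:07:40", r"C:\Program Files\Mozilla Firefox\firefox.exe", "cdn.example.workers.dev"),
    ("2026-04-13 09:07:41", r"C:\Program Files\Mozilla Firefox\firefox.exe", "cdn.example.workers.dev"),
    ("2026-04-13 09:03:00", r"C:\Windows\System32\svchost.exe", "ctldl.windowsupdate.com"),
]


def is_serverless(host):
    """Exact match for bare hostnames, suffix match for leading-dot (wildcard) entries."""
    h = host.lower().rstrip(".")
    return any(h.endswith(s) if s.startswith(".") else h == s for s in SERVERLESS_SUFFIXES)


def beacon_candidates(events, min_conns=4, max_cv=0.1):
    """Group serverless-bound connections by (process, host) and flag series whose
    inter-arrival times are low-variance: coefficient of variation <= max_cv."""
    series = defaultdict(list)
    for ts, image, host in events:
        if is_serverless(host):
            series[(image, host)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    findings = []
    for (image, host), times in series.items():
        if len(times) < min_conns:  # too few connections to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"image": image, "host": host, "count": len(times),
                             "interval_s": round(mean, 1), "jitter_cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(SAMPLE_EVENTS):
        print(f"beacon-like: {f['image']} -> {f['host']} every {f['interval_s']}s (cv={f['jitter_cv']})")
```

The browser's bursty, irregular connections to a Workers-hosted CDN fall through the variance filter, which is the same distinction the false-positive list above relies on.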
