title: Serverless Execution (T1648)
id: df00tech-t1648
status: experimental
description: "This detection identifies adversary abuse of serverless computing platforms, including AWS Lambda, Azure Functions, and Microsoft Power Automate, to execute arbitrary code or automate malicious workflows within cloud environments. Adversaries create or modify serverless functions to run cryptomining payloads, establish persistent backdoors triggered by cloud events, escalate privileges by attaching overprivileged IAM roles (via iam:PassRole or iam.serviceAccounts.actAs), and exfiltrate data through automated workflows. Key indicators include unexpected serverless function creation by identities with no prior deployment history, attachment of administrative IAM roles to functions, event source mappings that enable persistent trigger-based execution, and Power Automate flows containing email forwarding or external HTTP connector actions. Real-world examples include the Denonia cryptominer (the first Lambda-specific malware), Lambda deployment by the Pacu framework, and adversary-created Power Automate flows forwarding executive email to external addresses."
references:
  - https://attack.mitre.org/techniques/T1648/
  - https://df00tech.com/detections/T1648
author: df00tech
date: 2026/03/20
tags:
  - attack.t1648
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate DevOps CI/CD pipelines (GitHub Actions, Jenkins, AWS CodePipeline) using service accounts to regularly deploy Lambda or Azure Function updates as part of normal SDLC workflows"
  - "Infrastructure-as-code tooling (Terraform, AWS CDK, Pulumi, Bicep) creating or updating serverless resources during planned deployments — these typically originate from known CI/CD source IPs with consistent timing patterns"
  - "IT or business teams creating Power Automate flows for approved process automation such as SharePoint approval workflows, Teams notifications, or internal HR onboarding processes"
level: high
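The rule body above is a placeholder, so the following Python is an added example of how three of the indicators named in the description (first-time serverless deployment by an identity, an administrative execution role attached to a function, and creation of an event source mapping) can be evaluated over CloudTrail-style records. It is not df00tech's KQL/SPL query and not tied to the `azure` logsource; it uses the AWS side because the description names the AWS API actions. All records, ARNs and the account id are constructed, `ADMIN_ROLES` is assumed to be a defender-maintained list, and because Lambda calls appear in CloudTrail with an API-version suffix (for example `CreateFunction20150331`) the matcher works on event-name prefixes rather than exact names.

```python
"""Heuristic detection of suspicious serverless activity (AWS Lambda) over
CloudTrail-style records.  Added example for this rule, not df00tech's query;
every record below is constructed, including the account id and ARNs."""
from datetime import datetime
from typing import Dict, List, Set

# Lambda API calls appear in CloudTrail with an API-version suffix
# (e.g. "CreateFunction20150331"), so matching is done on the prefix.
DEPLOY_PREFIXES = ("CreateFunction", "UpdateFunctionCode",
                   "UpdateFunctionConfiguration")
TRIGGER_PREFIX = "CreateEventSourceMapping"

# Assumption: the defender curates the set of role ARNs that count as
# administrative in this account (constructed ARN).
ADMIN_ROLES = {"arn:aws:iam::123456789012:role/OrgAdminRole"}

# Constructed sample records (minimal CloudTrail field layout).
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-01T10:00:00Z",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/github-actions"},
     "requestParameters": {"functionName": "billing-api"}},
    {"eventTime": "2026-03-18T09:00:00Z",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/github-actions"},
     "requestParameters": {"functionName": "billing-report",
                           "role": "arn:aws:iam::123456789012:role/billing-report-exec"}},
    {"eventTime": "2026-03-19T02:13:00Z",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jdoe"},
     "requestParameters": {"functionName": "sync-helper",
                           "role": "arn:aws:iam::123456789012:role/OrgAdminRole"}},
    {"eventTime": "2026-03-19T02:15:00Z",
     "eventName": "CreateEventSourceMapping20150331",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jdoe"},
     "requestParameters": {"functionName": "sync-helper",
                           "eventSourceArn": "arn:aws:sqs:us-east-1:123456789012:inbox"}},
    {"eventTime": "2026-03-19T03:00:00Z",
     "eventName": "GetFunction20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jdoe"},
     "requestParameters": {"functionName": "sync-helper"}},
]
# Start of the alert window for the sample; everything earlier is history.
SAMPLE_CUTOFF = datetime(2026, 3, 15)


def _ts(record: Dict) -> datetime:
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _is_deploy(record: Dict) -> bool:
    return record["eventName"].startswith(DEPLOY_PREFIXES)


def build_baseline(events: List[Dict], cutoff: datetime) -> Set[str]:
    """Identities that deployed or changed a function before the cutoff.
    In production this lookback would be much longer than the alert window."""
    return {e["userIdentity"]["arn"] for e in events
            if _is_deploy(e) and _ts(e) < cutoff}


def detect(events: List[Dict], cutoff: datetime,
           admin_roles: Set[str] = ADMIN_ROLES) -> List[Dict]:
    """Return findings for events at or after the cutoff, applying three of
    the indicators from the rule description."""
    baseline = build_baseline(events, cutoff)
    seen = set(baseline)  # grows so an identity is flagged once per window
    findings = []
    for e in sorted(events, key=_ts):
        if _ts(e) < cutoff:
            continue
        who = e["userIdentity"]["arn"]
        params = e.get("requestParameters") or {}
        fn = params.get("functionName")
        if _is_deploy(e):
            # Indicator 1: first serverless deployment by this identity.
            if who not in seen:
                findings.append({"rule": "first_time_deployer", "severity": "high",
                                 "identity": who, "function": fn})
                seen.add(who)
            # Indicator 2: function configured with an administrative execution
            # role (the caller needed iam:PassRole for this call to succeed).
            if params.get("role") in admin_roles:
                findings.append({"rule": "admin_role_attached", "severity": "critical",
                                 "identity": who, "function": fn,
                                 "role": params["role"]})
        elif e["eventName"].startswith(TRIGGER_PREFIX):
            # Indicator 3: an event source mapping gives the function a persistent
            # trigger; weight it higher when the creator had no deploy history.
            findings.append({"rule": "event_trigger_created",
                             "severity": "high" if who not in baseline else "medium",
                             "identity": who, "function": fn,
                             "source": params.get("eventSourceArn")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, SAMPLE_CUTOFF):
        print(finding)
```

On the sample the CI identity's deployment on 2026-03-18 produces nothing because it has history before the cutoff and passes a non-administrative role, while the `jdoe` user produces three findings: a first-time deployment, an administrative role attached to that function, and an event source mapping created two minutes later. The same structure maps onto the false positives listed above: CI/CD and infrastructure-as-code identities land in the baseline and stay quiet, and the administrative-role check is the one that fires regardless of deployment history.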
