T1648 Serverless Execution

Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.

Adversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. Resource Hijacking).(Citation: Cado Security Denonia) Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the IAM:PassRole permission in AWS or the iam.serviceAccounts.actAs permission in Google Cloud to add Additional Cloud Roles to a serverless cloud function, which may then be able to perform actions the original user cannot.(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Rhino Security Labs GCP Privilege Escalation)

Serverless functions can also be invoked in response to cloud events (i.e. Event Triggered Execution), potentially enabling persistent execution over time. For example, in AWS environments, an adversary may create a Lambda function that automatically adds Additional Cloud Credentials to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.(Citation: Backdooring an AWS account) This is also possible in many cloud-based office application suites. For example, in Microsoft 365 environments, an adversary may create a Power Automate workflow that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace environments, they may instead create an Apps Script that exfiltrates a user's data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation: OWN-CERT Google App Script 2024)
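As an added example (not part of the ATT&CK text or the mappings), the following Python correlates CloudTrail records to surface the Lambda plus CloudWatch Events persistence chain described above. The event names and field layout follow CloudTrail; the account number, role, rule and function names are constructed.

```python
import json

# Constructed CloudTrail-style records (not real logs) for the chain above: a Lambda
# function created with a privileged role, a CloudWatch Events rule on IAM CreateUser
# wired to that function, then the function's role minting credentials for the user.
ACCT = "111122223333"
FN_ARN = f"arn:aws:lambda:us-east-1:{ACCT}:function:audit-helper"
SAMPLE_EVENTS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "requestParameters": {"functionName": "audit-helper",
                           "role": f"arn:aws:iam::{ACCT}:role/AdminRole"},
     "responseElements": {"functionArn": FN_ARN}},
    {"eventSource": "events.amazonaws.com", "eventName": "PutRule",
     "requestParameters": {"name": "on-new-user", "eventPattern": json.dumps(
         {"source": ["aws.iam"], "detail": {"eventName": ["CreateUser"]}})}},
    {"eventSource": "events.amazonaws.com", "eventName": "PutTargets",
     "requestParameters": {"rule": "on-new-user", "targets": [{"id": "1", "arn": FN_ARN}]}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/AdminRole/audit-helper"},
     "requestParameters": {"userName": "new-hire"}},
]

# IAM writes that add credentials or privileges to an existing principal
IAM_WRITES = {"CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
              "PutUserPolicy", "AddUserToGroup", "UpdateAssumeRolePolicy"}

def detect_serverless_persistence(events):
    functions, iam_rules, findings = {}, set(), []   # fn ARN -> role; IAM-triggered rules
    for ev in events:
        src, name = ev.get("eventSource"), ev.get("eventName")
        params = ev.get("requestParameters") or {}
        if src == "lambda.amazonaws.com" and name == "CreateFunction20150331":
            functions[ev["responseElements"]["functionArn"]] = params.get("role")
        elif src == "events.amazonaws.com" and name == "PutRule":
            pattern = json.loads(params.get("eventPattern") or "{}")
            if "aws.iam" in pattern.get("source", []):
                iam_rules.add(params["name"])
        elif src == "events.amazonaws.com" and name == "PutTargets":
            for target in params.get("targets", []):
                if params.get("rule") in iam_rules and target["arn"] in functions:
                    findings.append(f"IAM-triggered rule {params['rule']} invokes "
                                    f"{target['arn']} (role {functions[target['arn']]})")
        elif src == "iam.amazonaws.com" and name in IAM_WRITES:
            # Lambda assumes its execution role using the function name as session name
            caller = (ev.get("userIdentity") or {}).get("arn", "")
            session = caller.rsplit("/", 1)[-1] if ":assumed-role/" in caller else ""
            if session and any(a.endswith(":function:" + session) for a in functions):
                findings.append(f"{name} on {params.get('userName')} performed by "
                                f"function {session} via {caller}")
    return findings
```

Run over a real CloudTrail export, the two findings pair the rule that fires on user creation with the function it invokes, and the later IAM write with the function whose execution role performed it.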


CRI Profile Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1648 | Serverless Execution | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
| PR.AA-01.01 | Identity and credential management | Mitigates | T1648 | Serverless Execution | This diagnostic statement protects against Serverless Execution through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |

NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1648 | Serverless Execution | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1648 | Serverless Execution | |
| CM-07 | Least Functionality | mitigates | T1648 | Serverless Execution | |
| SI-04 | System Monitoring | mitigates | T1648 | Serverless Execution | |
| AC-02 | Account Management | mitigates | T1648 | Serverless Execution | |
| AC-03 | Access Enforcement | mitigates | T1648 | Serverless Execution | |
| AC-06 | Least Privilege | mitigates | T1648 | Serverless Execution | |
| SC-07 | Boundary Protection | mitigates | T1648 | Serverless Execution | |

Azure Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1648 | Serverless Execution | This capability can protect against abuse of Azure Functions. |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1648 | Serverless Execution | |
| identity_and_access_management | Identity and Access Management | technique_scores | T1648 | Serverless Execution | GCP Identity and Access Management allows admins to set permissions based on accounts and account types. |

AWS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_identity_and_access_management | AWS Identity and Access Management | technique_scores | T1648 | Serverless Execution | AWS Identity and Access Management policy condition keys can be used to allow or deny malicious serverless execution behavior based on variables such as aws:SourceIp and aws:username. |