Common Information

| Type | Value |
|---|---|
| Value | Serverless Execution - T1648 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. Adversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. [Resource Hijacking](https://attack.mitre.org/techniques/T1496)).(Citation: Cado Security Denonia) Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the `iam:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission in Google Cloud to add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to a serverless cloud function, which may then be able to perform actions the original user cannot.(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Rhino Security Labs GCP Privilege Escalation) Serverless functions can also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://attack.mitre.org/techniques/T1546)), potentially enabling persistent execution over time. For example, in AWS environments, an adversary may create a Lambda function that automatically adds [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user and a corresponding CloudWatch Events (now EventBridge) rule that invokes that function whenever a new user is created.(Citation: Backdooring an AWS account) Similarly, an adversary may create a Power Automate workflow in Office 365 environments that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001) |
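The AWS chain in the description (a function given a privileged execution role via `iam:PassRole`, an event rule keyed on user creation, and the function then minting credentials) leaves a recognisable trail in CloudTrail. The following is an added detection example, not part of this cluster entry or of MITRE's content: it correlates `CreateFunction`, `PutRule`, `PutTargets` and credential-granting IAM calls over a small set of constructed CloudTrail-shaped records. The account ID, role, function and rule names are made up for illustration; the field layout follows CloudTrail's, and the session-name heuristic relies on Lambda naming the STS session after the function.

```python
import json

# Constructed sample records (not real logs), trimmed to the CloudTrail fields used below.
ACCT = "123456789012"  # hypothetical account id
SAMPLE_EVENTS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/dev-bob"},
     "requestParameters": {"functionName": "backdoor-handler",
                           "role": f"arn:aws:iam::{ACCT}:role/AdminRole"}},
    {"eventSource": "events.amazonaws.com", "eventName": "PutRule",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/dev-bob"},
     "requestParameters": {"name": "on-new-user", "eventPattern": json.dumps({
         "source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"],
         "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]}})}},
    {"eventSource": "events.amazonaws.com", "eventName": "PutTargets",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/dev-bob"},
     "requestParameters": {"rule": "on-new-user", "targets": [
         {"id": "1", "arn": f"arn:aws:lambda:us-east-1:{ACCT}:function:backdoor-handler"}]}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCT}:assumed-role/AdminRole/backdoor-handler",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role", "arn": f"arn:aws:iam::{ACCT}:role/AdminRole"}}},
     "requestParameters": {"userName": "new-hire"}},
    # Benign noise: a deploy pipeline creating a function and a cron-scheduled rule.
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/DeployRole/ci"},
     "requestParameters": {"functionName": "nightly-report",
                           "role": f"arn:aws:iam::{ACCT}:role/ReportRole"}},
    {"eventSource": "events.amazonaws.com", "eventName": "PutRule",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/DeployRole/ci"},
     "requestParameters": {"name": "nightly", "scheduleExpression": "cron(0 2 * * ? *)"}},
]

# IAM write calls that hand a principal new or broader credentials (T1098.001).
CREDENTIAL_APIS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
                   "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}


def _pattern_watches_iam(event_pattern):
    """True if an EventBridge event pattern would fire on IAM control-plane calls."""
    try:
        pat = json.loads(event_pattern or "{}")
    except json.JSONDecodeError:
        return False
    detail = pat.get("detail", {})
    return "aws.iam" in pat.get("source", []) or "iam.amazonaws.com" in detail.get("eventSource", [])


def detect_t1648(events):
    """Return a list of findings; events must be in time order for the correlation to work."""
    findings = []
    function_roles = {}  # execution role ARN -> set of function names it was passed to
    iam_rules = set()    # EventBridge rule names that fire on IAM activity
    for e in events:
        src, name = e.get("eventSource"), e.get("eventName", "")
        params = e.get("requestParameters") or {}
        who = e.get("userIdentity") or {}

        # 1. Remember which execution role each function received (the iam:PassRole path).
        if src == "lambda.amazonaws.com" and name.startswith(("CreateFunction", "UpdateFunctionConfiguration")):
            role, fn = params.get("role"), params.get("functionName")
            if role and fn:
                function_roles.setdefault(role, set()).add(fn)

        # 2. A rule keyed on IAM events is the trigger half of the CreateUser -> backdoor pattern.
        elif src == "events.amazonaws.com" and name == "PutRule":
            if _pattern_watches_iam(params.get("eventPattern")):
                iam_rules.add(params.get("name"))
                findings.append({"rule": "eventbridge_rule_on_iam_activity",
                                 "name": params.get("name"), "actor": who.get("arn")})

        # 3. Pointing that rule at a Lambda function completes the persistence setup.
        elif src == "events.amazonaws.com" and name == "PutTargets":
            if params.get("rule") in iam_rules:
                for t in params.get("targets", []):
                    if t.get("arn", "").startswith("arn:aws:lambda:"):
                        findings.append({"rule": "lambda_target_on_iam_rule", "name": params["rule"],
                                         "target": t["arn"], "actor": who.get("arn")})

        # 4. A credential-granting IAM call from a Lambda execution-role session. Lambda names
        #    the STS session after the function, so the last ARN segment should be a function
        #    that this role was passed to earlier in the stream.
        elif src == "iam.amazonaws.com" and name in CREDENTIAL_APIS:
            issuer = (who.get("sessionContext") or {}).get("sessionIssuer", {}).get("arn")
            session = who.get("arn", "").rsplit("/", 1)[-1]
            if issuer in function_roles and session in function_roles[issuer]:
                findings.append({"rule": "credential_api_from_lambda_role", "api": name,
                                 "function": session, "role": issuer,
                                 "target_user": params.get("userName")})
    return findings


if __name__ == "__main__":
    for f in detect_t1648(SAMPLE_EVENTS):
        print(json.dumps(f))
```

Run against the sample stream, the three malicious records each produce a finding while the deploy-pipeline records produce none. In production the stream would come from CloudTrail Lake or a SIEM rather than an inline list, and the `function_roles` map should be seeded from an inventory of existing functions so that a function created before the log window still correlates.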
| Details | Type | Published | Attributes | CTI | Title |
|---|---|---|---|---|---|
| Details | Website | 2024-11-16 | 27 | | KQL KC7 — AzureCrest : Section 4 & 5 |
| Details | Website | 2023-11-17 | 46 | | Scattered Spider: Leveraging Social Engineering for Extortion - CISA Alert AA23-320A |
| Details | Website | 2023-09-29 | 0 | | Privacy-preserving measurement and machine learning |
| Details | Website | 2023-09-27 | 7 | | What AI companies are building with Cloudflare |
| Details | Website | 2023-07-11 | 39 | | It’s Raining Phish and Scams – How Cloudflare Pages.dev and Workers.dev Domains Get Abused |
| Details | Website | 2023-02-28 | 16 | | Aligning Falco’s Cloudtrail Rules with MITRE ATT&CK – Sysdig |
| Details | Website | 2022-12-14 | 0 | | Cloudflare achieves FedRAMP authorization to secure more of the public sector |
| Details | Website | 2021-03-17 | 1 | | Logz.io Infrastructure Monitoring: Getting Started with Prometheus Metrics |