
DET0374 Detection Strategy for Serverless Execution (T1648)

ID: DET0374
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1648 (Serverless Execution)

Analytics

IaaS

AN1053

Correlate creation or modification of serverless functions (e.g., AWS Lambda, GCP Cloud Functions, Azure Functions) with anomalous IAM role assignments or privilege-escalation events. Then detect subsequent executions of the newly created or modified functions that perform unexpected actions, such as opening outbound network connections, accessing sensitive resources, or creating additional credentials.

Log Sources
Data Component | Name | Channel
Cloud Service Modification (DC0069) | AWS:CloudTrail | CreateFunction / UpdateFunctionConfiguration: function creation, role assignment, or configuration change events (management events, logged by default)
Application Log Content (DC0038) | AWS:CloudTrail | Invoke: unexpected or repeated invocation of functions not tied to known workflows (a Lambda data event; the trail must be configured to log Lambda data events, as management-event logging alone does not capture invocations)
Mutable Elements
Field | Description
RoleScope | Which IAM roles or privileges are considered sensitive when applied to functions
AllowedFunctions | Known baseline list of approved serverless functions, used to reduce false positives
TimeWindow | Temporal threshold for correlating function creation with anomalous execution

Office Suite

AN1054

Monitor for creation of new Power Automate flows or equivalent automation scripts that trigger on user or file events. Detect anomalous actions performed by these automations, such as email forwarding, anonymous link creation, or unexpected API calls to external endpoints.

Log Sources
Data Component | Name | Channel
Cloud Service Modification (DC0069) | m365:unified | AddFlow / UpdateFlow: new automation or workflow creation events
Application Log Content (DC0038) | m365:exchange | New-InboxRule: inbox rules created by, or alongside, the automation that forward or redirect mail externally or generate external links
Mutable Elements
Field | Description
UserContext | Business units or users where automation creation is expected (developers, admins)
FlowActions | Specific automation actions (email forwarding, file sharing) that should be considered suspicious
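The AN1054 logic as runnable detection code. This is an added example, not part of the ATT&CK page or any Microsoft tooling. The Exchange records follow the unified audit log's New-InboxRule shape (Operation, UserId, a Parameters list of Name/Value pairs); the Power Automate records use the page's AddFlow / UpdateFlow operation names, but the FlowName and Actions fields, the user and domain lists, the action names and the two-hour window are assumptions made for the example, and all records are constructed.

```python
import re
from datetime import datetime, timedelta

# Mutable elements from the page as configuration (values are assumptions).
USER_CONTEXT = {"dev1@example.com", "admin@example.com"}   # users expected to create flows
FLOW_ACTIONS = {"ForwardEmail", "CreateAnonymousLink"}      # flow actions treated as suspicious
INTERNAL_DOMAINS = {"example.com"}                          # anything else counts as external
TIME_WINDOW = timedelta(hours=2)                            # flow creation -> inbox rule window
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
EMAIL = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def _when(rec):
    # Unified audit log CreationTime is an ISO-8601 UTC timestamp without an offset.
    return datetime.fromisoformat(rec["CreationTime"])

def suspicious_flow(rec):
    """AddFlow/UpdateFlow outside UserContext or carrying an action listed in FlowActions.
    FlowName and Actions are hypothetical fields, not the real audit schema."""
    if rec.get("Operation") not in ("AddFlow", "UpdateFlow"):
        return None
    user = rec["UserId"].lower()
    bad_actions = FLOW_ACTIONS.intersection(rec.get("Actions", []))
    reasons = []
    if user not in USER_CONTEXT:
        reasons.append("creator outside UserContext")
    if bad_actions:
        reasons.append("actions " + ",".join(sorted(bad_actions)))
    if not reasons:
        return None
    return {"when": _when(rec), "user": user, "flow": rec.get("FlowName", "?"), "why": "; ".join(reasons)}

def external_forwarding_rule(rec):
    """New-InboxRule whose ForwardTo/ForwardAsAttachmentTo/RedirectTo targets leave the internal domains."""
    if rec.get("Operation") != "New-InboxRule":
        return None
    targets = []
    for p in rec.get("Parameters", []):
        if p.get("Name") in FORWARDING_PARAMS:
            targets += EMAIL.findall(str(p.get("Value", "")))
    external = [t for t in targets if t.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]
    if not external:
        return None
    return {"when": _when(rec), "user": rec["UserId"].lower(), "to": external}

def detect(records, window=TIME_WINDOW):
    """Flows are 'high' when the same user adds an external forwarding rule inside the window,
    'medium' on their own; an external forwarding rule with no flow is reported as 'medium'."""
    recs = sorted(records, key=_when)
    flows = [f for f in map(suspicious_flow, recs) if f]
    rules = [r for r in map(external_forwarding_rule, recs) if r]
    findings, linked = [], set()
    for f in flows:
        hits = [i for i, r in enumerate(rules)
                if r["user"] == f["user"] and timedelta(0) <= r["when"] - f["when"] <= window]
        linked.update(hits)
        findings.append({"user": f["user"], "flow": f["flow"], "why": f["why"],
                         "severity": "high" if hits else "medium",
                         "forwards_to": [t for i in hits for t in rules[i]["to"]]})
    for i, r in enumerate(rules):
        if i not in linked:
            findings.append({"user": r["user"], "flow": None, "why": "external forwarding rule",
                             "severity": "medium", "forwards_to": r["to"]})
    return findings

# Constructed sample records in unified-audit-log style (not real logs).
RECORDS = [
    {"CreationTime": "2025-10-21T09:00:00", "Operation": "AddFlow", "UserId": "mallory@example.com",
     "Workload": "PowerAutomate", "FlowName": "mailbox-sync", "Actions": ["ForwardEmail"]},
    {"CreationTime": "2025-10-21T09:20:00", "Operation": "New-InboxRule", "UserId": "mallory@example.com",
     "Workload": "Exchange", "Parameters": [{"Name": "Name", "Value": "sync"},
                                            {"Name": "ForwardTo", "Value": "drop@attacker.example"}]},
    {"CreationTime": "2025-10-21T10:00:00", "Operation": "AddFlow", "UserId": "dev1@example.com",
     "Workload": "PowerAutomate", "FlowName": "ticket-notify", "Actions": ["SendEmail"]},
    {"CreationTime": "2025-10-21T10:30:00", "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Workload": "Exchange", "Parameters": [{"Name": "ForwardTo", "Value": "assistant@example.com"}]},
    {"CreationTime": "2025-10-21T11:00:00", "Operation": "New-InboxRule", "UserId": "carol@example.com",
     "Workload": "Exchange", "Parameters": [{"Name": "RedirectTo", "Value": "carol.home@mail.example"}]},
]
```

Running `detect(RECORDS)` yields a high-severity finding for mallory (flow by a user outside UserContext carrying a ForwardEmail action, followed 20 minutes later by a rule forwarding to an external domain) and a medium one for carol's stand-alone external redirect; dev1's flow and bob's internal forward produce nothing. The domain check is the piece to tune first: mail forwarded to a partner domain should be added to INTERNAL_DOMAINS rather than suppressed after the fact.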

SaaS

AN1055

Track creation or update of SaaS automation scripts (e.g., Google Workspace Apps Script). Detect when these scripts are bound to user events such as file opens or account modifications, and correlate with subsequent abnormal API calls that exfiltrate or modify user data.

Log Sources
Data Component | Name | Channel
Cloud Service Modification (DC0069) | saas:appsscript | Create / Update: deployment of scripts with event-driven triggers
Application Log Content (DC0038) | saas:googledrive | FileOpen / FileAccess: event-driven script triggering on user file actions
Mutable Elements
Field | Description
ScriptScope | Which SaaS apps or APIs can be legitimately automated in the environment
TriggerTypes | Event-driven triggers (e.g., on file open, on user creation) considered suspicious
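AN1053 and AN1055 share one shape: a creation or modification event that carries a sensitive attribute (an IAM role in RoleScope, or a trigger type in TriggerTypes), followed within TimeWindow by an execution of the same resource. The added example below, which is not part of the ATT&CK page or of any vendor tooling, normalizes both sources into one event form and runs a single correlation over them. The CloudTrail records use CloudTrail's real field names (eventTime, eventSource, eventName, userIdentity.arn, requestParameters.functionName and .role, and the Invoke data event), while the Apps Script and Drive records use a constructed shape, since the page does not specify one; the role fragments, function and script names, trigger names, the one-hour window and all sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Mutable elements from the page as configuration (values are assumptions).
ROLE_SCOPE = ("AdministratorAccess", "PowerUserAccess")   # AN1053 RoleScope: sensitive role ARN fragments
ALLOWED_FUNCTIONS = {"prod-image-resizer"}                # AN1053 AllowedFunctions baseline
TRIGGER_TYPES = {"onOpen", "onEdit", "onUserCreate"}      # AN1055 TriggerTypes treated as suspicious
TIME_WINDOW = timedelta(hours=1)                          # creation -> execution correlation window

@dataclass(frozen=True)
class Event:
    """Platform-neutral view of one log record."""
    when: datetime
    kind: str        # "create" (stage 1) or "execute" (stage 2)
    resource: str    # function or script name
    actor: str
    detail: str

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _lambda_name(value):
    # CreateFunction carries a bare name; Invoke data events carry the function ARN.
    return value.rsplit(":function:", 1)[-1].split(":")[0]

def normalize_cloudtrail(rec):
    """AN1053: Lambda management and data events in CloudTrail's real record shape."""
    if rec.get("eventSource") != "lambda.amazonaws.com":
        return None
    params = rec.get("requestParameters") or {}
    name = _lambda_name(params.get("functionName", ""))
    actor = rec.get("userIdentity", {}).get("arn", "?")
    if rec["eventName"] in ("CreateFunction", "UpdateFunctionConfiguration"):
        role = params.get("role", "")
        if name in ALLOWED_FUNCTIONS or not any(s in role for s in ROLE_SCOPE):
            return None
        return Event(_ts(rec["eventTime"]), "create", name, actor, "role=" + role)
    if rec["eventName"] == "Invoke":   # data event: present only if the trail logs Lambda data events
        return Event(_ts(rec["eventTime"]), "execute", name, actor, "Invoke")
    return None

def normalize_appsscript(rec):
    """AN1055: hypothetical Apps Script / Drive record shape (constructed, not a Google schema)."""
    if rec.get("service") == "appsscript" and rec.get("event") in ("Create", "Update"):
        if rec.get("trigger") not in TRIGGER_TYPES:
            return None
        return Event(_ts(rec["time"]), "create", rec["script"], rec["actor"], "trigger=" + rec["trigger"])
    if rec.get("service") == "googledrive" and rec.get("event") in ("FileOpen", "FileAccess"):
        return Event(_ts(rec["time"]), "execute", rec["script"], rec["actor"], rec["event"])
    return None

def correlate(events, window=TIME_WINDOW):
    """Pair every sensitive 'create' with later executions of the same resource inside window."""
    events = sorted(events, key=lambda e: e.when)
    alerts = []
    for i, c in enumerate(events):
        if c.kind != "create":
            continue
        hits = [e for e in events[i + 1:]
                if e.kind == "execute" and e.resource == c.resource and e.when - c.when <= window]
        if hits:
            alerts.append({"resource": c.resource, "created_by": c.actor, "why": c.detail,
                           "executions": len(hits), "first_exec": hits[0].when.isoformat()})
    return alerts

def run(cloudtrail_records, appsscript_records):
    events = [e for e in map(normalize_cloudtrail, cloudtrail_records) if e]
    events += [e for e in map(normalize_appsscript, appsscript_records) if e]
    return correlate(events)

def _ct(time, name, fn, actor, role=None):
    """Builds a constructed CloudTrail record (sample data only)."""
    params = {"functionName": fn, **({"role": role} if role else {})}
    return {"eventTime": time, "eventSource": "lambda.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": params}

ACCT = "arn:aws:iam::123456789012"
FN_ARN = "arn:aws:lambda:us-east-1:123456789012:function:"
CLOUDTRAIL = [   # constructed sample records
    _ct("2025-10-21T08:00:00Z", "UpdateFunctionConfiguration", "nightly-report", ACCT + ":user/ops", ACCT + ":role/ReadOnly"),
    _ct("2025-10-21T09:00:00Z", "CreateFunction", "helper-sync", ACCT + ":user/dev1", ACCT + ":role/AdministratorAccess"),
    _ct("2025-10-21T09:12:00Z", "Invoke", FN_ARN + "helper-sync", ACCT + ":user/dev1"),
    _ct("2025-10-21T09:30:00Z", "CreateFunction", "prod-image-resizer", ACCT + ":user/ci", ACCT + ":role/AdministratorAccess"),
    _ct("2025-10-21T09:35:00Z", "Invoke", FN_ARN + "prod-image-resizer", ACCT + ":user/ci"),
]
APPSSCRIPT = [   # constructed sample records in the hypothetical shape above
    {"time": "2025-10-21T10:00:00Z", "service": "appsscript", "event": "Create",
     "actor": "mallory@example.com", "script": "SheetHelper", "trigger": "onOpen"},
    {"time": "2025-10-21T10:05:00Z", "service": "googledrive", "event": "FileOpen",
     "actor": "alice@example.com", "script": "SheetHelper"},
    {"time": "2025-10-21T13:00:00Z", "service": "googledrive", "event": "FileAccess",
     "actor": "bob@example.com", "script": "SheetHelper"},
    {"time": "2025-10-21T10:10:00Z", "service": "appsscript", "event": "Create",
     "actor": "dev1@example.com", "script": "Backup", "trigger": "timeDriven"},
]
```

`run(CLOUDTRAIL, APPSSCRIPT)` raises two alerts: helper-sync (created with an AdministratorAccess role and invoked twelve minutes later) and SheetHelper (deployed with an onOpen trigger and fired by another user's file open five minutes later). The nightly-report change is ignored because ReadOnly is outside RoleScope, prod-image-resizer is on the AllowedFunctions baseline, the time-driven Backup script has no trigger in TriggerTypes, and the 13:00 FileAccess falls outside TimeWindow and so does not count toward the SheetHelper alert. Two operational caveats follow from the code: Lambda invocations never reach the correlator unless the trail logs Lambda data events, and matching Invoke records back to the creation event relies on reducing the function ARN to its bare name, so qualified ARNs with a version or alias suffix must be normalized the same way.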