T1583.007 Serverless
Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server.31 As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.23
| Item | Value |
|---|---|
| ID | T1583.007 |
| Sub-techniques | T1583.001, T1583.002, T1583.003, T1583.004, T1583.005, T1583.006, T1583.007, T1583.008 |
| Tactics | TA0042 |
| Platforms | PRE |
| Version | 1.0 |
| Created | 08 July 2022 |
| Last Modified | 20 October 2022 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0035 | Internet Scan | Response Content |
References
-
Adam Chester. (2020, February 25). AWS Lambda Redirector. Retrieved July 8, 2022. ↩
-
Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022. ↩
-
Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses Cloudflare Workers for C2 Communication. Retrieved July 8, 2022. ↩↩
-
ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. ↩