MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1648: Serverless Execution

Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.

Adversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. Resource Hijacking). Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the IAM:PassRole permission in AWS or the iam.serviceAccounts.actAs permission in Google Cloud to add Additional Cloud Roles to a serverless cloud function, which may then be able to perform actions the original user cannot.

Serverless functions can also be invoked in response to cloud events (i.e. Event Triggered Execution), potentially enabling persistent execution over time. For example, in AWS environments, an adversary may create a Lambda function that automatically adds Additional Cloud Credentials to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created. Similarly, an adversary may create a Power Automate workflow in Office 365 environments that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitors Exchange environments for unwanted emails sent by Power Automate or Power Apps via the Microsoft 365 Outlook connector. Such emails carry the phrase 'Microsoft Power Automate' or 'Microsoft Power Apps' in the SMTP header 'x-ms-mail-application'.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID: DS0025
Data source and component: Cloud Service: Cloud Service Modification
Description: Monitor the creation and modification of serverless resources such as functions and workflows.
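As an added example (not code from the MaxPatrol SIEM knowledge base or from Positive Technologies), the following Python applies this data source to the AWS persistence chain described in the technique text: it keeps every CloudTrail record that creates or modifies a Lambda function or EventBridge rule, then correlates, per principal, a CreateFunction followed by a PutRule whose pattern matches IAM CreateUser and a PutTargets pointing at that function. The field layout (eventTime, eventSource, eventName, userIdentity.arn, requestParameters, responseElements) follows CloudTrail; the records, account IDs, role and function names are constructed for the example, and the one-hour correlation window is an assumed threshold.

```python
# Added example, not part of the MaxPatrol SIEM knowledge base. Correlates
# CloudTrail-style records to surface the Lambda + EventBridge persistence chain
# (function created -> rule on IAM CreateUser -> rule targets the function).
# All records below are constructed; the account, names and roles are not real.
import json
from collections import defaultdict
from datetime import datetime, timedelta

SERVERLESS_SOURCES = {"lambda.amazonaws.com", "events.amazonaws.com"}
# Lambda API names in CloudTrail carry a version suffix (e.g. CreateFunction20150331),
# so match on prefixes. Read-only calls such as GetFunction* are deliberately excluded.
MODIFYING_PREFIXES = ("CreateFunction", "UpdateFunctionCode", "UpdateFunctionConfiguration",
                      "AddPermission", "PutRule", "PutTargets")

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def serverless_changes(records):
    """DS0025 baseline: every event that creates or modifies a function or event rule."""
    return [r for r in records
            if r["eventSource"] in SERVERLESS_SOURCES and r["eventName"].startswith(MODIFYING_PREFIXES)]

def watches_iam_user_creation(pattern):
    """True if an EventBridge pattern fires on IAM CreateUser delivered via CloudTrail."""
    detail = pattern.get("detail", {})
    iam_source = ("aws.iam" in pattern.get("source", [])
                  or "iam.amazonaws.com" in detail.get("eventSource", []))
    return iam_source and "CreateUser" in detail.get("eventName", [])

def detect_event_triggered_persistence(records, window=timedelta(hours=1)):
    """Per principal: CreateFunction -> PutRule on CreateUser -> PutTargets at that function, within window."""
    by_actor = defaultdict(list)
    for r in serverless_changes(records):
        by_actor[r["userIdentity"]["arn"]].append(r)
    findings = []
    for actor, events in by_actor.items():
        events.sort(key=lambda r: parse_time(r["eventTime"]))
        functions = {}  # functionArn -> (created_at, execution role passed via iam:PassRole)
        rules = {}      # rule name -> (created_at, parsed event pattern)
        for r in events:
            t, name, params = parse_time(r["eventTime"]), r["eventName"], r["requestParameters"]
            if name.startswith("CreateFunction"):
                functions[r["responseElements"]["functionArn"]] = (t, params.get("role"))
            elif name == "PutRule":
                # Schedule-based rules carry no eventPattern; treat that as an empty pattern.
                rules[params["name"]] = (t, json.loads(params.get("eventPattern") or "{}"))
            elif name == "PutTargets":
                rule = rules.get(params["rule"])
                if rule is None or not watches_iam_user_creation(rule[1]):
                    continue
                for target in params.get("targets", []):
                    fn = functions.get(target.get("arn"))
                    if fn is not None and t - fn[0] <= window:
                        findings.append({"actor": actor, "function_arn": target["arn"], "role": fn[1],
                                         "rule": params["rule"], "completed_at": r["eventTime"]})
    return findings

def _rec(time, source, name, actor, params, response=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": params,
            "responseElements": response or {}}

ATTACKER = "arn:aws:iam::111122223333:user/contractor"   # constructed
DEVELOPER = "arn:aws:iam::111122223333:user/dev"         # constructed
HOOK_FN = "arn:aws:lambda:us-east-1:111122223333:function:user-hook"
CREATE_USER_PATTERN = {"source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"],
                       "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]}}

SAMPLE_RECORDS = [  # constructed for the example
    _rec("2024-05-01T09:00:00Z", "lambda.amazonaws.com", "CreateFunction20150331", DEVELOPER,
         {"functionName": "image-resizer", "role": "arn:aws:iam::111122223333:role/resizer"},
         {"functionArn": "arn:aws:lambda:us-east-1:111122223333:function:image-resizer"}),
    _rec("2024-05-01T10:00:00Z", "lambda.amazonaws.com", "CreateFunction20150331", ATTACKER,
         {"functionName": "user-hook", "role": "arn:aws:iam::111122223333:role/admin-role"},
         {"functionArn": HOOK_FN}),
    _rec("2024-05-01T10:01:00Z", "lambda.amazonaws.com", "GetFunction20150331v2", ATTACKER,
         {"functionName": "user-hook"}),
    _rec("2024-05-01T10:02:00Z", "events.amazonaws.com", "PutRule", ATTACKER,
         {"name": "on-new-user", "eventPattern": json.dumps(CREATE_USER_PATTERN)}),
    _rec("2024-05-01T10:03:00Z", "events.amazonaws.com", "PutTargets", ATTACKER,
         {"rule": "on-new-user", "targets": [{"id": "1", "arn": HOOK_FN}]}),
]

if __name__ == "__main__":
    for finding in detect_event_triggered_persistence(SAMPLE_RECORDS):
        print(finding)
```

The baseline list (serverless_changes) is what a SIEM would ingest for DS0025; the correlation on top of it is where the technique becomes visible, because each step on its own (a new function, a new rule, a new target) is routine in most accounts. The role recorded with the function is the one the caller had to pass with iam:PassRole, so a finding also tells the analyst which privileges the persistent function runs with.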

ID: DS0015
Data source and component: Application Log: Application Log Content
Description: Monitor logs generated by serverless execution for unusual activity. For example, in Exchange environments emails sent by Power Automate via the Outlook 365 connector include the phrase 'Power App' or 'Power Automate' in the SMTP header 'x-ms-mail-application'.
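As an added example (not code from the MaxPatrol SIEM knowledge base or from Positive Technologies), the following Python applies the header check described in this data source and in the knowledge-base rule above to raw messages: it reads the x-ms-mail-application header, matches the Power Automate / Power Apps phrases case-insensitively after unfolding the header, and reports which recipients are outside the tenant. The sample messages, the tenant domain list and the "Some Other Client" header value are constructed for the example.

```python
# Added example, not part of the MaxPatrol SIEM knowledge base. Flags messages
# whose x-ms-mail-application header names Power Automate or Power Apps and lists
# recipients outside the tenant. All messages and domains below are constructed.
from email import message_from_string
from email.utils import getaddresses
from typing import Optional

# Phrases this page says appear in the header; matched case-insensitively because
# header values are free text and the connector's exact casing is not guaranteed.
POWER_PLATFORM_MARKERS = ("power automate", "power app")
HEADER = "x-ms-mail-application"

def mail_application(raw_message: str) -> Optional[str]:
    """Return the unfolded x-ms-mail-application header value, or None if absent."""
    value = message_from_string(raw_message).get(HEADER)   # header lookup is case-insensitive
    return None if value is None else " ".join(str(value).split())

def sent_by_power_platform(raw_message: str) -> bool:
    """True when the header names Power Automate or Power Apps."""
    app = mail_application(raw_message)
    return app is not None and any(m in app.lower() for m in POWER_PLATFORM_MARKERS)

def recipients(raw_message: str) -> list:
    """Lower-cased addresses from To and Cc."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]

def flag_messages(raw_messages, internal_domains):
    """One finding per Power Platform message, with recipients outside internal_domains."""
    findings = []
    for raw in raw_messages:
        if not sent_by_power_platform(raw):
            continue
        msg = message_from_string(raw)
        external = [a for a in recipients(raw) if a.rsplit("@", 1)[-1] not in internal_domains]
        findings.append({"from": msg.get("From"), "subject": msg.get("Subject"),
                         "application": mail_application(raw), "external_recipients": external})
    return findings

INTERNAL_DOMAINS = {"example.test"}  # assumed tenant domains (constructed)
SAMPLE_MESSAGES = [  # constructed for the example
    # A flow forwarding a user's mail out of the tenant.
    "From: alice@example.test\r\nTo: drop@attacker.test\r\nSubject: FW: Q3 board pack\r\n"
    "x-ms-mail-application: Microsoft Power Automate\r\n\r\nForwarded by flow.\r\n",
    # Folded header and different casing still match; recipient is internal.
    "From: noreply@example.test\r\nTo: Bob <bob@example.test>\r\nSubject: Approval needed\r\n"
    "X-MS-Mail-Application: Microsoft\r\n Power Apps\r\n\r\nPlease approve.\r\n",
    # No header: ordinary user mail, even though it goes to a partner domain.
    "From: carol@example.test\r\nTo: dave@partner.test\r\nSubject: Lunch\r\n\r\nNoon?\r\n",
    # Header present but naming another client (value constructed).
    "From: erin@example.test\r\nTo: frank@example.test\r\nSubject: Minutes\r\n"
    "x-ms-mail-application: Some Other Client\r\n\r\nAttached.\r\n",
]

if __name__ == "__main__":
    for finding in flag_messages(SAMPLE_MESSAGES, INTERNAL_DOMAINS):
        print(finding)
```

The external-recipient list is what separates the first finding (an auto-forward to an outside mailbox, the case the technique text describes) from the second (an internal approval notification), so a rule built on this check can alert on the former and only log the latter.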

Mitigation

ID: M1018
Name: User Account Management
Description: Remove permissions to create, modify, or run serverless resources from users that do not explicitly require them.