| ID | Name |
|---|---|
| T1584.001 | Domains |
| T1584.002 | DNS Server |
| T1584.003 | Virtual Private Server |
| T1584.004 | Server |
| T1584.005 | Botnet |
| T1584.006 | Web Services |
| T1584.007 | Serverless |
Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
攻撃者は、Cloudflare WorkersやAWS Lambda関数など、攻撃中に使用することができるサーバーレスクラウドインフラを侵害する可能性があります。攻撃者は、サーバーレスインフラを利用することで、作戦中に使用されたインフラで攻撃者を特定することを困難にすることができます。
Once compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an
adversary-owned command and control server.[1][2] As traffic
generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these
providers.[3][1]
一旦侵害されると、サーバレス実行環境は、感染したマシンに直接応答するか、攻撃者の所有するコマンド&コントロールサーバにトラフィックをプロキシするために利用することができます[1][2]。これらの機能によって生成されたトラフィックは、一般的なクラウド事業者のサブドメインから来るように見え、これらの事業者への通常のトラフィックと見分けることが困難な場合があります[3][1]。
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0035 | Internet Scan | Response Content |
Once adversaries leverage serverless functions as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.[4] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle. |