Serverless Execution

Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.


Adversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. Resource Hijacking).[1] Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the IAM:PassRole permission in AWS or the iam.serviceAccounts.actAs permission in Google Cloud to add Additional Cloud Roles to a serverless cloud function, which may then be able to perform actions the original user cannot.[2][3]

攻撃者は、任意のコマンドを実行する手段として、これらのリソースを様々な方法で悪用することがあります。例えば、攻撃者はサーバーレス機能を利用して、クリプトマイニングマルウェアなどの悪意のあるコードを実行する(=Resource Hijacking)可能性があります[1]。また、攻撃者はクラウド環境をさらに侵害できるような機能を作成することもあります。例えば、攻撃者は AWS の IAM:PassRole 権限や Google Cloud の iam.serviceAccounts.actAs 権限を使って、サーバーレスクラウド機能に Cloud Role を追加し、本来のユーザーにはできない操作を実行できるようにすることが可能です。

Serverless functions can also be invoked in response to cloud events (i.e. Event Triggered Execution), potentially enabling persistent execution over time. For example, in AWS environments, an adversary may create a Lambda function that automatically adds Additional Cloud Credentials to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.[4] Similarly, an adversary may create a Power Automate workflow in Office 365 environments that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.[5][6]

サーバーレス関数は、クラウドイベントに応答して呼び出すこともできるため(i.e. Event Triggered Execution)、長期間にわたる持続的な実行が可能になる可能性があります。例えば、AWS環境では、攻撃者は、Cloud Credentialsをユーザーに自動的に追加するLambda関数と、新しいユーザーが作成されるたびにその関数を呼び出す対応するCloudWatchイベントルールを作成できます[4]。同様に、Office 365環境では、ユーザーが受け取るすべてのメールを転送するPower Automateワークフローや、SharePointのドキュメントへのアクセスがユーザーに付与されると匿名の共有リンクを作成するアクションを攻撃者が作成することがあります[5][6]。(メール転送の話は[7])

ID: T1648
Sub-techniques:  No sub-techniques
Tactic: Execution
Platforms: IaaS, Office 365, SaaS
Contributors: Alex Soler, AttackIQ; Cisco; Oleg Kolesnikov, Securonix; Praetorian; Shailesh Tiwary (Indian Army); Varonis Threat Labs
Version: 1.0
Created: 27 May 2022
Last Modified: 24 October 2022


ID Mitigation Description
M1018 User Account Management

Remove permissions to create, modify, or run serverless resources from users that do not explicitly require them.


ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor logs generated by serverless execution for unusual activity. For example, in Exchange environments emails sent by Power Automate via the Outlook 365 connector include the phrase ‘Power App’ or ‘Power Automate’ in the SMTP header 'x-ms-mail-application.'[7]

DS0025 Cloud Service Cloud Service Modification

Monitor the creation and modification of serverless resources such as functions and workflows.