MITRE ATT&CK® Detection Strategy

DET0374: Detection Strategy for Serverless Execution (T1648)

Enterprise · DET0374 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0374 is MITRE’s detection strategy object for identifying abuse of Serverless Execution (T1648). The business issue is that serverless, integration, and automation services can run code inside SaaS, IaaS, and Office Suite environments without looking like traditional host-based execution. Leaders should treat this as a cloud and identity monitoring question: do teams have enough visibility into who created, modified, triggered, and executed serverless or automation resources, and can they distinguish normal business automation from suspicious execution?

Executive priority

Prioritize this where the organization relies on cloud automation, SaaS workflows, office-suite automation, or IaaS serverless services for business operations. The decision value is resilience and accountability: serverless execution can bypass endpoint-centric assumptions, so audit evidence, incident response readiness, and cloud control validation should include execution events from managed cloud services—not just servers and laptops.

Technical view

The supplied ATT&CK object has no official detection text and no platforms of its own, but it detects T1648, which is an execution technique affecting SaaS, IaaS, and Office Suite environments. SOC and detection engineering teams should validate telemetry for serverless resource creation, code or configuration changes, trigger creation, invocation activity, identity context, and unusual automation behavior. IR teams should be prepared to scope execution through cloud control-plane and service logs rather than relying only on endpoint artifacts.

Likely telemetry

  • Cloud control-plane audit logs for serverless, integration, and automation services
  • Serverless function or workflow creation, update, permission, and invocation records
  • Identity and access management events showing principals that create, modify, or trigger serverless resources
  • SaaS and Office Suite audit logs for automation, scripting, workflow, or application-integration activity
  • Network, storage, and downstream service access logs tied to serverless identities or managed service roles

Detection direction

  • Validate that logging is enabled and retained for SaaS, IaaS, and Office Suite services that can execute automation or code.
  • Baseline normal serverless and automation activity by identity, resource, trigger, schedule, region or tenant scope, and downstream services accessed.
  • Look for unusual creation or modification of functions, workflows, triggers, permissions, or service identities, especially by identities that do not normally administer those resources.
  • Correlate execution events with identity events and configuration changes; serverless execution may not produce endpoint process telemetry.
  • Tune detections against known business automation and deployment pipelines to reduce false positives while preserving alerts for unexpected principals, destinations, schedules, or permission changes.
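The baselining and correlation steps above can be exercised against control-plane audit records directly. The following is an added illustration, not Glexia's or MITRE's code: it assumes events shaped like AWS CloudTrail records for the Lambda API (eventName, userIdentity.arn, requestParameters.functionName, eventTime), a constructed baseline of principals that normally administer functions, and a constructed sample log. It flags writes to function code, configuration, triggers or permissions by principals outside the baseline, invoke permissions opened to any principal, and invocations that follow such a change within a short window, which is the change-then-execute pattern that endpoint telemetry would never show.

```python
"""Flag serverless control-plane activity that deviates from a known baseline.

Added illustration, not Glexia's or MITRE's code. Assumes CloudTrail-like
records; the sample log and the baseline below are constructed for the demo.
"""
import json
from datetime import datetime, timedelta

# Control-plane actions that change what a function runs, what can trigger
# it, or who may invoke it (CloudTrail event names for the Lambda API).
WRITE_EVENTS = {
    "CreateFunction20150331",
    "UpdateFunctionCode20150331",
    "UpdateFunctionConfiguration20150331",
    "AddPermission20150331",
    "CreateEventSourceMapping",
}
INVOKE_EVENT = "Invoke"

# Constructed baseline: the only principal expected to administer functions.
BASELINE_ADMINS = {"arn:aws:iam::111122223333:role/ci-deploy"}

# Constructed sample log as JSON lines; not real telemetry.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "UpdateFunctionCode20150331",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
     "requestParameters": {"functionName": "invoice-export"}},
    {"eventTime": "2024-05-01T09:01:00Z", "eventName": "Invoke",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
     "requestParameters": {"functionName": "invoice-export"}},
    {"eventTime": "2024-05-01T13:12:00Z", "eventName": "CreateFunction20150331",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"functionName": "sync-helper"}},
    {"eventTime": "2024-05-01T13:13:30Z", "eventName": "AddPermission20150331",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"functionName": "sync-helper", "principal": "*"}},
    {"eventTime": "2024-05-01T13:15:00Z", "eventName": "Invoke",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"functionName": "sync-helper"}},
])


def parse_events(text):
    """Parse JSON lines into flat dicts, sorted by event time."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        params = rec.get("requestParameters", {}) or {}
        out.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": rec["eventName"],
            "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
            "function": params.get("functionName"),
            "params": params,
        })
    return sorted(out, key=lambda e: e["time"])


def detect(events, baseline_admins, window=timedelta(minutes=30)):
    """Return findings as dicts with rule, principal, function and event name."""
    findings = []
    # function name -> time of the most recent write by a non-baseline principal
    recent_unexpected = {}
    for e in events:
        if e["name"] in WRITE_EVENTS and e["principal"] not in baseline_admins:
            findings.append({"rule": "unexpected_principal_write", "principal": e["principal"],
                             "function": e["function"], "event": e["name"]})
            recent_unexpected[e["function"]] = e["time"]
        if e["name"] == "AddPermission20150331" and e["params"].get("principal") == "*":
            findings.append({"rule": "public_invoke_permission", "principal": e["principal"],
                             "function": e["function"], "event": e["name"]})
        if e["name"] == INVOKE_EVENT:
            last = recent_unexpected.get(e["function"])
            if last is not None and e["time"] - last <= window:
                findings.append({"rule": "execute_after_unexpected_change",
                                 "principal": e["principal"],
                                 "function": e["function"], "event": e["name"]})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG), BASELINE_ADMINS):
        print(f"{f['rule']:32} {f['function']:16} {f['event']:32} {f['principal']}")
```

The baseline set is the tuning knob from the last bullet: adding the deployment pipeline's role to it silences the routine code push and invoke, while the change-then-execute and wildcard-permission rules still fire for any principal. In production the baseline would be derived from a historical window of the same logs per account and region rather than hand-written.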

Mitigation priorities

  • Inventory serverless, integration, and automation services in SaaS, IaaS, and Office Suite environments.
  • Ensure audit logging and retention cover creation, modification, permission, trigger, and invocation events for those services.
  • Apply least-privilege access to identities that can create, update, or execute serverless resources and automation workflows.
  • Require change control or deployment governance for production automation and serverless resources.
  • Review service identities, roles, and permissions used by serverless resources for excessive downstream access.

Analyst notes and limits

This take is based on DET0374 and its relationship to T1648 Serverless Execution. The object is a detection strategy in enterprise ATT&CK release 19.1, but the supplied official description and detection fields are empty. The most useful operational context comes from the related technique: adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments.

MITRE supplied no official detection narrative, no tactics, and no platforms directly on DET0374. Platform and tactic context is inferred only from the stated relationship to T1648: execution across SaaS, IaaS, and Office Suite. Local service inventory, cloud provider logging, SaaS audit capabilities, and business automation patterns are required to determine actual coverage.

Official MITRE ATT&CK definition

Detection Strategy for Serverless Execution (T1648)

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                  Relationship / procedure
Enterprise  T1648  Serverless Execution  This object detects Serverless Execution.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5928847b38d124fd...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  5928847b38d1…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0374

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.