DET0864: Detection of Serverless
Analyst context for executives and security teams
DET0864 is a detection strategy entry for identifying adversary use of compromised serverless infrastructure tied to ATT&CK technique T1584.007, Serverless. For leaders, the practical issue is that serverless resources can be used during pre-compromise targeting and may obscure who controls the infrastructure behind suspicious activity. This makes cloud visibility, threat intelligence context, and incident triage discipline important before an intrusion is fully underway.
Executive priority
Treat this as a cloud and threat-intelligence readiness question: can the organization recognize when serverless infrastructure such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts is involved in targeting or suspicious communications, and can analysts preserve enough evidence that scoping and response decisions do not hinge on premature attribution? Because the ATT&CK object provides no official detection logic, priority should be on validating telemetry coverage, cloud governance, and IR playbooks rather than assuming an out-of-the-box analytic exists.
Technical view
This detection strategy covers T1584.007 Serverless, a Resource Development technique whose platform is listed as PRE. SOC and IR teams should validate whether they can observe serverless-related infrastructure indicators in network, DNS, proxy, cloud, and threat-intelligence workflows. Detection engineering should focus on correlating suspicious external communications or targeting infrastructure with known serverless service hostname patterns, while avoiding overbroad alerts because legitimate use of serverless services is common.
Likely telemetry
- DNS query and resolution logs involving serverless service domains or endpoints
- Web proxy, secure web gateway, or firewall logs showing connections to serverless-hosted resources
- Cloud audit logs for internally managed serverless services where applicable
- Threat intelligence enrichment for infrastructure indicators associated with serverless providers
- Incident response case evidence linking suspicious traffic, targeting activity, or proxy-like behavior to serverless-hosted infrastructure
Detection direction
- Confirm whether existing detections can retain and enrich indicators that resolve to or are hosted on serverless infrastructure.
- Tune carefully for business-approved serverless usage to reduce false positives; serverless provider presence alone is not suspicious.
- Correlate serverless infrastructure observations with targeting-stage context, suspicious communications, or other ATT&CK behaviors rather than alerting on provider names alone.
- Validate that analysts can distinguish internally authorized serverless deployments from externally controlled or compromised serverless resources.
- Document blind spots where network egress, DNS, or cloud audit logging is unavailable or not retained long enough for investigation.
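The correlation rule the list above describes (match serverless provider hostnames, suppress business-approved hosts, and alert only when a second independent signal is present), as an added worked example that is not part of the ATT&CK object or of Glexia's analysis. The provider hostname patterns, the approved-host inventory, the threat-intel set, the log field names, and the log lines themselves are all constructed assumptions for illustration; validate the patterns against current provider documentation before use.

```python
"""Correlate serverless-hosted destinations in proxy logs with additional signals.

Added example: illustrates the detection direction above. Every hostname,
pattern and log line here is constructed for the example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Assumed hostname patterns for public serverless platforms (illustrative,
# not an authoritative list).
SERVERLESS_PATTERNS = {
    "cloudflare_workers": re.compile(r"\.workers\.dev$"),
    "aws_lambda_url": re.compile(r"\.lambda-url\.[a-z0-9-]+\.on\.aws$"),
    "google_apps_script": re.compile(r"^script\.google(usercontent)?\.com$"),
}

# Assumed inventory of business-approved serverless hosts. Provider presence
# alone is not suspicious, so approved hosts are suppressed entirely.
APPROVED_HOSTS = {"reports-internal.workers.dev"}

# Assumed threat-intelligence enrichment: hosts a TI feed has flagged.
TI_HOSTS = {"update-check.workers.dev"}

# Constructed proxy log lines (JSON per line). Fields are assumptions.
SAMPLE_LOG = [
    '{"ts":"2024-05-01T10:00:00","src":"10.1.2.3","host":"update-check.workers.dev","method":"POST","ua":"python-requests/2.31"}',
    '{"ts":"2024-05-01T10:02:00","src":"10.1.2.9","host":"docs-portal.workers.dev","method":"GET","ua":"Mozilla/5.0"}',
    '{"ts":"2024-05-01T10:03:00","src":"10.1.2.4","host":"reports-internal.workers.dev","method":"POST","ua":"python-requests/2.31"}',
    '{"ts":"2024-05-01T10:05:00","src":"10.1.2.3","host":"update-check.workers.dev","method":"POST","ua":"python-requests/2.31"}',
    '{"ts":"2024-05-01T10:10:00","src":"10.1.2.3","host":"update-check.workers.dev","method":"POST","ua":"python-requests/2.31"}',
    '{"ts":"2024-05-01T10:15:00","src":"10.1.2.3","host":"update-check.workers.dev","method":"POST","ua":"python-requests/2.31"}',
]


def classify(host):
    """Return the provider label for a serverless hostname, or None."""
    for provider, pattern in SERVERLESS_PATTERNS.items():
        if pattern.search(host):
            return provider
    return None


def parse(lines):
    """Parse JSON log lines and convert the timestamp field."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def beacon_like(timestamps):
    """True when four or more requests arrive at regular, low-jitter intervals."""
    if len(timestamps) < 4:
        return False
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and pstdev(gaps) / mean < 0.2


def correlate(lines):
    """Group serverless-hosted destinations and require two independent signals."""
    by_host = defaultdict(list)
    for event in parse(lines):
        if classify(event["host"]) and event["host"] not in APPROVED_HOSTS:
            by_host[event["host"]].append(event)

    findings = []
    for host, events in by_host.items():
        signals = []
        if host in TI_HOSTS:
            signals.append("threat_intel_match")
        if beacon_like([e["ts"] for e in events]):
            signals.append("beacon_like_timing")
        if all(e["method"] == "POST" for e in events) and not any(
            "Mozilla" in e["ua"] for e in events
        ):
            signals.append("non_browser_post")
        # Never alert on provider presence alone: demand a second signal.
        if len(signals) >= 2:
            findings.append({
                "host": host,
                "provider": classify(host),
                "sources": sorted({e["src"] for e in events}),
                "signals": signals,
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_LOG), indent=2))
```

On the constructed input, the approved reporting host is suppressed, the single browser visit to a Workers site produces no signal, and only the TI-flagged host with regular non-browser POSTs is raised. In production the approved-host set should come from the serverless inventory recommended under Mitigation priorities, and the second-signal list can be extended with other ATT&CK behaviours observed from the same source.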
Mitigation priorities
- Inventory legitimate organizational use of serverless services and ensure ownership, logging, and approval paths are clear.
- Ensure DNS, proxy, firewall, and relevant cloud audit telemetry are retained and searchable for investigations involving serverless infrastructure.
- Integrate threat intelligence enrichment into SOC workflows so serverless-hosted indicators can be assessed in context.
- Update IR playbooks to include evidence collection and scoping steps for suspicious serverless-hosted infrastructure.
- Use cloud security governance and IAM review processes to reduce unmanaged or poorly monitored internal serverless exposure.
Analyst notes and limits
The supplied ATT&CK object is sparse: it has no official description, no official detection text, and no platforms or tactics directly assigned to the detection strategy. The only substantive context is the relationship showing that DET0864 detects T1584.007 Serverless, a resource development technique involving compromised serverless cloud infrastructure used during targeting.
This take is based only on the supplied STIX fields, external reference, and relationship context. It does not assert active exploitation, specific adversary attribution, guaranteed detection coverage, or complete platform scope. Local cloud usage, logging architecture, and business-approved serverless activity must be reviewed before operationalizing detections.
Detection of Serverless
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1584.007 | Serverless (sub-technique of T1584, Compromise Infrastructure) | This object detects Serverless. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 13bed430b72f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0864 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.