MITRE ATT&CK® Technique

T1583.007: Serverless

Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server.[1][2][3] As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to Hide Infrastructure.[4][1]

Domain: Enterprise | ID: T1583.007 | Type: Sub-technique | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Serverless infrastructure acquisition matters because an adversary can use trusted cloud-provider runtimes, such as Cloudflare Workers, AWS Lambda, or Google Apps Scripts, as part of pre-compromise resource development. For defenders, the business issue is not the serverless service itself; it is that malicious traffic may blend into normal connections to common cloud providers, complicating attribution, alert triage, and incident scoping.

Executive priority

Treat this as a cloud and SOC visibility question: can the organization distinguish legitimate business use of major serverless platforms from suspicious routing or command-and-control-like traffic? Leaders should prioritize evidence of outbound traffic governance, cloud service allowlisting decisions, and incident response playbooks for cases where infrastructure appears to be hosted under reputable cloud-provider domains.

Technical view

This is a PRE-platform resource-development sub-technique under Acquire Infrastructure. MITRE provides no official detection text, but the object is related to DET0829, Detection of Serverless, and to M1056, Pre-compromise. SOC and detection teams should validate whether network monitoring, proxy, DNS, and cloud-access telemetry can identify unusual interactions with serverless provider subdomains, especially where traffic may be used to proxy to adversary-controlled command-and-control infrastructure or to hide infrastructure.

Likely telemetry

  • DNS queries and resolutions for serverless/cloud-provider subdomains
  • Web proxy and secure web gateway logs showing outbound requests to common cloud-provider runtime domains
  • Network flow metadata, including destination domains, IPs, ports, timing, and volume
  • TLS/SNI and HTTP metadata where legally and technically available
  • Cloud access security or SaaS access logs showing organizational use of serverless-related services

Detection direction

  • Baseline normal organizational use of serverless platforms before treating cloud-provider domains as suspicious.
  • Tune detections for unusual beacon-like timing, rare destinations, unexpected user agents, abnormal request patterns, or endpoints with no business reason to contact serverless runtimes.
  • Avoid broad blocking or noisy alerting on major cloud providers without business context; false positives are likely where developers, automation, or SaaS integrations legitimately use these services.
  • Use the relationship to Acquire Infrastructure to connect suspicious serverless traffic with other pre-compromise or command-and-control indicators rather than evaluating it in isolation.
  • Validate whether DET0829-aligned analytics exist in the local environment, since the supplied ATT&CK object does not include official detection guidance.
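The detection direction above (baseline approved serverless use, then look for beacon-like timing, rare destinations and endpoints with no business reason to reach a runtime) can be expressed as a small analytic over web-proxy records. The following is an added example written for this page, not Glexia's or MITRE's code. Everything in it is an assumption for illustration: the hostname patterns for Cloudflare Workers, AWS Lambda function URLs, API Gateway and Google Apps Script, the business allowlist, the proxy log format, the constructed log lines, and the beacon threshold (coefficient of variation of inter-request gaps at or below 0.15 over at least four requests).

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Public endpoint shapes for the serverless runtimes this page names.
# Assumption (not from the page): these are commonly seen hostname suffixes;
# extend or replace them with what your own telemetry actually shows.
SERVERLESS_PATTERNS = (
    ("cloudflare_workers", re.compile(r"\.workers\.dev$")),
    ("aws_lambda_function_url", re.compile(r"\.lambda-url\.[a-z0-9-]+\.on\.aws$")),
    ("aws_api_gateway", re.compile(r"\.execute-api\.[a-z0-9-]+\.amazonaws\.com$")),
    ("google_apps_script", re.compile(r"^script\.google\.com$")),
)

# Hypothetical business baseline: serverless endpoints developers are known to use.
APPROVED_HOSTS = {"ci-hooks.example-corp.workers.dev"}

# Constructed web-proxy records for the example (not real traffic):
# "<ISO timestamp> <client ip> <destination host> <method> <user agent>"
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:00 10.0.0.5 ci-hooks.example-corp.workers.dev POST curl/8.4.0
2024-05-01T09:07:13 10.0.0.5 ci-hooks.example-corp.workers.dev POST curl/8.4.0
2024-05-01T09:31:40 10.0.0.5 ci-hooks.example-corp.workers.dev POST curl/8.4.0
2024-05-01T09:58:02 10.0.0.5 ci-hooks.example-corp.workers.dev POST curl/8.4.0
2024-05-01T09:00:00 10.0.0.7 quiet-sound-4d1e.workers.dev GET Mozilla/5.0
2024-05-01T09:01:00 10.0.0.7 quiet-sound-4d1e.workers.dev GET Mozilla/5.0
2024-05-01T09:02:01 10.0.0.7 quiet-sound-4d1e.workers.dev GET Mozilla/5.0
2024-05-01T09:03:00 10.0.0.7 quiet-sound-4d1e.workers.dev GET Mozilla/5.0
2024-05-01T09:04:00 10.0.0.7 quiet-sound-4d1e.workers.dev GET Mozilla/5.0
2024-05-01T09:10:00 10.0.0.9 script.google.com GET Mozilla/5.0
2024-05-01T09:12:00 10.0.0.5 script.google.com GET Mozilla/5.0
2024-05-01T09:15:00 10.0.0.9 www.example.com GET Mozilla/5.0
"""


def serverless_provider(host):
    """Return a provider label if host looks like a serverless runtime, else None."""
    host = host.lower().rstrip(".")
    for label, pattern in SERVERLESS_PATTERNS:
        if pattern.search(host):
            return label
    return None


def parse_proxy_log(text):
    """Parse the space-separated proxy format above into dicts (UA may contain spaces)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, method, ua = line.split(maxsplit=4)
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "host": host.lower(), "method": method, "ua": ua})
    return records


def analyze_serverless_traffic(records, approved=APPROVED_HOSTS,
                               min_events=4, max_cv=0.15):
    """Flag (src, host) pairs that talk to serverless runtimes.

    Flags per pair:
      unapproved        host is not in the business baseline
      rare_destination  unapproved host that only one internal source ever contacted
      beacon_like       at least min_events requests with near-constant spacing
    Non-serverless destinations are ignored entirely.
    """
    by_pair = defaultdict(list)
    sources_per_host = defaultdict(set)
    for r in records:
        if serverless_provider(r["host"]) is None:
            continue
        by_pair[(r["src"], r["host"])].append(r["ts"])
        sources_per_host[r["host"]].add(r["src"])

    findings = {}
    for (src, host), stamps in by_pair.items():
        flags = []
        if host not in approved:
            flags.append("unapproved")
            if len(sources_per_host[host]) == 1:
                flags.append("rare_destination")
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Regular spacing: low coefficient of variation of the inter-request gaps.
        if len(stamps) >= min_events and mean(gaps) > 0:
            if pstdev(gaps) / mean(gaps) <= max_cv:
                flags.append("beacon_like")
        findings[(src, host)] = {"provider": serverless_provider(host),
                                 "events": len(stamps), "flags": flags}
    return findings


if __name__ == "__main__":
    for (src, host), info in analyze_serverless_traffic(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{src} -> {host} [{info['provider']}] events={info['events']} flags={info['flags']}")
```

On the constructed sample, the approved CI endpoint produces no flags even though it is a workers.dev host, the once-a-minute requests to an unknown workers.dev name are flagged unapproved, rare and beacon-like, and the two single requests to script.google.com are merely unapproved, which is the point of the baselining step: a serverless provider domain on its own is not a signal, the combination of no business baseline, a single talker and machine-regular timing is. In production the allowlist would come from documented cloud service decisions and the thresholds from observed traffic, not from the values assumed here.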

Mitigation priorities

  • Start with M1056-style pre-compromise controls: reduce unnecessary exposure, document approved cloud services, and make adversary preparation harder to use against the organization.
  • Maintain policy and technical governance for outbound access to serverless and cloud-provider runtime domains based on business need.
  • Ensure SOC and IR teams have access to DNS, proxy, and network telemetry needed to investigate cloud-provider subdomain traffic.
  • Create response procedures for suspicious serverless traffic that include endpoint containment, traffic analysis, and validation of whether the service is legitimate business use.
  • Use threat intelligence carefully to enrich suspicious destinations, while recognizing that provider-owned infrastructure can change quickly and may host both benign and malicious activity.

Analyst notes and limits

The object is a resource-development sub-technique, so its most useful defensive value is readiness: visibility, baselining, and response decision-making before or during an intrusion. The campaign relationship to APT41 DUST shows that this behavior has documented ATT&CK relationship context, but this take does not infer current activity, customer exposure, or attribution beyond that supplied relationship.

MITRE does not provide official detection text for this technique in the supplied fields. The platforms field is PRE, not a runtime enterprise operating system or cloud account platform. Local business context is required to separate legitimate serverless use from suspicious use of common cloud-provider domains.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1583 | Acquire Infrastructure | This object is a sub-technique of Acquire Infrastructure.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 68503f7a1f03bdd8...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 68503f7a1f03…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] BlackWater Malware Cloudflare Workers. Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
  2. [2] AWS Lambda Redirector. Adam Chester. (2020, February 25). AWS Lambda Redirector. Retrieved July 8, 2022.
  3. [3] GWS Apps Script Abuse 2021. Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
  4. [4] Detecting Command & Control in the Cloud. Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022.
  5. [5] mitre-attack T1583.007. MITRE ATT&CK entry for T1583.007 on attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.