Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1584.007: Serverless

Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

Once compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server.[1][2][3] As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to Hide Infrastructure.[4][1]

EnterpriseT1584.007Sub-techniqueObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Serverless infrastructure matters because it can let adversaries use trusted cloud-provider subdomains as part of their preparation and later traffic handling. For leaders, the risk is not the serverless platform itself; it is that normal-looking traffic to common cloud services can reduce attribution clarity and make command-and-control or proxy activity harder to separate from legitimate business use.

Executive priority

Treat this as a cloud and SOC visibility question in the resource-development phase. Ask whether the organization can justify, monitor, and investigate traffic to serverless services such as Cloudflare Workers, AWS Lambda, and Google Apps Scripts without blocking legitimate cloud use. This is relevant to incident decision-making, managed detection scope, cloud security governance, and audit evidence showing that pre-compromise infrastructure abuse is considered in monitoring strategy.

Technical view

ATT&CK maps this sub-technique to Resource Development under Compromise Infrastructure, with PRE as the platform context. MITRE provides no official detection text, but the relationship to DET0864 indicates a detection strategy exists for this behavior. SOC and detection teams should validate visibility into outbound connections where the destination is a common cloud-provider/serverless domain and the traffic pattern is inconsistent with known business workflows. IR teams should be prepared to assess whether suspicious serverless endpoints are acting as direct responders or as proxies to other adversary-controlled infrastructure, while avoiding assumptions based only on cloud-provider domain reputation.

Likely telemetry

  • DNS queries and resolved domains for serverless/cloud-provider subdomains
  • Web proxy, secure web gateway, or firewall logs showing outbound HTTP/S destinations
  • Network flow metadata for unusual or persistent connections to cloud serverless services
  • TLS/SNI and certificate metadata where available and policy-compliant
  • Endpoint process-to-network telemetry linking local processes to serverless destinations

Detection direction

  • Inventory legitimate business use of major serverless services before alerting heavily on provider domains.
  • Hunt for unusual frequency, timing, user-agent, process lineage, or endpoint group patterns in traffic to serverless destinations.
  • Correlate serverless-domain traffic with suspicious endpoint behavior rather than relying only on destination reputation.
  • Tune for false positives from legitimate SaaS, automation, developer, and productivity workflows that use the same providers.
  • Use the DET0864 relationship as a prompt to review available ATT&CK detection-strategy content, but confirm local telemetry coverage because the technique object itself has no official detection guidance.

Mitigation priorities

  • Apply pre-compromise controls consistent with M1056: reduce exposed information and preparation opportunities that help adversaries select or abuse infrastructure.
  • Define acceptable-use and egress policies for serverless/cloud services, with exceptions documented for business-critical workflows.
  • Maintain network and endpoint telemetry sufficient to investigate cloud-provider subdomain traffic during incidents.
  • Where feasible, restrict or monitor unsanctioned serverless service use through existing web, DNS, and cloud security controls.
  • Include this scenario in incident response playbooks so responders know how to handle trusted-cloud infrastructure without overblocking legitimate operations.
Analyst notes and limits

This behavior is material because it exploits defender trust in common cloud infrastructure. The main decision point is whether the organization can distinguish normal cloud/serverless usage from abnormal traffic patterns during investigation. The relationship to T1584 reinforces that this is preparation infrastructure, not necessarily proof of compromise by itself.

MITRE does not provide official detection text for this object. The supplied data supports serverless infrastructure examples and the relationship to DET0864 and M1056, but it does not establish organization-specific exposure, active exploitation, attribution, impact, or guaranteed detection coverage. Local baselines and telemetry are required.

Official MITRE ATT&CK definition

Serverless

Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

Once compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server.[1][2][3] As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to Hide Infrastructure.[4][1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1584 Compromise Infrastructure This object subtechnique of Compromise Infrastructure.
Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1056: Pre-compromise Enterprise subtechnique of · Technique T1584: Compromise Infrastructure Enterprise detects · Detection Strategy DET0864: Detection of Serverless Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1056: Pre-compromise

Pre-compromise mitigations involve proactive measures and defenses implemented to prevent adversaries from successfully identifying and exploiting weaknesses during the Reconnaissance and Resource Development phases of an attack. These activities focus on reducing an organization's attack surface, identify adversarial preparation efforts, and increase the difficulty for attackers to conduct successful operations. This mitigation can be implemented through the following measures:

Limit Information Exposure:

- Regularly audit and sanitize publicly available data, including job posts, websites, and social media. - Use tools like OSINT monitoring platforms (e.g., SpiderFoot, Recon-ng) to identify leaked information.

Protect Domain and DNS Infrastructure:

- Enable DNSSEC and use WHOIS privacy protection. - Monitor for domain hijacking or lookalike domains using services like RiskIQ or DomainTools.

External Monitoring:

- Use tools like Shodan, Censys to monitor your external attack surface. - Deploy external vulnerability scanners to proactively address weaknesses.

Threat Intelligence:

- Leverage platforms like MISP, Recorded Future, or Anomali to track adversarial infrastructure, tools, and activity.

Content and Email Protections:

- Use email security solutions like Proofpoint, Microsoft Defender for Office 365, or Mimecast. - Enforce SPF/DKIM/DMARC policies to protect against email spoofing.

Training and Awareness:

- Educate employees on identifying phishing attempts, securing their social media, and avoiding information leaks.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
6cf5c49683877b2a...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 6cf5c4968387…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    BlackWater Malware Cloudflare Workers

    Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.

    Open source URL
  2. [2]
    AWS Lambda Redirector

    Adam Chester. (2020, February 25). AWS Lambda Redirector. Retrieved July 8, 2022.

    Open source URL
  3. [3]
    GWS Apps Script Abuse 2021

    Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.

    Open source URL
  4. [4]
    Detecting Command & Control in the Cloud

    Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022.

    Open source URL
  5. [5]
    mitre-attack T1584.007
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use