T1584.007SubTechniqueresource-developmentagent-callable

T1584.007Serverless

Sub-technique of T1584

Platforms: PRE

ATT&CK version: 14.1

What it is

Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. Once compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)

ATT&CK tactics· 1

Resource Development

References

  1. https://attack.mitre.org/techniques/T1584/007
  2. https://blog.xpnsec.com/aws-lambda-redirector/
  3. https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
  4. https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.
T1584.007: Serverless | SQUR Knowledge Base