Serverless Execution (T1648)

Technique & Subtechniques

  • Serverless Execution

Associated Tactics

  • Execution

Execution (TA0002)

The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Procedure Examples

Description | Source(s)
Berk Veral. (2020, March 9). Real-life cybercrime stories from DART, the Microsoft Detection and Response Team. Retrieved May 27, 2022. | Microsoft DART Case Report 001
Daniel Grzelak. (2016, July 9). Backdooring an AWS account. Retrieved May 27, 2022. | Backdooring an AWS account
Eric Saraga. (2022, February 2). Using Power Automate for Covert Data Exfiltration in Microsoft 365. Retrieved May 27, 2022. | Varonis Power Automate Data Exfiltration
HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1, 2024. | Cloud Hack Tricks GWS Apps Script
L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script analysis. Retrieved October 2, 2024. | OWN-CERT Google App Script 2024
Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022. | Cado Security Denonia
Rhino Security Labs. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022. | Rhino Security Labs AWS Privilege Escalation
Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform – Part 1 (IAM). Retrieved May 27, 2022. | Rhingo Security Labs GCP Privilege Escalation