Serverless Execution

Serverless execution refers to adversaries abusing the serverless compute resources offered by cloud providers to run malicious code, typically deploying and running payloads through Function-as-a-Service (FaaS) platforms. Many cloud providers offer serverless compute engines, application integration services, and similar offerings; adversaries can leverage these services to execute arbitrary code and thereby gain control over the cloud environment. Through serverless functions, adversaries can run malicious code such as cryptocurrency-mining malware. They may also create malicious functions to achieve privilege escalation and further extend their impact on the cloud environment.

Because serverless execution is highly dynamic and flexible, and because serverless functions run in response to events, a malicious function can be triggered only when a specific event occurs. This dispersion and dynamism make it hard for defenders to discover malicious function execution through a centralized monitoring point or a fixed detection pattern, so the adversary's execution phase is inherently stealthy.

The evolution of trace-concealment techniques puts traditional cloud security defenses, built on static analysis of resource configuration or runtime signature matching, at risk of failing. Defenders need to build new detection capabilities such as cross-function behavioral correlation, deep auditing of the event bus, and memory forensics, while strengthening fine-grained monitoring of cloud service APIs and anomaly-pattern recognition, in order to counter advanced threats in serverless environments.

ID: T1648
Sub-techniques: No sub-techniques
Tactic: Execution
Platforms: IaaS, Office Suite, SaaS
Contributors: Alex Soler, AttackIQ; Cisco; OWN; Oleg Kolesnikov, Securonix; Praetorian; Shailesh Tiwary (Indian Army); Varonis Threat Labs; Vectra AI
Version: 1.1
Created: 27 May 2022
Last Modified: 14 October 2024

Concealment Effects

Effect type                    | Present
Signature disguise             |
Behavioral transparency        |
Data masking                   |
Spatiotemporal trace dispersal |

Behavioral Transparency

Serverless execution does not depend on traditional long-running processes; tasks are instead triggered by an event-driven mechanism. A malicious operation fires only when a specific event occurs and does not persist in the cloud environment as long-lived activity, so it usually leaves no continuous trace. Ephemeral functions that delete themselves after running further erase evidence of malicious code execution, making it hard for detection systems to capture the attack.

Spatiotemporal Trace Dispersal

By using event triggers to spread out the timing of attack steps, combined with the transient lifetime of ephemeral functions, a continuous attack sequence is broken into discrete responses to legitimate service events. For example, scheduled triggers can activate different function modules at hourly intervals, or storage events can trigger short-lived functions that carry out data exfiltration. The attack's signature is thereby diluted in the cloud environment's huge volume of event logs, defeating the defender's temporal correlation analysis.

Procedure Examples

ID    | Name | Description
S1091 | Pacu | Pacu can create malicious Lambda functions.[1]

Mitigations

ID    | Mitigation              | Description
M1036 | Account Use Policies    | Where possible, consider restricting access to and use of serverless functions. For example, conditional access policies can be applied to users attempting to create workflows in Microsoft Power Automate. Google Apps Scripts that use OAuth can be limited by restricting access to high-risk OAuth scopes.[2][3]
M1018 | User Account Management | Remove permissions to create, modify, or run serverless resources from users that do not explicitly require them.

Detection

ID     | Data Source     | Data Component             | Detects
DS0015 | Application Log | Application Log Content    | Monitor Serverless Execution activities by examining logs that contain information about serverless function invocations. This is especially useful for detecting anomalous behavior within AWS Lambda, Azure Functions, or Google Cloud Functions. For example, in Exchange environments, emails sent by Power Automate via the Outlook 365 connector include the phrase 'Power App' or 'Power Automate' in the SMTP header 'x-ms-mail-application'.[4]

Analytic 1 - Failed or abnormal serverless function invocations across AWS, Azure, and Google Cloud

sourcetype=aws:lambda OR sourcetype=azure:function OR sourcetype=gcp:function | where result_status != "Success"

DS0025 | Cloud Service   | Cloud Service Modification | Monitor for unusual serverless function modifications, such as adding roles to a function that allow unauthorized access or execution.

Analytic 1 - Tracks actions related to creating or modifying serverless functions

index=cloud_logs sourcetype=aws:iam OR sourcetype=azure:activity OR sourcetype=gcp:iam | search action IN ("iam:PassRole", "iam:CreateFunction", "iam:AddPermission", "iam:UpdateFunctionConfiguration")
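As an added example (not code from the ATT&CK page or its contributors), the following Python script applies the DS0025 analytic above to CloudTrail-style records: it flags function creation and configuration changes that swap in a new or sensitive execution role, and AddPermission calls that open a function's resource policy to any principal. The record contents, account number, role names and the sensitive-role list are constructed sample values.

```python
# Added example (not from the ATT&CK page): flags CloudTrail-style Lambda
# create/modify events of the kind Analytic 1 under DS0025 looks for. Lambda
# API names in CloudTrail carry version suffixes ("CreateFunction20150331"),
# so the filter matches on the API-name prefix.
WATCHED_PREFIXES = ("CreateFunction", "UpdateFunctionConfiguration",
                    "UpdateFunctionCode", "AddPermission")

# Constructed sample records in the CloudTrail record shape (not real logs).
ACCT = "123456789012"
ACTOR = f"arn:aws:iam::{ACCT}:user/dev-alice"
SAMPLE_RECORDS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {
         "functionName": "nightly-report", "role": f"arn:aws:iam::{ACCT}:role/reporting-role"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {
         "functionName": "nightly-report", "role": f"arn:aws:iam::{ACCT}:role/AdminRole"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {
         "functionName": "nightly-report", "principal": "*", "action": "lambda:InvokeFunction"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"bucketName": "reports"}},
]

def detect(records, sensitive_roles):
    """Return (finding, function, actor, detail) for suspicious create/modify events."""
    findings = []
    current_role = {}  # functionName -> execution role last seen
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue  # only Lambda control-plane events are of interest here
        name = rec.get("eventName", "")
        if not name.startswith(WATCHED_PREFIXES):
            continue
        params = rec.get("requestParameters") or {}
        fn, actor = params.get("functionName"), rec["userIdentity"]["arn"]
        role = params.get("role")
        if role:
            prev = current_role.get(fn)
            if prev and prev != role:  # execution role swapped after creation
                findings.append(("ROLE_CHANGED", fn, actor, f"{prev} -> {role}"))
            if role in sensitive_roles:  # function handed a high-privilege role
                findings.append(("SENSITIVE_ROLE", fn, actor, role))
            current_role[fn] = role
        if name.startswith("AddPermission") and params.get("principal") == "*":
            findings.append(("PUBLIC_INVOKE", fn, actor, "resource policy opened to *"))
    return findings
```

Run `detect(SAMPLE_RECORDS, {"arn:aws:iam::123456789012:role/AdminRole"})` to see the role swap, the sensitive-role grant and the public invoke permission reported in order; the S3 record is ignored by the event-source filter.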

References