255. Adversaries Use Azure Functions as C2

Hello everyone! Yes, yet another legitimate service is being abused by adversaries as a C2 channel, and this time it's Azure Functions. Azure Functions is Microsoft's serverless, event-driven platform that lets you run small pieces of code (functions) in the cloud without provisioning or managing servers. According to this report, threat actors now use it as C2 infrastructure. Function apps get a default hostname under azurewebsites.net, so, as always, we can hunt for this behavior by looking at which processes resolve such names:

event_type: "dnsreqwin" AND dns_rname: "azurewebsites.net"

Keep in mind that azurewebsites.net is shared with ordinary Azure App Service web apps, so browsers and other known-good clients will produce noise. Focus on processes that have no business resolving it (Office applications, scripting engines, binaries running from user-writable paths) and on hosts that repeatedly query the same function app name. See you tomorrow!
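To show what this hunt looks like when run offline, here is an added Python example that is not part of the original post: it applies the same query to a handful of constructed DNS events and then groups the hits by requesting process so that unexpected clients and binaries in user-writable paths surface first. The field names (event_type, dns_rname, host, process), the sample events and the browser allowlist are assumptions made for illustration, not a real vendor schema.

```python
import ntpath
from collections import defaultdict

# Constructed sample events (assumed schema, not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "dnsreqwin", "host": "ws01",
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dns_rname": "contoso-portal.azurewebsites.net"},
    {"event_type": "dnsreqwin", "host": "ws02",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dns_rname": "sync-update-7731.azurewebsites.net"},
    {"event_type": "dnsreqwin", "host": "ws02",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dns_rname": "sync-update-7731.azurewebsites.net"},
    {"event_type": "dnsreqwin", "host": "ws03",
     "process": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "dns_rname": "api-telemetry.azurewebsites.net"},
    {"event_type": "dnsreqwin", "host": "ws01",
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dns_rname": "www.microsoft.com"},
    {"event_type": "procstart", "host": "ws03",
     "process": r"C:\Windows\System32\cmd.exe", "dns_rname": ""},
]

# Assumed allowlist: clients expected to talk to App Service hosts.
KNOWN_GOOD_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe"}

# Path fragments that indicate a binary running from a user-writable location.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def matches_hunt(event):
    """The hunt query from the post: Windows DNS request events whose
    queried name is azurewebsites.net or any label beneath it."""
    if event.get("event_type") != "dnsreqwin":
        return False
    name = event.get("dns_rname", "").lower().rstrip(".")
    return name == "azurewebsites.net" or name.endswith(".azurewebsites.net")


def hunt(events):
    """Return every event the query would match."""
    return [e for e in events if matches_hunt(e)]


def triage(events):
    """Group hits by (host, process) and keep only the ones worth a look:
    clients outside the allowlist, or images in user-writable paths."""
    groups = defaultdict(lambda: {"count": 0, "domains": set()})
    for e in hunt(events):
        key = (e["host"], e["process"])
        groups[key]["count"] += 1
        groups[key]["domains"].add(e["dns_rname"].lower())

    findings = []
    for (host, process), info in groups.items():
        image = ntpath.basename(process).lower()
        reasons = []
        if image not in KNOWN_GOOD_CLIENTS:
            reasons.append("unexpected client")
        if any(m in process.lower() for m in USER_WRITABLE_MARKERS):
            reasons.append("user-writable path")
        if reasons:
            findings.append({
                "host": host,
                "process": process,
                "count": info["count"],
                "domains": sorted(info["domains"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']}  {f['process']}  x{f['count']}  "
              f"{', '.join(f['domains'])}  [{'; '.join(f['reasons'])}]")
```

The suffix check in matches_hunt matters: a plain substring match on "azurewebsites.net" would also fire on look-alike names such as azurewebsites.net.example, and how a SIEM tokenizes dns_rname decides whether the one-line query above behaves like the suffix match or like a substring match, so verify that on your own platform before trusting the result count.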