EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityAPTlateral-movementMITRE-ATT&CK

Advanced Persistent Threats & Lateral Movement in Cloud Environments

APT groups have adapted their techniques for cloud infrastructure. This article examines the cloud APT kill chain — from initial access through privilege escalation, lateral movement across accounts, and data exfiltration — with detection patterns for each stage.

Ashish Revar3 July 202622 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

MITRE ATT&CK for Cloud

The complete MITRE ATT&CK for Cloud matrix covering IaaS, SaaS, and cloud-native tactics.

Rhino Security: AWS IAM Privilege Escalation Methods

Documented IAM privilege escalation paths with mitigation guidance.

AWS CloudTrail Event Reference

AWS CloudTrail event structure reference for forensic and detection purposes.

LAPSUS$ TTPs — CISA Advisory

CISA advisory on LAPSUS$ group cloud-specific techniques and mitigations.

More articlesTest your knowledge

APTs Have Moved to the Cloud

Advanced Persistent Threat (APT) groups — typically nation-state or state-sponsored actors — initially focused their cloud capabilities on cloud as a target (stealing data from cloud storage) and cloud as a tool (using cloud compute for C2). By 2022, groups including Cozy Bear (APT29), LAPSUS$, and SCATTERED SPIDER had developed cloud-specific TTPs that leverage cloud-native services for every phase of the attack lifecycle.

The cloud kill chain differs from the traditional Lockheed Martin Cyber Kill Chain in several important ways:

PhaseTraditional Kill ChainCloud APT Adaptation
ReconnaissanceNetwork scanning, OSINTEnumerate public S3 buckets, public ECR images, CloudFront origins
Initial AccessPhishing, exploitPhishing for cloud console credentials, SSRF for IMDS creds, compromised CI/CD
ExecutionMalware dropped on endpointLambda function deployed, ECS task modified, cloud-native tooling abused
PersistenceRegistry run keys, scheduled tasksIAM backdoor user, rogue Lambda trigger, S3 event notification to attacker endpoint
Privilege EscalationLocal admin exploitIAM policy confusion, iam:PassRole abuse, sts:AssumeRole chaining
Lateral MovementPass-the-hash, RDPCross-account role assumption, federated access token abuse
ExfiltrationFTP, encrypted channelS3 cross-account replication to attacker-controlled bucket

MITRE ATT&CK for Cloud: Initial Access

The most common initial access techniques (mapped to MITRE ATT&CK):

Technique IDNameHow It Works
T1078.004Valid Accounts: Cloud AccountsStolen credentials used directly; phishing most common vector
T1190Exploit Public-Facing ApplicationSSRF, SQL injection, RCE in cloud-hosted web application
T1552.005Unsecured Credentials: Cloud Instance MetadataSSRF to IMDS (see separate topic)
T1195.001Supply Chain Compromise: Compromise S/W DependenciesMalicious npm/pip package in Lambda or container image

Privilege Escalation in Cloud

Cloud IAM privilege escalation relies on misconfigured policies rather than kernel exploits. The Rhino Security Labs team documented over 20 IAM privilege escalation paths in AWS. Common patterns:

1. iam:PassRole + service creation If a user can call ec2:RunInstances and iam:PassRole, they can launch an EC2 instance with a more privileged role than their own, then use that instance's credentials.

2. Lambda function creation If a user can call lambda:CreateFunction and iam:PassRole, they can deploy a Lambda function with an admin execution role. The function code calls sts:GetCallerIdentity or writes secrets to S3.

3. sts:AssumeRole without condition check A trust policy that allows * principal (or Principal: "arn:aws:iam::*:root") to assume a role allows any authenticated AWS principal — in any account — to assume that role. This is the cloud equivalent of "anyone in the world can escalate to admin."

Lateral Movement: Cross-Account Role Chaining

A cloud attack rarely ends in the account it starts in. The target's production data is often in a different account. Attackers chain role assumptions:

Compromised account (dev)
  → sts:AssumeRole → staging account
    → sts:AssumeRole → production account
      → access production database

This is possible when:

  • A staging role has a trust policy that trusts the dev account
  • The production account trusts the staging account
  • No IP condition or MFA condition restricts the assumption

Detection signal: sts:AssumeRole events in CloudTrail where the userIdentity.type is AssumedRole and the source account differs from the target. Alert on cross-account role assumptions that were not seen in the previous 30 days (baseline normal behaviour and detect deviations).

Exfiltration Techniques

TechniqueHow It WorksDetection
S3 cross-account replicationAttacker creates a replication rule pointing to their bucketCloudTrail: PutBucketReplication event; alert on replications to unknown accounts
Lambda data forwardingLambda posts data to external HTTP endpointVPC Flow Logs: outbound HTTPS to unknown IPs from Lambda VPC
Snapshot sharingEBS volume shared with attacker's AWS account IDCloudTrail: ModifySnapshotAttribute with external account ID
Glacier archive copyCopy data to Glacier, then retrieve to external accountCloudTrail: CopyObject, InitiateJob with cross-account parameters

Detection in Practice: The Key CloudTrail Events

Every SOC analyst working cloud environments should alert on:

cloudtrail:StopLogging                   — attacker disabling audit trail
iam:CreateUser                           — new IAM user created (backdoor)
iam:AttachUserPolicy                     — policy attached to new user
iam:CreateAccessKey                      — access key created for any user
ec2:ModifyInstanceMetadataOptions        — IMDS downgraded to v1
s3:PutBucketReplication                  — replication rule added
sts:AssumeRole (cross-account)           — role assumption to external account
lambda:CreateFunction (admin role)       — privileged Lambda created

These events should generate near-real-time alerts in CloudWatch Metrics or SecurityHub. Do not rely on daily log review — APT exfiltration completes in hours.