Skip Navigation
Get a Demo
Resources Blog Threat detection

Why adversaries have their heads in the cloud

Watch experts from Red Canary and elsewhere walk through common attack techniques in Azure and AWS cloud environments

Susannah Clark Matt
Originally published . Last modified .

It makes sense that defenders’ visibility into cloud environments can be a bit…well, cloudy. We gathered a team of experts to help you clear things up. In the latest installment of our Detection Series, Red Canary’s own Thomas Gardner and Justin Schoenfeld joined MITRE’s Casey Knerr and Atomic Red Team Maintainer Jose Hernandez for an in-depth discussion of the most prevalent cloud techniques.

You can watch the full recording here or check out the clips below.

What’s so special about the cloud anyway?

To kick things off, Thomas examines some key differences between cloud environments and their on-premise counterparts, noting that in the cloud “risk detection is just as important as threat detection.”

Why do adversaries target cloud assets?

Jose provides answers for both the who and the why when it comes to adversaries targeting cloud environments, highlighting the modus operandi of the Scattered Spider, Team TNT, APT 29 and Cloud Wizard threat groups.

How do I improve visibility into cloud techniques?

The short answer? Get to know your logs. Thomas gives a run down of the various log sources available in AWS, as featured in our comprehensive guide on How to increase visibility into AWS and improve cloud security.


Justin then takes on the Microsoft side of things, showcasing log sources available from Azure and Entra ID, including the new Graph API activity logs.

What does a cloud intrusion look like?

Initial access, Discovery, Privilege escalation, Persistence, Defense Evasion, and Exfiltration phases of a cloud intrusion

With some help from Fantastic Mr. Fox, the gang walks us through each step of a typical cloud intrusion, from initial access to exfiltration. Take note: every phase introduces new detection opportunities.

Initial access

Justin sheds light on various phishing strategies as well as how adversaries exploit public-facing web applications via server-side request forgery (SSRF).


To help you thwart an adversary trying to uncover lists of roles and policies, Thomas shares some discovery operations to watch out for in both AWS and Azure.

Privilege escalation

Before diving into the various ways that adversaries gain permissions, Casey points out that privilege escalation is not always necessary in the cloud, as many cloud accounts are configured with overly permissive privileges from the start.


Justin walks through how adversaries maintain their elevated privileges and access to AWS and Azure environments.

Defense evasion

Thomas explains how adversaries disable logging and multi-factor authentication (MFA) to stay out of sight in AWS and Azure.


Jose tackles the final phase of the intrusion cycle, during which adversaries often download valuable assets directly from cloud storage.

What’s new in ATT&CK?

Casey updates everyone on the latest cloud techniques added to the MITRE ATT&CK matrix:


How can I test my defenses against these techniques?

Jose handpicks some Atomic Red Team tests that will help you validate your detection coverage for disabling cloud logs and data exfiltration via rclone.



Accelerating identity threat detection and response with GenAI


How adversaries use Entra ID service principals in business email compromise schemes


MSIX and other tricks: How to detect malicious installer packages


The detection engineer’s guide to Linux

Subscribe to our blog

Back to Top