AWS intrusion for red teamers
Cloud technologies are gradually being integrated into companies' information systems. They provide many security mechanisms that are sometimes difficult to understand and force attackers to rethink their methods of intrusion.
During this 2-day course, participants will be introduced to the core concepts of AWS, one of the leading cloud providers. After covering the fundamentals, we will dive deeper into the platform’s implementation and its specific security nuances. This training is specifically tailored for red teamers, focusing on the tactics, techniques, and procedures (TTPs) used in cloud environments, with an emphasis on discretion and stealth during testing.
Through hands-on exercises in fully simulated environments, attendees will learn and practice cloud intrusion techniques, gaining critical skills to identify vulnerabilities and exploit weaknesses while maintaining operational secrecy. This course is designed to equip red team professionals with the knowledge necessary to assess cloud security with a high degree of subtlety and effectiveness.
Trainers
The 2 trainers will be:
- Matthieu Barjole – 6 years at Synacktiv, Red Team leader
- Paul Barbé – 5 years at Synacktiv, Red Team operator
Syllabus
Day 1
Fundamentals: architecture (organization, accounts), IAM (identity types, role assumption, policies), AWS CLI usage, service discovery methods, unauthenticated identity enumeration, S3 bucket rights abuse, EC2 (metadata, lateral movement and poisoning of SSM agents).
Lab: getting started, reconnaissance, initial access, enumeration, lateral movement.
Day 2
Advanced concepts: Lambdas (runtime API, persistence, data exfiltration), Cognito (user and identity pools), IAM privilege escalation, network reconnaissance (VPC, network ACL, security groups), persistence (modification of IAM policies, role chain juggling), logging and security alerts (CloudTrail, CloudWatch, GuardDuty).
Lab: privilege escalation, backdooring services, persistence.
The labs emulate a full corporate environment with various services, where students have to perform multiple steps to finally gain administrator access.
Materials
The trainees will be provided with:
- 1 slide deck (~150 slides)
- 1 AWS cheatsheet
- 1 attack virtual machine
- 2 AWS environments (1 for each student + 1 shared to test payloads and launch attacks)
- 1 writeup
Check the full description PDF below for a content preview (slides, labs, writeup)!
Audience
This training is suitable for people with notions of offensive security but no prior experience in cloud environments. It is aimed primarily at red teamers, pentesters, system administrators, security architects and developers, but also at any technical profile wishing to enrich their professional career with a security component.
- Red teamers / pentesters
- System administrators
- Security architects
- Developers
Good network and Unix knowledge and notions of web intrusion are recommended.
Additional Resources
Download additional resources: