BHIS - Breaching the Cloud (On Site)

May 25 & 26, 2023

Course Abstract

Do you want to level up your cloud penetration testing skills? The attack surface of many organizations has changed to include third-party hosted services such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. In this training course, hacking concepts will be introduced for each of those services.

This training walks through a complete penetration testing methodology for cloud-based infrastructure. Starting with no information other than the company name, you will learn to discover what cloud-specific assets your target is using. Following the enumeration of cloud services, you will learn how to discover misconfigurations that commonly expose sensitive data, and gain a thorough understanding of how to get an initial foothold into a cloud-based organization.

Post-compromise techniques in cloud infrastructure differ from the techniques used in typical on-premise environments. You will learn situational awareness techniques that ultimately shape how you escalate privileges in the cloud. Because most cloud-based authentication is publicly exposed, this opens up new and interesting persistence techniques that do not exist in on-premise environments. With productivity tools like G-Suite and Microsoft 365, many organizations are making their email and other data that is normally protected by a firewall available to remote employees. You will learn how to discover, pillage, and exfiltrate data from these services.

Many organizations are fully leveraging cloud services for their production infrastructure. This can include web servers, SQL databases, storage, virtual machines, and more. In this training, you will learn how to assess and compromise these resources. Some cloud deployments are directly connected to on-premise environments via VPN. This presents an opportunity to pivot access from cloud to on-prem or vice-versa.

Finally, in this training, we will not only be attacking cloud infrastructure but also leveraging it for red team operations. You will learn how to use cloud services for phishing, domain fronting, and command & control.

Tools and techniques used on real-world penetration tests against cloud assets will be shared, including hands-on demonstrations. At the end of this training, you will have new skills for assessing cloud-based infrastructure!

Outline

Day 1

Part A: “Breaching the Cloud Perimeter”

  • Cloud Pentest Authorization
  • Overview of Cloud Authentication Methods
    • Azure Authentication Methods - Password Hash Synchronization, Pass-through Authentication, ADFS, Cert-based
    • AWS - Programmatic vs. console
    • Google - API, web console, JSON
  • Reconnaissance
    • Cloud Asset Discovery
    • User Enumeration
  • Exploiting Misconfigured Cloud Assets
    • Open S3 Buckets
    • Public Azure Storage
    • Public Google Buckets
    • S3 Code Injection & Hijacking
  • Gaining a Foothold
    • Key Disclosure in Public Repositories
    • Password Attacks
    • Web Server Exploitation
    • AWS Instance Metadata URL
    • Phishing
    • Steal Access Tokens
  • Post-compromise Recon
    • AWS
    • Google
    • Azure

Part B: “Pillaging Cloud Assets”

  • Gaining Access Review
  • Situational Awareness
    • AWS
    • GCP
    • Azure
    • Active Directory
  • Persistence
    • Persisting in G-Suite
    • Persisting in AWS
    • O365 Persistence
    • Azure Runbooks
  • Privilege Escalation
    • IAM Introduction
    • Privilege Escalation Overview
    • GCP PrivEsc
    • Azure PrivEsc
    • AWS PrivEsc
  • Data Harvesting
    • General Data Pillaging
    • Sensitive Email Discovery

Day 2

Part C: “Cloud Infrastructure Attacks”

  • Leveraging Scanning Tools
    • ScoutSuite
    • CloudSploit
    • WeirdAAL
  • Internal Cloud Asset Enumeration
    • Virtual Cloud Networks
    • AD DS in the Cloud
    • AWS Workspaces
    • CLI Queries
    • Testing Services Within Cloud Infrastructure
  • Web Applications
    • Analyzing WebApps in the Cloud
    • Common WebApp Vulns
  • Cloud Database Attacks
    • AzureSQL
    • Amazon RDS
    • Brute Forcing Passwords
    • PowerUpSQL
  • Virtual Machines
    • VHD Analysis
    • Run Commands on VMs
    • Reset VM Passwords
    • Managed Identities
  • Cloud Networking
    • On-Prem to Cloud
    • Azure VPNs
    • Network Connectivity Discovery Commands
  • Active Directory
    • Azure AD Connect
    • PHS and PTA Vulnerabilities
  • Other Cloud Services
    • AWS Dangling Domains
    • Containers
    • Serverless

Part D: “Weaponizing the Cloud for Red Team Operations”

  • Offensive Infrastructure Creation
    • Opsec Considerations
    • Hardening Considerations
    • Virtual Machines
    • VPNs
    • Domains and Categorization
    • Source IP Rotation Techniques
  • Command & Control
    • Domain Fronting
    • C2 Operational Frameworks
    • Redirectors
    • Other Interesting C2 Tactics
  • Phishing
    • Burnable Phishing Infrastructure
    • Azure Apps Phishing
    • Cred Phishing w/ Reverse Proxies
    • SSO/SAML Phishing
    • Azure Information Protection
    • Out-of-Band Phishing
    • Azure OAuth Apps
  • Payload Creation
    • General Payload Creation Techniques and Tools
    • Azure DevOps
    • Outlook Add-Ins
  • Cloud Infrastructure Automation
    • Terraform
    • Ansible

Who Should Attend

  • Penetration testers
  • Red teamers
  • Cloud security architects
  • Ethical hackers
  • General security practitioners

What You Need

  • A credit card (You will be signing up for cloud service accounts such as Microsoft Azure and AWS. These services require a credit card for signing up.)
  • Validate that both Amazon AWS and Microsoft Azure services are available in your country.

Note that if you cannot sign up for these services, you will not be able to participate in the labs.

Bio

Beau Bullock, Security Analyst

Beau Bullock is a Senior Security Analyst and Penetration Tester and has been with Black Hills Information Security since 2014. Beau holds a multitude of security certifications (OSCP, OSWP, GXPN, GPEN, GWAPT, GCIH, GCIA, GCFA, GSEC) and maintains his extensive skills by routinely taking training, learning as much as he can from his peers, and researching topics in which he lacks knowledge. He is a constant contributor to the infosec community, authoring open-source tools, writing blogs, and frequently speaking at conferences and on webcasts.