On This Page

AWS & Azure Exploitation: Making the Cloud Rain Shells!

Stage 2 Security | August 6-7


Stay frosty within AWS and Azure environments with this fast-paced and hands-on course which teaches each participant the Tactics, Techniques, and Procedures (TTPs) needed to infiltrate and expand access within cloud platforms.

In this course you will:
  • Exploit serverless (e.g. Lambda) applications for initial access into targets.
  • Pivot between data and control planes to expand access (e.g. secrets, snapshots).
  • Evade and disrupt cloud logging platforms (e.g. CloudTrail) to remain undetected.
  • Breach and backdoor boundaries (e.g. VPCs) to access hard to reach systems.
  • Leverage stealthy persistence techniques to ensure long-term access (e.g. session tokens).

The Course Syllabus includes...

Day 1:
  • Recon for AWS Services of Interest (e.g. Subdomain Takeovers)
  • Hunting for Secrets to the AWS Control Plane (e.g. S3 buckets)
  • Obtaining Secrets via Web App Vulnerabilities (e.g. XXE, LFI)
  • Surveying & Persisting Access within the AWS (e.g. Session Tokens)
  • Pivoting from the AWS Control Plane to the Data Plane (e.g. Snapshots)
  • Gaining RCE via Web App Vulnerabilities (e.g. SSTI, RFI)
  • Post Exploitation within AWS EC2 Instances (e.g. User Data Scripts, DynamoDB)

Day 2:
  • Serverless Exploitation w/ Lambda (e.g. Keeping it Hot, Exfiltrating via Services)
  • Breaching Boundaries: Bypassing VPCs (e.g. API Gateway + Lambda Bypass)
  • Logging Disruption within AWS (e.g. Cleaning CloudTrail Logs w/ Lambda)
  • Pivoting from Azure Control Plane to the Data Plane (e.g. Storage Manipulation)
  • Expanding Access via PaaS Specific Azure Attacks (e.g. RDP "debug")
  • Stealthy Azure Persistence Techniques (e.g. Offline Minting of SAS Keys)
  • Overview of Defensive Countermeasures (e.g. MFA, Logging, Alerting, etc...)

Who Should Take this Course

This course assumes the student already has some basic penetration testing knowledge and would like to learn more about how to apply penetration testing to cloud centric environments.

This includes:
  • Red Teamers & Penetration Testers
  • Blue Teamers & Security Professionals, who wish to see the offensive side
  • Site Reliability Engineers (SREs) & System Administrators, who work with cloud technologies

Student Requirements

Students will need to bring to the class:
  • Access to an active Amazon Web Services (AWS) account with admin access before the class starts.
  • Access to an active Azure subscription with admin access before the class starts.
  • A laptop with admin access to install software with wired network support via an ethernet adapter.

Students should be comfortable:
  • Using Linux and SSH.
  • With basic networking concepts and services (e.g. TCP/IP, DNS, DHCP, etc…)
  • Some experience interacting with AWS and Azure platforms.
  • Some python scripting knowledge is recommended, but not required.

What Students Should Bring

Students must:
  • Obtain access to an active Amazon Web Services (AWS) account with admin access.
  • Obtain access to an active Azure subscription with admin access.
  • Bring their own laptop, with admin rights to install software.
  • The Laptop needs a wired network support with an ethernet adapter.

What Students Will Be Provided With

  • A detailed lab guide
  • A copy of all course slides


Bryce Kunz (@TweekFawkes) is an Information Security Researcher located in Salt Lake City, Utah, who specializes in exploiting cloud environments through R&D access vectors for key systems (e.g. containers, orchestration systems, web applications, etc…). As a security professional, Bryce has spent time at various agencies (i.e. NSA, DoD, DHS, CBP) and tech companies (i.e. Adobe) focusing on vulnerability research, penetration testing, and incident response. Previously, Bryce received an MBA from a NSA designated "Center of Excellence" Idaho State University (ISU) program with an emphasis in Information Assurance (IA) on a full academic scholarship from the National Science Foundation (NSF). Bryce holds numerous certifications (e.g. OSCP, CISSP, ...) and has spoken at various security conferences (i.e. BlackHat, DerbyCon, BSidesLV, etc...).