Cloud Threats — Credential Theft, IMDS Abuse, Hijacking

A comprehensive guide to cloud-specific threats analysts face — stolen API keys, IMDS attacks, resource hijacking, privilege escalation paths, and SaaS compromise — and how to detect each.


What Makes Cloud Threats Different

  • Cloud environments change the threat model fundamentally. There is no “endpoint” to compromise in the traditional sense — an attacker can compromise an organization through an exposed S3 bucket, a leaked API key on GitHub, a misconfigured IAM role, or a compromised third-party SaaS integration.
  • Traditional EDR agents do not run in cloud APIs or serverless functions. Cloud threats require cloud-native detection — CloudTrail, CloudWatch, Azure Activity Log, Azure Monitor, GCP Cloud Audit Logs, and SaaS audit logs.
  • The shared responsibility model means the cloud provider secures the infrastructure, but the customer secures everything they put in it: identities, data, configurations, networks, and applications. See Cloud Security Fundamentals for details on the shared responsibility model.
  • MITRE ATT&CK maps cloud attacks across multiple tactics: T1525 (Cloud Service Discovery), T1552.005 (Cloud Instance Metadata API), T1613 (Container and Resource Discovery), T1078 (Valid Accounts).

Cloud Credential Theft

Cloud credentials — API keys, access keys, service principal secrets, and OAuth tokens — are the most valuable target in any cloud environment.

How Attackers Steal Cloud Credentials

Method | Target | Detection Signal
--- | --- | ---
GitHub secret leak | API keys committed to public or private repos | GitLeaks, GitHub secret scanning alerts, or SIEM correlation with key usage
Instance metadata API (IMDS) | Temporary credentials from AWS EC2, Azure VM, or GCP Compute instance | API calls from an unexpected source IP or from a VM that does not normally make API calls
Phishing cloud admins | Console passwords for cloud management portals | Unusual login location, device, or MFA method
SSRF to cloud metadata | Internal-facing app making outbound HTTP to 169.254.169.254 | Web server logs showing requests to the metadata IP
Shared credentials in config files | ~/.aws/credentials, AZURE_CLIENT_SECRET in env vars, GCP service account JSON | Downloaded via malware or exposed in CI/CD logs
Compromised CI/CD pipeline | Build secrets exposed in logs or artifact storage | CI/CD log containing plaintext secrets or unauthorized pipeline runs

Detection — IMDS Attack (Instance Metadata Service)

The IMDS endpoint at 169.254.169.254 is a link-local, unauthenticated service that hands temporary cloud credentials to any process running on the instance; the Azure and GCP request headers below defend against naive SSRF, not against code already running on the host. An attacker who gains code execution on a cloud VM will therefore typically query IMDS early, so metadata requests from a web-server process or an unexpected binary are a high-value signal.

IMDS query commands (the AWS example is IMDSv1; IMDSv2 first requires a session token obtained with a PUT request, which is why enforcing IMDSv2 blocks most SSRF paths to the metadata service):

# AWS — get IAM role credentials
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME

# Azure — get managed identity token
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H Metadata:true

# GCP — get service account access token
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

Detection — SPL query for IMDS access:

index=web sourcetype=webserver_logs
| search dest_ip="169.254.169.254" OR uri="*metadata*" OR uri="*/latest/meta-data/*"
| stats count by src_ip, user_agent, uri
| eval alert = "INSTANCE METADATA ACCESS — possible IMDS attack from " . src_ip
| table _time, src_ip, uri, user_agent, count, alert

Detection — CloudTrail for unusual credential usage:

index=aws sourcetype=cloudtrail
| search userIdentity.type=AssumedRole userIdentity.sessionContext.sessionIssuer.userName=*
| where NOT cidrmatch("10.0.0.0/8", sourceIPAddress) AND NOT cidrmatch("172.16.0.0/12", sourceIPAddress) AND NOT cidrmatch("192.168.0.0/16", sourceIPAddress)
| eval alert = "IMDS credentials used from outside the VPC — possible credential theft"
| table _time, userIdentity.arn, sourceIPAddress, eventName, eventSource, alert

(Replace the RFC 1918 ranges in the where clause with the VPC CIDRs and NAT egress addresses that legitimately originate API calls in your account; the original comparison of userIdentity.arn against sourceIPAddress was not valid SPL.)
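The same check as the CloudTrail query above, as an added example written for this page rather than code from the original. It relies on the fact that EC2 instance-profile sessions use the instance ID as the role session name, so credentials that left the box can be recognised by their principalId and an off-VPC source address. VPC_CIDRS and the CloudTrail records are constructed values.

```python
import ipaddress
import re

# CIDRs that legitimately originate API calls for this account (assumed values).
VPC_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/16", "10.1.0.0/16")]

# EC2 instance-profile sessions use the instance ID as the role session name,
# so userIdentity.principalId looks like "AROA...:i-0123456789abcdef0".
INSTANCE_SESSION = re.compile(r":(i-[0-9a-f]{8,17})$")

def imds_instance(event):
    """Return the instance ID if the caller is an instance-role session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    m = INSTANCE_SESSION.search(ident.get("principalId", ""))
    return m.group(1) if m else None

def outside_vpc(source_ip):
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        # Calls AWS services make on the caller's behalf carry a hostname such as
        # "ec2.amazonaws.com" instead of an IP; they are not off-box use.
        return False
    return not any(ip in net for net in VPC_CIDRS)

def find_stolen_imds_creds(events):
    """Return (instance_id, role_arn, source_ip, eventName) for every call made with
    instance-role credentials from an address outside VPC_CIDRS."""
    hits = []
    for ev in events:
        instance = imds_instance(ev)
        if instance and outside_vpc(ev.get("sourceIPAddress", "")):
            hits.append((instance, ev["userIdentity"]["arn"], ev["sourceIPAddress"], ev["eventName"]))
    return hits

# Constructed CloudTrail records (not real data): an in-VPC call, a service-originated
# call, the same instance-role session used from the internet, and an IAM user.
ROLE = "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123def4567890"
IMDS_IDENT = {"type": "AssumedRole", "principalId": "AROAEXAMPLE1:i-0abc123def4567890", "arn": ROLE}
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "sourceIPAddress": "10.0.4.21", "userIdentity": IMDS_IDENT},
    {"eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": IMDS_IDENT},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.77", "userIdentity": IMDS_IDENT},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE2", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

if __name__ == "__main__":
    for hit in find_stolen_imds_creds(SAMPLE_EVENTS):
        print("ALERT instance-role credentials used off-box:", hit)
```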

Resource Hijacking

Cloud resource hijacking occurs when an attacker uses compromised cloud credentials to provision resources — typically for cryptomining, but also for C2 infrastructure, spam campaigns, or data exfiltration.

Common Hijacking Patterns

Pattern | What Happens | Cloud Provider | Cost Impact
--- | --- | --- | ---
Cryptomining | Attacker launches GPU-intensive compute instances (p3/p4/GPU instances in AWS, N-series in Azure) | AWS, Azure, GCP | $10k-$500k+ per day
Lambda crypto | Attacker creates Lambda functions that run cryptominers on trigger | AWS | Lower ($/invocation) but persistent
Bucket abuse | Attacker creates S3 buckets that serve malware or phishing pages | AWS | Reputational and takedown cost
DNS abuse | Attacker uses Route53 or Cloud DNS to host malicious domains | AWS, GCP | Reputational
Email relay | Attacker uses compromised SES/Mailgun/SendGrid keys to send spam | AWS, third-party | Account suspension

Detection — Resource Hijacking

CloudTrail — detect unusual instance launches:

index=aws sourcetype=cloudtrail eventName=RunInstances
| bin _time span=1h
| stats count by _time, userIdentity.arn, sourceIPAddress, requestParameters.instanceType
| eval alert = if(match('requestParameters.instanceType', "^(p3|p4|g4|g5|inf1|f1)"), "HIGH — GPU/FPGA instance launched, possible cryptomining", "INFO — instance launch")
| table _time, userIdentity.arn, sourceIPAddress, requestParameters.instanceType, count, alert
| sort - _time

SPL — detect unusual cost/anomaly alerts from cloud provider billing:

index=cloud_billing sourcetype=aws_cost_explorer
| bin _time span=1d
| stats sum(cost) as total_cost by _time, service, region
| where total_cost > 1000
| eval alert = "HIGH spend on " . service . " in " . region . " — $" . round(total_cost)
| table _time, service, region, total_cost, alert
| sort - total_cost
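The RunInstances detection above, as an added example (not code from the original page) that goes one step further than the SPL: it applies the same GPU/FPGA family regex, and it also counts how many instances each principal launched per hour (honouring maxCount, since one RunInstances call can launch many) to catch mass launches of cheaper types. BURST_THRESHOLD and the CloudTrail records are constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Instance families the page's SPL treats as cryptomining-prone, anchored at the start so
# "p4d.24xlarge" matches but "m5.xlarge" does not.
GPU_FPGA = re.compile(r"^(p3|p4|g4|g5|inf1|f1)[a-z]*\.")
BURST_THRESHOLD = 5  # instances per principal per hour before a burst is flagged (assumed value)

def hour_bucket(event_time):
    # CloudTrail eventTime is ISO-8601 UTC, e.g. "2024-05-01T13:07:55Z"
    t = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(minute=0, second=0)

def triage_run_instances(events):
    """Return alerts for RunInstances events: ("HIGH", arn, source_ip, type) for GPU/FPGA
    launches and ("BURST", arn, hour, count) when one principal launches more than
    BURST_THRESHOLD instances within an hour, counting maxCount per call."""
    alerts = []
    per_hour = defaultdict(int)
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        arn = ev["userIdentity"]["arn"]
        params = ev.get("requestParameters", {})
        itype = params.get("instanceType", "")
        per_hour[(arn, hour_bucket(ev["eventTime"]))] += int(params.get("maxCount", 1))
        if GPU_FPGA.match(itype):
            alerts.append(("HIGH", arn, ev["sourceIPAddress"], itype))
    for (arn, hour), count in per_hour.items():
        if count > BURST_THRESHOLD:
            alerts.append(("BURST", arn, hour.isoformat(), count))
    return alerts

# Constructed CloudTrail records (not real data).
CI_USER = "arn:aws:iam::111122223333:user/ci-deploy"
SAMPLE = [
    {"eventName": "RunInstances", "eventTime": "2024-05-01T13:07:55Z", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": CI_USER}, "requestParameters": {"instanceType": "p4d.24xlarge", "maxCount": 1}},
    {"eventName": "RunInstances", "eventTime": "2024-05-01T13:09:02Z", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": CI_USER}, "requestParameters": {"instanceType": "c5.large", "maxCount": 8}},
    {"eventName": "RunInstances", "eventTime": "2024-05-01T09:30:00Z", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/autoscaling"},
     "requestParameters": {"instanceType": "m5.xlarge", "maxCount": 2}},
]

if __name__ == "__main__":
    for alert in triage_run_instances(SAMPLE):
        print(alert)
```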

Cloud Privilege Escalation

Cloud IAM is complex — and complexity breeds misconfigurations that allow privilege escalation.

Common Escalation Paths

Escalation Path | Description | AWS Example | Azure Example
--- | --- | --- | ---
Permissive pass role | iam:PassRole without resource restriction | Pass an admin role to any EC2 instance — launch an instance with full admin access | Assign Contributor role to a VM that then accesses resources
Policy modification | Ability to create or modify IAM policies | iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion — attacker escalates their own permissions | Azure RBAC Microsoft.Authorization/roleAssignments/write
Key creation | Ability to create access keys for other users | iam:CreateAccessKey — attacker creates a key for an admin user | AAD application credential creation
Service principal abuse | Manipulating service principals with high privileges | Lambda with AdministratorAccess role — attacker modifies Lambda to use the role | Azure Managed Identity attached to a compromised resource
Assume role | Ability to assume a more privileged role | sts:AssumeRole with no ExternalId — attacker assumes a cross-account admin role | Azure — Managed Identity token theft

Detection — Privilege Escalation

CloudTrail — detect IAM policy changes:

index=aws sourcetype=cloudtrail
| search eventSource="iam.amazonaws.com" (eventName=CreatePolicy OR eventName=CreatePolicyVersion OR eventName=SetDefaultPolicyVersion OR eventName=AttachRolePolicy OR eventName=AttachUserPolicy)
| fillnull value="-" requestParameters.policyArn
| bin _time span=1h
| stats count by _time, userIdentity.arn, sourceIPAddress, eventName, requestParameters.policyArn
| eval alert = "IAM policy change by " . 'userIdentity.arn' . " — " . eventName
| table _time, userIdentity.arn, sourceIPAddress, eventName, requestParameters.policyArn, alert
| sort - _time

(The fillnull keeps CreatePolicy events, which carry no policyArn in requestParameters, from being silently dropped by the stats grouping.)
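Detecting the change after the fact is one half; the other is finding policies that already grant the escalation paths in the table above. The following is an added example (not from the original page) that scans an IAM policy document for those actions granted on an unrestricted resource, expanding wildcard actions such as sts:*. The policy document is constructed; Condition blocks are ignored, so a finding means "review", not "exploitable".

```python
import fnmatch
import json

# Actions from the escalation-path table, mapped to the path they enable.
ESCALATION_ACTIONS = {
    "iam:PassRole": "permissive pass role",
    "iam:CreatePolicyVersion": "policy modification",
    "iam:SetDefaultPolicyVersion": "policy modification",
    "iam:AttachUserPolicy": "policy modification",
    "iam:AttachRolePolicy": "policy modification",
    "iam:CreateAccessKey": "key creation",
    "sts:AssumeRole": "assume role",
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def find_escalation_paths(policy_doc):
    """Return (action, path, resource) for each Allow statement that grants an
    escalation-prone action on a broad resource ("*", "...:*" or ".../*").
    Wildcard actions such as "iam:*" are expanded against ESCALATION_ACTIONS.
    Condition keys are not evaluated, so treat results as review items."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt or "NotResource" in stmt:
            continue  # NotAction/NotResource need their own analysis; skipped here
        broad = [r for r in _as_list(stmt.get("Resource", []))
                 if r == "*" or r.endswith(":*") or r.endswith("/*")]
        if not broad:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action, path in ESCALATION_ACTIONS.items():
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((action, path, broad[0]))
    return findings

# Constructed policy (not from the page): unrestricted PassRole, CreateAccessKey scoped to the
# caller's own user (acceptable), and a wildcard sts:* that covers AssumeRole on any role.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateAccessKey",
     "Resource": "arn:aws:iam::111122223333:user/${aws:username}"},
    {"Effect": "Allow", "Action": "sts:*", "Resource": "arn:aws:iam::*:role/*"}
  ]
}""")

if __name__ == "__main__":
    for action, path, resource in find_escalation_paths(SAMPLE_POLICY):
        print(f"{path}: {action} allowed on {resource}")
```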

SaaS Compromise Patterns

SaaS applications (O365, GWS, Slack, GitHub, Salesforce) have their own threat landscape that does not map neatly to IaaS monitoring.

Key SaaS Attack Vectors

Vector | Target | Detection
--- | --- | ---
OAuth app abuse | Granting malicious third-party apps access to user mail/calendar/files | OAuth consent log, unexpected app permissions, unverified publisher apps
Mailbox rule abuse | Attacker creates forwarding/inbox rules to exfiltrate email | Exchange Admin Audit Log — new forwarding rules or mailbox delegation
MFA fatigue bombing | Repeated MFA push notifications until the user approves | Azure AD Sign-in Logs showing repeated MFA denials then approval
Token theft/replay | Stealing session tokens from browser or device | Anomalous location, device, or IP for the user — impossible travel
Admin role escalation | Compromising a user who can grant themselves higher roles | Azure AD Audit Log — Add member to role from unexpected user or IP
API token compromise | GitHub personal access tokens, Slack bot tokens, Salesforce session tokens | Audit logs showing API access from unexpected IP or at unusual times

Detection — OAuth App Abuse in Azure AD

index=azure sourcetype=audit_logs
| search OperationName="Consent to application" OR OperationName="Add OAuth2PermissionGrant"
| search NOT TargetResources{}.displayName IN ("ApprovedApp1", "ApprovedApp2")
| bin _time span=1d
| stats values(TargetResources{}.displayName) as AppName, values(InitiatedBy.user.userPrincipalName) as User by _time, Result
| eval alert = "New OAuth app consent: " . mvjoin(AppName, ", ") . " by " . mvjoin(User, ", ")
| table _time, User, AppName, Result, alert

(The IN list is a placeholder for your approved-application allowlist, typically maintained as a lookup; User is multivalued after stats, so it is joined with mvjoin like AppName.)

Detection — Mailbox forwarding rules in Exchange Online:

index=m365 sourcetype=exchange_admin
| search Operation="New-InboxRule" OR Operation="Set-InboxRule"
| where isnotnull('Parameters.ForwardTo') OR isnotnull('Parameters.ForwardingSmtpAddress')
| eval alert = "Mailbox forwarding rule created — possible data exfiltration"
| table _time, UserId, Parameters, alert
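The forwarding-rule detection above, as an added example that is not code from the original page. It assumes the unified audit log shape where Parameters is a list of name/value pairs, and it generalises the SPL in two ways: it also covers Set-Mailbox (where ForwardingSmtpAddress is actually set) plus the RedirectTo and ForwardAsAttachmentTo rule parameters, and it only alerts when the destination domain is outside the tenant's own domains. INTERNAL_DOMAINS and the audit records are constructed.

```python
import re

FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
INTERNAL_DOMAINS = {"example.com"}  # assumed: the tenant's own accepted domains
# Recipient values look like "smtp:user@domain" or a display name with the address inside.
ADDR = re.compile(r"[\w.+-]+@[\w.-]+\.\w+", re.I)

def parameters_to_dict(record):
    # The unified audit log stores cmdlet parameters as a list of {"Name": ..., "Value": ...}
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def forwarding_targets(record):
    """Return the external addresses this record forwards mail to, or [] if none."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = parameters_to_dict(record)
    external = []
    for name in FORWARDING_PARAMS:
        for addr in ADDR.findall(params.get(name, "")):
            if addr.split("@")[1].lower() not in INTERNAL_DOMAINS:
                external.append(addr.lower())
    return external

def find_exfil_rules(records):
    """Return (UserId, Operation, [external addresses]) for records that forward externally."""
    hits = []
    for r in records:
        targets = forwarding_targets(r)
        if targets:
            hits.append((r["UserId"], r["Operation"], targets))
    return hits

# Constructed unified audit log records (not real data): an external inbox rule,
# an internal one that should not alert, and mailbox-level forwarding via Set-Mailbox.
SAMPLE = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "smtp:backup.mail@attacker-mail.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Team"}, {"Name": "ForwardTo", "Value": "smtp:team@example.com"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.personal@mail.invalid"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
]

if __name__ == "__main__":
    for user, op, targets in find_exfil_rules(SAMPLE):
        print(f"ALERT {user}: {op} forwards mail to {targets}")
```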

Key Detection Tables — Cloud Threat Quick Reference

Threat | Primary Log Source | Key Events | MITRE ATT&CK
--- | --- | --- | ---
IMDS credential theft | CloudTrail / Azure Activity Log / GCP Audit Logs | AssumeRole from unexpected IP, metadata API access | T1552.005
Credential leak (GitHub) | GitHub secret scanning, AWS CreateAccessKey | GitHub alert + same key used from new IP | T1552.001
Resource hijacking | CloudTrail RunInstances, Cost Explorer anomalies | GPU instance launches, high cost anomaly | T1496
IAM privilege escalation | CloudTrail IAM events | CreatePolicy, AttachRolePolicy, PassRole | T1098
SaaS OAuth abuse | Azure AD Audit Logs, GWS OAuth logs | Third-party OAuth consent, broad scope requests | T1059.009
SaaS token theft | Azure AD Sign-in Logs, GWS Login Audit | Impossible travel, unfamiliar device, IP mismatch | T1528
