2025-11-17 – Westin, Munich
Once an attacker has gained initial access to an AWS account, one of their first steps is to build persistence. Their retained access can last even after defenders have already begun to isolate and contain an attack. This talk will evaluate the advantages and drawbacks of attacker persistence techniques in AWS, comparing their complexity, potential for compromise, and how easy they are to detect.
Of course, an attacker's choice of persistence methods can depend heavily on the permissions available to them and the target they’re after, and there is a myriad of different ways to build persistence. Therefore, the aim here isn’t to cover every possible persistence method in AWS. Instead, this talk will cover some of the more common methods that have been seen in the wild, and draw your attention to some of the more niche techniques that are still worth looking out for and locking down.
Finally, for each technique, this talk will review practical detection and prevention methods and the practical considerations that come with them.
Persistence is one of the key tactics in the MITRE ATT&CK framework and one of the first steps that an attacker takes after gaining access. This is no different in the cloud, and attackers can use a variety of techniques to build persistence in a compromised Amazon Web Services (AWS) account.
As someone who develops practical cybersecurity training, I’m able to offer a somewhat unusual perspective. Instead of spending all day battling alerts, securing resources, and implementing the latest security best practices, I spend a lot of my time researching and learning. This allows me to step back and evaluate the latest developments in the field across a range of cloud services. To the best of my knowledge, there aren’t any sources out there that compare the effectiveness, technical complexity, and detectability of persistence techniques across AWS, so this talk will fill that gap.
There are countless ways to build persistence, so the talk will focus on techniques that have been seen in the wild. It’ll start with common persistence methods in some of the most heavily targeted AWS services: IAM, EC2, and Lambda. For each technique, I’ll run through and analyze the required steps to achieve persistence. Then I’ll review the potential for compromise that the technique offers, and how an attacker’s target can change the effectiveness of a technique. Finally, I’ll cover practical methods of detection and evaluate how easy they are to implement.
Cloud penetration testers and adversary simulation specialists will gain knowledge of which persistence techniques in AWS are most effective and easiest to use, and the advantages they offer in evading detection. You’ll also hear about new and niche persistence techniques in AWS that can be added to your arsenal.
From a blue team perspective, this talk offers a general overview of persistence techniques in AWS and the most common ones you should be on the lookout for. You’ll also learn about methods of detection (including CloudTrail event names and automated alerting techniques), alongside ways of preventing and locking down these persistence techniques by enforcing short-lived credentials, following the principle of least privilege, and more. Together, this knowledge can enhance your AWS security posture when implemented in an organization.
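As an added illustration of the CloudTrail-based detection the abstract refers to (this is example code, not material from the talk), the Python sketch below matches constructed CloudTrail records against a watchlist of persistence-related event names for IAM, EC2 and Lambda, and notes whether the calling credential was a long-term access key or a temporary STS credential. The watchlist, the sample records and the field selection are assumptions chosen for the example, not the talk's own list.

```python
# Constructed CloudTrail records (not real log data); only the fields the detector reads are present.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice", "accessKeyId": "AKIAEXAMPLE0000000001"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob", "accessKeyId": "ASIAEXAMPLE0000000002"},
     "requestParameters": {"roleName": "Admin"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice", "accessKeyId": "AKIAEXAMPLE0000000001"},
     "requestParameters": {"functionName": "nightly-report"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",  # read-only call, must not fire
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol", "accessKeyId": "ASIAEXAMPLE0000000003"}},
]

# Assumed watchlist: CloudTrail eventName values that create or modify something an attacker could
# come back through, grouped by eventSource for the three services the talk focuses on.
PERSISTENCE_EVENTS = {
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
                          "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy"},
    "ec2.amazonaws.com": {"RunInstances", "ModifyInstanceAttribute", "ImportKeyPair"},
    "lambda.amazonaws.com": {"CreateFunction20150331", "UpdateFunctionCode20150331", "AddPermission20150331"},
}
TARGET_KEYS = ("userName", "roleName", "functionName", "instanceId")

def credential_kind(access_key_id):
    """AKIA-prefixed keys are long-term IAM user keys; ASIA-prefixed keys are temporary STS credentials.
    A long-term key behind a persistence-class call contradicts a short-lived-credentials policy."""
    return {"AKIA": "long-term", "ASIA": "temporary"}.get(access_key_id[:4], "unknown")

def find_persistence_events(records):
    """Return one finding per record whose eventName is on the watchlist for its eventSource."""
    findings = []
    for rec in records:
        source, name = rec.get("eventSource", ""), rec.get("eventName", "")
        if name not in PERSISTENCE_EVENTS.get(source, ()):
            continue
        identity, params = rec.get("userIdentity", {}), rec.get("requestParameters") or {}
        findings.append({
            "service": source.split(".")[0],
            "event": name,
            "actor": identity.get("arn"),
            "credential": credential_kind(identity.get("accessKeyId", "")),
            "target": next((params[k] for k in TARGET_KEYS if k in params), None),
        })
    return findings
```

On the sample data the detector reports the three write events and ignores the read-only DescribeInstances call; in practice the records would come from a CloudTrail log file or an EventBridge rule feeding the same function.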
Cloud security, Amazon Web Services (AWS), Persistence
Hi, I'm Oisín, a cloud security engineer at Immersive, a company specialising in practical cybersecurity training. I've spent the past five years there honing my cloud security skills, with experience across all the major public cloud providers. I love learning about and evaluating cutting-edge research from across the cloud security field, so I can teach others all about the latest trends, tactics, and techniques. I'm especially enthusiastic about AWS and promoting secure practices in cloud infrastructure.