L o a d i n g

Cloud Village is an open space to meet folks interested in offensive and defensive aspects of cloud security.

CFP for DEF CON 31 Contribute/Volunteer Become a Sponsor


Cloud village is an open space to meet folks interested in offensive and defensive aspects of cloud security. The village is home to various activities like talks, workshops, CTFs and discussions targeted around cloud services.

If you are a professional who is looking to gain knowledge on securely maintaining the cloud stack and loves to be around like-minded security folks who share the similar zeal towards the community, Cloud Village is the perfect place for you.

Cloud Village will be in-person at Mesquite(Room), Flamingo Hotel & Casino, Las Vegas.

Hope to see you all there!

Crew Members:

CFP Review Panel:

Cloud Village CTF

Cloud Village CTF @ DEF CON 31: 11th, 12th & 13th August 2023

CTF start - August 11 1000 PST

CTF close - August 13 1200 PST

Registrations Open NOW!

CTF Site - ctf.cloud-village.org

If you ever wanted to break stuff on the cloud, or if you like rabbit holes that take you places you did not think you would go to, follow complicated story lines to only find you could have reached to the flag without scratching your head so much - then this CTF is for you!

Our CTF is a three days jeopardy style contest where we have a bunch of challenges hosted across multiple Cloud providers across multiple categories of difficulty.

You can register as teams or go solo, use hints or stay away from them, in the end it will be all for glory or nothing. Plus the prizes. Did we not mention the prizes? :D

See you on the other side!

Schedule (DEF CON 31)

10:00 - 10:10 PDT

Opening Note

10:10 - 10:50 PDT

Keynote - Cloud Insecurities: What's Up There!

10:50 - 11:30 PDT

Evading Logging in the Cloud: Bypassing AWS CloudTrail

11:30 - 12:10 PDT

The Dark Playground of CI/CD: Attack Delivery by GitHub Actions

12:10 - 12:30 PDT

From Service Catalog Admin to Account takeover: Privilege Escalation with Service Catalog Launch Constraint

12:30 - 13:00 PDT

Attacks as a Service with The DeRF

13:00 - 13:25 PDT

Identifying and securing Firebase vulnerabilities at scale

13:25 - 14:05 PDT

Azure DevOps Security

14:05 - 14:35 PDT

MetaHub Demo: Automating Ownership, Context, and Impact Assessment in Security Findings

14:35 - 16:30 PDT

Infrastructure as Remote Code Execution

10:00 - 10:30 PDT

Introducing IAM-APE

10:30 - 11:10 PDT

Between a Log and a Hard Place: (mis)Adventures in Azure Logs

11:10 - 11:50 PDT

SSO Sloppy, SSO Suspect, SSO Vulnerable

11:50 - 12:20 PDT

Google Workspace Red Team Automation with SWAT

12:20 - 13:00 PDT

The Rocky Balboa Guide to Security Research: Getting Back Up When You Get Knocked Down

13:00 - 13:30 PDT

CloudRecon - finding ephemeral assets in the cloud

13:30 - 14:10 PDT

What the Function: A Deep Dive into Azure Function App Security

14:10 - 14:50 PDT

Bridging the Gap: Cloud Threat Intelligence for Detection and Offensive Security Practitioners

14:50 - 15:35 PDT

The Human Threat Factor - Cloud Security Misconfigurations

10:00 - 10:40 PDT

Call Me Phishmael: Hunting Sensitive Docker Images in Google Container Registry Leaks

10:40 - 11:20 PDT

Tag, You're Exposed: Exploring Azure Service Tags and their Impact on your Security Boundary

11:20 -12:00 PDT

Security Logging in the cloud, trade-offs to consider and patterns to maximise the effectiveness of security data pipelines

12:00 - 12:40 PDT

Tales from a detection engineering in AWSland

12:40 - 13:10 PDT

CNAPPGoat - A multicloud vulnerable-by-design infrastructure deployment tool

13:10 - 13:25 PDT

Closing Note

Talks (DEF CON 31)

Speaker: Ben Sadeghipour (NahamSec)

Date: 11 Aug

Time: 10:10 - 10:50 PDT

Twitter: @NahamSec




This presentation delves into the comprehensive scanning of the entire IP space of major cloud service providers like GCP, Azure, and AWS. By employing ethical and diverse scanning techniques, we uncover valuable insights into their technology stacks, present notable discoveries, and shed light on security vulnerabilities and misconfigurations. The research aims to empower cloud customers with informed decisions and encourages cloud providers to strengthen their security measures for a safer cloud computing environment.

Speakers: Yusuke Kubo, Kiyohito Yamamoto

Date: 11 Aug

Time: 11:30 - 12:10 PDT

Twitter: @voxy14_sec


Yusuke Kubo works as an Offensive Security Researcher at NTT Communications, Japanese Telecommunication Company, and is also NTT Group Certified Security Principal. His responsibilities include researching attack techniques and providing RedTeam for internal. And he contributed to MITRE ATT&CK regarding Safe Mode Boot(T1562.009).

Kiyohito Yamamoto works as an Security Engineer at NTT Communications, Japanese Telecommunication Company, and is also NTT Group Certified Security Principal. He served as a Senior Response Expert during the Tokyo Olympics and also conducted TLPT tests.


GitHub, a software development platform, has become popular in recent years and as of March 2023 and according to GitHub, Inc., is being used by 100 million users worldwide. As the service used by developers around the world, security related to the service becomes a global research topic.
Most of the security topic for GitHub are about information leakage such as source code and APIKEY, which is related to the main function of GitHub service. On the other hand, we focused on the potential for attacks using GitHub Actions, a CICD feature provided by GitHub.

Our research includes both known attack techniques already used by attackers and unknown attacks not yet observed in the wild. The following is a description of the five attacks introduced in this presentation.

  • Malicious Custom Action
  • Two attack techniques are going to be introduced in this section: Malicious JScript Composite Action and Malicious JavaScript Custom Action. Malicious JScript Composite Action is a developed custom action that performs an attack using JScript, after replacing the script engine from node.exe to wscript.exe through Binary Hijacking and Masquerading. Malicious JavaScript Custom Action performs the attack from Nodejs implemented using its C++ addons.

  • GitHub Actions C2
  • We will demonstrate a new C2 framework using self-hosted runner in GitHub Actions. This C2 has been developed using Runner Application, a GitHub Action's agent, to execute commands and download/upload files via GitHub Actions. The C2 achieves stealthiness by utilizing official binaries provided by GitHub and communicating only with GitHub owned domains and IPs.

  • Free Jacking
  • We will introduce the results of my investigation into attacks using free cloud resources, known as "Free Jacking," including the attack actually used by attackers and its changes according to GitHub's countermeasures.

  • Public Malicious Fork and PR
  • We will briefly discuss an Initial Foothold being established through repository configuration or developer operation errors when using self-hosted runners.

  • Theft of Secret
  • We will also provide an overview of the threat of theft of secrets, where encrypted environment variables used within GitHub are stolen from GitHub Actions, based on discussions among researchers.

    Finally, we have systematized the above five attacks based on two perspectives: - GitHub Actions features, such as repository ownership and runner types. - Threat level, including severity and probability. Each attack is shown with its use cases, as well as the potential damages that could occur if it were executed.

    The attack we demonstrate in this presentation could potentially be widely used in other CI/CD services. By discovering threats in CI/CD, we hope to enhance the overall security of these services.

    Speaker: Viktor Gazdag

    Date: 11 Aug

    Time: 13:25 - 14:05 PDT

    Twitter: @wucpi


    Viktor Gazdag has worked as pentester and security consultant for 8 years, lead cloud research working group and M365 capability service. He has reported numerous vulnerabilities in products from companies such as Oracle, SAP, Atlassian, Jenkins, CloudBees Jenkins, JetBrains, Sonatype, as well as hundreds of plugin vulnerabilities in Jenkins Plugins. In 2019, he received the Jenkins Security MVP award. He gave a talk about the research behind finding more than a 100 Jenkins Plugin vulnerabilities at DevOps World. He also gave a presentation at Black Hat USA and DoD CyberDT XSWG about CI/CD pipeline compromises. He also holds multiple AWS/Azure/GCP, Infra as Code, DevOps and Hacking certifications.


    Companies move their development environment from on-prem to the cloud as well. One of the solutions is Azure DevOps (ADO). ADO provides same or similar service that are already existed on-prem such as ticketing, wiki, repository, pipeline, artifacts etc.

    There is a difference between security in the pipeline and security of the pipeline. As a security consultant/pentester we saw both ends and came across these environments either in assumed breach, configuration review or SDL assessment.

    In this talk, we take a look at the later and review the security controls for Azure DevOps (although can be used for other cloud providers as well) that can help in mitigating attacks and the blast radius of a breach. There will be also some resources shared where to go after the talk.

    Speaker: Alex Delamotte

    Date: 12 Aug

    Time: 14:10 - 14:50 PDT

    Twitter: @spiderspiders_


    Alex's passion for cybersecurity is humbly rooted in the early aughts, when she declared a vendetta against a computer worm. Over the past decade, Alex has worked with blue, purple, and red teams serving companies in the technology, financial, pharmaceuticals, and telecom sectors and she has shared research with several ISACs. Alex enjoys researching the intersection of cybercrime and state-sponsored activity. She relentlessly questions why actors pivot to a new technique or attack surface. In her spare time, she can be found DJing or servicing her music arcade games.


    During my transition from a conventional malware research position to a detection engineering role within a technology company, I encountered significant difficulties in acquiring actionable and timely intelligence regarding cloud-based threat actors. Subsequently, when I assumed a new position on an offensive security team, I faced similar challenges due to the scarcity of threat intelligence necessary for effective adversary emulation.

    Recently, I had the opportunity to publish my research on [AlienFox](https://www.sentinelone.com/labs/dissecting-alienfox-the-cloud-spammers-swiss-army-knife/), a communally-developed cloud spamming toolset. As a curator of cloud intelligence, I am confronted with the arduous task of providing defenders with actionable threat intelligence in situations where the tools employed by attackers remain confined within their own systems. In targeted service environments, the utilization of payloads is considerably reduced, with the absence of prominent features such as Cobalt Strike beacons or Meterpreter. Additionally, the intricacies of DLL injection and registry modifications are rendered obsolete. Instead, cloud attackers harness robust and extensively documented APIs developed by the respective service providers, eliminating the need for complex shellcode encoders.

    Given these limitations, how can defenders effectively operate? These attacks invariably leave behind artifacts in the form of configurations, such as the creation of new user profiles, which can be traced through API logs. Ultimately, if approached with an open mind and a willingness to adapt forensic methodologies, these techniques can be extrapolated from the realm of endpoint security. This talk will discuss how to approach detection of several familiar techniques--such as privilege escalation and persistence--ported to the cloud realm.

    Speaker: Nick Frichette

    Date: 11 Aug

    Time: 10:50 - 11:30 PDT

    Twitter: @Frichette_n


    Nick Frichette is a Senior Security Researcher at Datadog, where he specializes in AWS offensive security. He is known for finding multiple zero-day vulnerabilities in the AWS services and regularly publishing on new attack techniques. In addition to his research, Nick is the creator and primary contributor to Hacking the Cloud, an open source encyclopedia of offensive cloud security tradecraft.


    Amazon Web Services (AWS) customers rely on CloudTrail for continuous monitoring and detection of security incidents within their cloud environments. But what if an attacker could bypass this vital security layer, conducting stealthy reconnaissance and even modifying the environment without leaving any log evidence?
    In this talk I will explore the attack surface of the AWS API, and share multiple vulnerabilities I discovered that allowed me to bypass CloudTrail logging for different AWS services. These vulnerabilities have now been fixed by AWS.
    Attendees will gain an understanding of how these vulnerabilities are found, an understanding of the internals of the AWS APIs, and knowledge of how to apply these methods to new CloudTrail bypasses.

    Speaker: Dmitriy Beryoza

    Date: 12 Aug

    Time: 10:30 - 11:10 PDT

    Twitter: @0xd13a


    Dmitriy Beryoza is a Senior Security Researcher with Vectra AI, working on threat detection in the cloud and on-prem networks. Before that, he was a penetration tester and secure software development advocate at IBM. Before switching to security full-time, Dmitriy has been a software developer for many years. He presented talks at BSides Las Vegas, BSides SF, HackFest, and others. Dmitriy holds a Ph.D. in Computer Science and OSCP, CISSP, CCSP and CEH certifications. His interests include reverse engineering, secure software development, and CTF competitions.


    Security monitoring in any environment is made or broken by the signal quality in the event logs.
    Cloud-based solutions have transformed the computing landscape with advantages like on-demand resource availability, scalability, cost-effectiveness, and enhanced collaboration capabilities. For defenders, this new world offered many benefits: robust identity management, patching at scale, improved incident detection and response, and more.

    Cloud providers expose detailed logs that are consumed by security monitoring tools and SOC analysts. One would expect a common, streamlined logging solution to be a clear win in attack detection functionality, but the reality is more complicated.

    We have spent the last three years studying and monitoring Azure logs and have seen many problems that can complicate incident detection and response. With no alternatives to the provider's logging solution and slow problem mitigation speed, these issues go beyond mere annoyances and can help attackers avoid detection.

    In this talk, we will examine logging facilities in Azure, concentrating on events generated by Azure AD and Microsoft 365, and discuss multiple problems that we have observed in monitoring them.

    These include:

  • Blind spots hiding critical security events

  • Poorly documented events, attributes and magic values

  • Missing important information about user actions

  • Bugs in log records

  • Unannounced changes that break detection queries

  • Log pollution opportunities, potentially leading to RCE

  • and more
    For all these issues, we will:

  • examine their impact on defense and monitoring

  • discuss how attackers (and red teamers) may take advantage of them

  • suggest how defenders can mitigate the negative impact, where possible

  • and propose ways the cloud provider can address the problems going forward

  • Speaker: Ian Dillon

    Date: 13 Aug

    Time: 10:00 - 10:40 PDT

    Twitter: @amenbreakpoint


    Ian Dillon is a Staff Security engineer at the New York Times, mostly focusing on cloud security. Long interested in security (like driving 24 hours straight for DEF CON 8), he instead wandered in the desert for years as a software engineer, DBA, then cloud engineer before coming to his senses.


    UI confusion, ACL limitations, and default product behaviors in Google Cloud Platform (GCP) have created a scenario in which it is very easy to accidentally expose sensitive Google Container Registry (GCR) Docker images to the public. To try and determine the frequency of this misconfiguration, and the resulting value of leaked Docker images to attackers, we built a scanner to help find GCP projects with mis-configured GCR repositories. The results were surprising: scores of open image repositories with sensitive source code and a multitude of active secrets to cloud environments, build systems, and external vendors.

    In this presentation, I'll explain the common cause of the GCR misconfiguration and how other GCP service defaults can widen the exposure. We'll also discuss our scanner's approach in narrowing down potential target projects and avoiding GCP abuse mitigation. Finally, we'll go over the common mistakes I found in image builds and applications that allowed simple image exposure to cascade into privilege escalation and direct production system access.

    Speaker: Liv Matan

    Date: 12 Aug

    Time: 12:20 - 13:00 PDT

    Twitter: @terminatorLM


    Liv Matan is a cloud security researcher at Ermetic, where he specializes in application and web security. He previously served in the 8200 Intelligence Corps unit as a software developer. As a bug bounty hunter, Liv has found several vulnerabilities in popular software platforms, such as Azure web services, Facebook and Gitlab. In his free time, Liv boxes, lifts and plays Capture the Flag (CTF).Liv studied computer science at the Weizmann Institute of Science, in Israel.


    Vulnerability research is sometimes perceived as a glamorous pursuit, where researchers constantly uncover security flaws and find critical exploits that can lead to catastrophic results. In this talk, we show you what it's really like behind the scenes of cloud vulnerability research.
    We discuss the lessons learned while dealing with the barriers and challenges that arise when searching for and reporting new vulnerabilities to the biggest cloud vendors. We will present the mindset we embrace to find common ground in major services, and the importance of a responsible disclosure process. We debate why we, the researchers, are accountable for our findings and how we should push the cloud vendor for the best bug resolution.
    Often, vulnerability talks are about the researcher's greatest success stories. This talk also explores the unexpected benefits of coming up short in vulnerability research. We argue that these ""losses"" can provide valuable insights into security research, allowing us to better understand a system's strengths and weaknesses and its security stack.
    The session draws on real-world examples, including a major vulnerability we uncovered that affected multiple Azure web services, exploitation of internal communication channels across various CSPs, and our go-to approach when exploring new unfamiliar cloud services. We close the session by discussing each vendor's unique approach to fixing reported security issues.
    Join us for this thought-provoking talk and discover the hidden side of vulnerability research. You'll come away with a new appreciation for the challenges and rewards of this fascinating field and a deeper understanding of its role in keeping us all safe and secure.

    Speaker: Karl Fosaaen, Thomas Elling

    Date: 12 Aug

    Time: 13:30 - 14:10 PDT

    Twitter: @kfosaaen


    As a VP of Research, Karl is part of a team developing new services and product offerings at NetSPI. Karl previously oversaw the Cloud Penetration Testing service lines at NetSPI and is one of the founding members of NetSPI's Portland, OR team. Karl has a Bachelors of Computer Science from the University of Minnesota and has been in the security consulting industry for 15 years. Karl spends most of his research time focusing on Azure security and contributing to the NetSPI blog. As part of this research, Karl created the MicroBurst toolkit (https://github.com/NetSPI/Microburst) to house many of the PowerShell tools that he uses for testing Azure. In 2021, Karl co-authored the book "Penetration Testing Azure for Ethical Hackers" with David Okeyode.

    Thomas Elling is the Director of Cloud Pentesting and a security researcher at NetSPI. He specializes in web application and cloud security testing. He has advised multiple Fortune 500 companies in the technology sector. In his spare time, Thomas enjoys improving his coding skills, watching bad action movies, and hanging out with his dog, Chunks.


    As organizations have evolved from the "Lift and Shift" cloud migration strategy to building "Cloud Native" applications, there has been a significant increase in the usage of Platform as a Service (PaaS) services in the cloud. The Azure Function App service is a commonly used resource in this space, as it provides simple and easy to deploy application hosting. While the serverless service offers a wide variety of convenient features, it also comes with its own security challenges.

    We will be discussing how the service is utilized by Azure customers and some of the architecture design flaws that can lead to privilege escalation scenarios. Additionally, we will be covering a recently remediated privilege escalation issue that resulted in the Azure “Reader” RBAC role gaining code execution privileges in Function App containers.

    We will also be releasing a tool that automates the exploitation of write access on a Function App's Storage Account. The tool will allow you to gain cleartext access to the Function App keys, and will generate Managed Identity tokens that can be used to pivot to the Function App’s identity. Finally, we will also include best practices and recommendations on how defenders can implement policy and configuration changes that help mitigate these issues.

    Speaker: Jenko Hwong

    Date: 12 Aug

    Time: 11:10 - 11:50 PDT

    Twitter: @jenkohwong


    Jenko Hwong is a Principal Researcher on Netskope's Threat Research Team, focusing on cloud threats/vectors. He's spent time in engineering and product roles at various security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and windows security.


    Enterprise SSO protocols and vendor implementations continue to evolve for the worse, as we've gone from SAML to OAuth to MUVP (Made-Up-Vendor-Protocol).
    Attacks against SSO started with the Golden SAML attack (Cyberark, 11/2017), which used stolen certificates to spoof SAML responses, recently used in the SolarWinds hack in 2020. Recently, OAuth has been used to implement SSO, and new POC identity attacks have been published such as gaining access to a Facebook account that uses Gmail as the SSO identity provider via OAuth 2.0 (Sammouda, 5/2022), utilizing the chaining of traditional web vulnerabilities such as XSS with the design of the OAuth protocol in order to steal OAuth session tokens. AWS's SSO implementation mixes SAML, OAuth, and traditional AWS access keys. And Microsoft and Google also use custom OAuth to implement SSO among their app suites.
    This protocol soup opens up more areas for abuse by attackers with key benefits: remotely-enabled attacks by design without need for endpoint compromise, near-permanent access, no need to go through MFA challenges, and incomplete controls for in preventing, detecting, and responding to these attacks.
    We will demonstrate how these attacks work, what's different, how the underlying SSO protocols and features are abused, and where defensive measures fail.

    Speakers: Aled Mehta, Christian Philipov

    Date: 13 Aug

    Time: 10:40 - 11:20 PDT

    Twitter: @x_delfino, @chrispy_sec


    Aled is security consultant in the cloud security team at WithSecure. He spends the majority of his time exploring Microsoft Cloud services focussing on identifying new attack paths, or new ways of performing well established attacks. Outside of this exploration, he is motivated by sharing knowledge and skills with his colleagues and with the wider community.

    Chris is a senior security consultant in the cloud security team at WithSecure. Loves looking into the unique ways that Microsoft Azure and Google Cloud Platform (GCP) works as well as helping out his fellow colleagues with all their various cloud technical issues. Chris has previously presented at fwd:cloudsec as well as BlueTeamCon, and holds multiple Microsoft certificates with the latest one being Microsoft Cybersecurity Architect.


    Within Cloud environments, the approach to securing networks and resources has shifted. An organisation's security perimeter has become blurred, with resources increasingly exposed, making it harder to clearly establish their attack surface. Components of network and security controls have been abstracted away, including the specific on how they are implemented. One of these abstractions is through Azure Service Tags, a feature that we frequently see being used, and one that often results in resources being more exposed than intended.

    In this talk, we will explore Service Tags in Azure, a common method for modern organisations to use pre-defined network ranges to be allow-listed for inbound and outbound network traffic. Although a useful means to simplify configuration to allow service-to-service communication, its usage can lead to unintentional cross-tenant access to Azure resources. The aim of the talk is to highlight several novel methods by which attackers can get access to a corporate environment. These will range from:

  • Accessing internal resources via an attacker controlled VM in a different tenant

  • Abusing Azure Logic Apps functionality to interact with internal APIs

  • Using SaaS services such as Azure DevOps to modify pipelines within a misconfigured target organisation

  • Fundamentally, this is the service working as intended. Service Tags are *supposed* to cover Azure service network ranges and these *do*, by design, include other organisations' environments. The issue mostly lies in the lack of detailed documentation and the lack of awareness around the breadth of coverage, and the potential impact of these controls. Where documentation is available that highlights some of these components, it is inconsistent in outlining the risks and potential impact. Through our work at a consultancy, we have worked with a range of organisations from large enterprises to medium sized companies. Based on our observations, this is a common issue that is present in different production Azure environments.

    Listeners of the talk will come out with an understanding of:

  • Service Tags and their use cases

  • Attack methods to take advantage of Service Tags

  • Practical recommendations for Service Tag usage
  • Speaker: Marco Mancini

    Date: 13 Aug

    Time: 11:20 - 12:00 PDT

    Twitter:  @mancinij


    I am the tech lead for the Detection Engineering team at Thought Machine a cloud-native core banking company. My career has been based on doing Incident Response and Security monitoring for banks and financial institutions with a deep focus on engineering data driven solutions to several security problems.


    Security Operations in the cloud can be thought as a data problem. If you can immediately and easily answer questions of what, how and who has done an action attackers can be uncovered and dealt with much quicker.
    Building the infrastructure to do this however can easily become very expensive and there are some big trade-offs to consider when building a security logging pipeline.
    This talk will explain the different logging patterns that you can find in public clouds like AWS, GCP and Azure and the pitfalls and experience from building and rebuilding the security logging at different scale levels.
    This talk should give any attendees protecting a company with a big cloud exposure valuable insights that could be applied to building a new security logging function and also how to improve their current security pipelines.

    Speaker: Rodrigo Montoro

    Date: 13 Aug

    Time: 12:00 - 12:40 PDT

    Twitter: @spookerlabs


    Rodrigo Montoro has over 23 years of experience in Information Technology and Computer Security. For most of his career, he has worked with open-source security software (firewalls, IDS, IPS, HIDS, log management, endpoint monitoring), incident detection & response, and Cloud Security. Currently is Head of Threat & Detection Research at Clavis Security. Before that, he worked as Cloud Researcher at Tenchi Security, Head of Research and Development at Apura Cyber Intelligence, SOC/Researcher at Tempest Security, Senior Security Administrator at Sucuri, and Researcher at Spiderlabs. Author of 2 patented technologies involving innovation in the detection field. One is related to discovering malicious digital documents. The second one is in how to analyze malicious HTTP traffic. Rodrigo has spoken at several open source and security conferences (Defcon Cloud Village, OWASP AppSec, SANS (DFIR, SIEM Summit & CloudSecNext), Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE, ZonCon (Amazon Internal Conference), Blackhat Brazil, BSides (Las Vegas e SP)).


    Cloud providers' ecosystems have brought a lot of new challenges to the Security Operations Center (SOC). We now have a lot of attack vectors that create known and still unknown attack vectors, generating a considerable need for further research and detection in this field.

    Specifically, in AWS, we are talking about more than three hundred (300+) services that an attacker could have their specific attack path to achieve their goal. Considering that chaotic scenario and leading a Detection Engineering Team that monitors hundreds of customers, we developed new and innovative ways to improve customer detection in three paths:

    First, the largest market for cloud security is associated with Cloud Security Posture Management (CSPM), a tool that monitors misconfigurations in cloud accounts. We converted the top 10 results based on the CSPM vendor's statistics reports. The findings are prioritized from informational to critical, helping to fix the misconfiguration and making the attacker path more difficult.

    Second, we examined the standard tools' behavior and built detections based on those. In particular, PACU (comprehensive AWS security-testing toolkit designed for offensive security practitioners), Endgame, and Cloudfox. The main goal is to have tool-agnostic detections using a combination of them to better fit into the AWS scenario.

    Third, and just as important, are uncommon paths that abuse services that are not commonly used or have enough research on it but could lead to data exfiltration, resource exposure, privilege escalation, and so on.

    By the end of this talk, attendees will be able to acquire new detection ideas, improve their cloud security posture, and mitigate attack surfaces.

    Speaker: Kat Fitzgerald

    Date: 12 Aug

    Time: 14:50 - 15:35 PDT

    Twitter: @rnbwkat


    I have to say who I am and why I'm here and my qualifications. I want to explain how/why I do this and how I'm going to make it a fun project for everyone after the talk - with some very specific key takeaways!


    Threat modeling the human security risk, or as others might call it, Security Misconfigurations in the cloud and all the fun attack vectors they create. Yep, it's clobberin time and this is what makes this job fun - helping others to find their own security problems before others do!

    Speaker: Michael McCabe

    Date: 11 Aug

    Time: 14:35 - 16:30 PDT

    Twitter: @mccabe615


    Michael McCabe founded Cloud Security Partners in 2017 to create and implement security solutions for a select number of clients. Over the course of his career, Michael has led teams in startups and large financial institutions and guided them through their security journeys. He leads the OWASP Northern Virginia chapter, where he coordinated countless talks and meetups that hosted industry-leading experts. He has been a featured speaker at numerous conferences about application security, cloud security, and more.


    The workshop will focus on research done on Terraform implementations and ways a malicious user could abuse them. During the workshop attendees will learn how Terraform works, how common Terraform security controls are applied, and multiple ways to bypass them and gain further access to environments.

    Terraform is a powerful infrastructure as code tool, but it is also a potential security gap when not properly configured. Built into Terraform, there are numerous ways an attacker with developer-level access could abuse it to gain a larger foothold or harvest data.

    During the workshop, attendees will be led through various exercises using GitHub Actions, Terraform Cloud, and AWS. The workshop aims to teach attendees how Terraform works, various methods that can be potentially abused, and some controls to prevent them.

    Speaker: Kat Traxler

    Date: 11 Aug

    Time: 12:30 - 13:00 PDT

    Twitter: @nightmareJs


    Kat Traxler is the Principal Security Researcher at Vectra AI focusing on threat detection in the public cloud. Prior to her current role, she worked in various stages in the SDLC performing web application penetration testing and security architecture design for Web, IAM, Payment Technologies and Cloud Native Technologies.

    Kat's research philosophy directs her attention to where design flaws and misconfigurations are most probable. This guiding principle leads her research to the intersection of technologies, particularly the convergence of cloud security and application security and where the OS-layer interfaces with higher-level abstractions.

    Kat has presented at various conferences including the SANS CloudSecNext Summit and fwd:CloudSec on topics such as privilege escalation in GCP, and bug-hunting in the cloud. In addition to her work at Vectra AI, she is a member of IAN Faculty and the Lead Author of the SANS SEC549 - Enterprise Cloud Security Architecture and currently holds multiple GIAC certifications. You can find her on the internet as @nightmareJS


    Introducing the DeRF (Detection Replay Framework), a tool which hosts attack techniques and supports the invocation of those attacks across cloud environments. What sets DeRF apart from other cloud attack tools?

  • User-Friendly Interface: Since the DeRF is hosted in Google Cloud, End Users can invoke attacks through the cloud console UI without the need to install software or use the CLI.

  • Accessibility for Non-Security Professionals: The DeRF caters to a broad audience of End Users, including Engineering, Sales, Support Staff or automated processes.

  • Robust OpSec: Long-Lived Credentials are not passed between operators, instead access to the DeRF and its attack techniques are controlled through GCP IAM Role-Based Access Control (RBAC)

  • Extensibility at its Core: Attack sequences are written in YAML, enabling easy configuration of new techniques.

  • Turn-Key deployment: Deploying (and destroying!) the DeRF is a fully automated process, completed in under 3 minutes.

  • During this demo, we will guide you through the straightforward and automated deployment process for the DeRF. We'll demonstrate how to invoke pre-configured attack techniques and illustrate how you can customize the framework to align with your internal attacker profile. By deploying the DeRF within your organization you can easily spin up attacker simulations, to augment training or automate the testing of detection capabilities.

    Speakers: Noam Dahan, Igal Gofman

    Date: 13 Aug

    Time: 12:40 - 13:10 PDT

    Twitter: @NoamDahan, @IgalGofman


    Noam Dahan is a Senior Security Researcher at Ermetic with several years of experience in embedded security. He is a graduate of the Talpiot program at the Israel Defense Forces and spent several years in the 8200 Intelligence Corps. Noam was a competitive debater and is a former World Debating Champion.He is also a former speaker at Black Hat USA, DEF CON DemoLabs, Cloud Village and fwd:cloudsec.

    Igal Gofman is a Head of Security Research at Ermetic. Igal has a proven track record in cloud security, network security, research-oriented development, and threat intelligence. His research interests include cloud security, operating systems, and active directory. Prior to Ermetic Igal worked at Microsoft, XM-Cyber, and Check Point Software Technologies. Igal has spoken at various leading security conferences including Black Hat and DEF-CON.


    CNAPPGoat is a CLI tool designed to deploy intentionally vulnerable-by-design cloud infrastructure. It provides a useful playground for defenders to test their protective strategies, tools, and procedures and for offensive professionals to refine their skills and tooling. This tool deploys diverse infrastructures, including those with misconfigurations, IAM issues, network exposure, and those conducive to lateral movement attacks. While other (excellent) tools are designed to deploy tailored capture-the-flag scenarios, CNAPPGoat takes a broader approach by deploying a wide array of environments with diverse misconfigurations, providing a comprehensive perspective.
    CNAPPGoat supports modular deployment of various vulnerable environments and is a multi-cloud tool. CNAPPGoat is built on Pulumi and supports multiple programming languages. It operates as a CLI tool, requiring no specific IaC expertise, enabling a wide range of professionals to deploy and monitor environments.
    The tool enables defenders to test detection, prevention, and control mechanisms against vulnerabilities and misconfigurations, while aiding offensive professionals by providing practice environments. Demonstrations will include tool showcasing, deployment and remediation of a scenario, practical exploitation for learning, and guidance on building modules to customize CNAPPGoat.

    Speaker: Gabriel

    Date: 11 Aug

    Time: 14:05 - 14:35 PDT

    Linkedin: gabrielsoltz


    Hello! My name is Gabriel, and I'm originally from Argentina but now I live in Berlin. I have accumulated over 15 years of experience in the technology sector, dedicating the last ten to various security-related roles. My journey in security started in Network Security, transitioned into Infrastructure, and currently, I'm deeply invested in Cloud Security.

    Over the past five years, I have devoted my efforts to developing both internal and open-source security tooling, and have made substantial contributions to numerous well-known projects. Unfortunately, I've never had the opportunity to attend Defcon in person. Living in Argentina made traveling challenging, and more recently, relocating to Europe amidst the Covid-19 pandemic has further deferred my plans.

    I am eager to connect with other builders and collaborators in the community. I am particularly excited to share my latest project, MetaHub. I am looking forward to engaging discussions and invaluable insights at Defcon!


    Security findings from automated sources such as network, software, or compliance scanners often overwhelm security teams with excessive generic, context-less information. Determining ownership and impact takes time and can cause critical vulnerabilities to go unnoticed, unnecessary noise, or friction between security teams and other stakeholders.
    My proposed demo introduces MetaHub, a tool designed to mitigate these issues by automating the three crucial stages of security finding assessment: owner determination, contextualization, and impact definition. Leveraging the power of metadata through MetaChecks, MetaTags, MetaTrails, and MetaAccount, MetaHub provides a detailed, context-aware assessment of each finding.

    By integrating MetaHub, teams can significantly reduce false positives, streamline the detection and resolution of security findings, and strategically tailor their scanner selection to minimize unnecessary noise. This ability to focus on meaningful, high-impact issues represents a significant step forward in security engineering and will be the primary focus of the demo.

    MetaHub relies on the ASFF format for ingesting security findings which can be consumed from AWS Security Hub or any ASFF-supported scanner, like Prowler or ElectricEye. It can also help to generate reports and dashboards.

    MetaHub is designed for use as a CLI tool or within automated workflows, such as AWS Security Hub custom actions, AWS Lambda functions, or AWS Step Functions.

    Context, ownership, and impact definitions are not common topics that open source tools are addressing; this one is the approach I found for this problem that aims to be agnostic to the source scanner itself. For me, it would be more than valuable to connect with other people to understand other approaches and get feedback on this one.

    Github: https://github.com/gabrielsoltz/metahub

    Speaker: Tohar Braun

    Date: 12 Aug

    Time: 10:00 - 10:30 PDT

    Twitter: @MaliciousDelish


    Tohar Braun is a Research Tech Lead at Orca Security. During his career, he has helped bring cybercriminals to justice, stopped ransomware from extorting innocents, and unveiled numerous security issues for high-profile companies. He is passionate about helping businesses secure their cloud assets, taking malware apart, and getting shells where they shouldn't be.

    Tohar is an avid gamer, trained chef, and on a quest to become a one man metal band.


    Permission management in AWS can be a daunting task. A single user can have an inline policy, attached managed policies, and be a member of several IAM groups. Not to mention Service Control Policies and permission boundaries!

    IAM-APE, or IAM AWS Policy Evaluator, is an open source, automated tool that was designed to simplify the process of calculating effective permissions for an AWS entity. The tool gathers all the IAM policies present in your account, and then calculates the effective permissions that each entity - User, Group, or Role - has. It presents you with a single policy, summarizing all of their actual permissions

    Speaker: Jason Haddix, Gunnar Andrews

    Date: 12 Aug

    Time: 13:00 - 13:30 PDT

    Twitter: @jhaddix, @G0LDEN_infosec


    Jason Haddix is the CISO and “Hacker in Charge” at BuddoBot, a world-class adversary emulation consultancy. He's had a distinguished 15-year career in cybersecurity previously serving as the CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin. He has also held positions doing mobile penetration testing, network/infrastructure security assessments, and static analysis. Jason is a hacker and bug hunter to the core, and he is ranked 51st all-time on Bugcrowd's leaderboards. Currently, he specializes in recon and web application analysis. Jason has also authored many talks on offensive security methodology, including speaking at cons such as; DEF CON, Black Hat, OWASP, RSA, Nullcon, SANS, IANS, BruCon, Toorcon, and many more. Jason currently lives in Colorado with his wife and three children.

    Gunnar Andrews is an offensive security enthusiast from the Midwest. He enjoys offensive tool development, fitness, adventures, and gaming!


    CloudRecon is a suite of tools for red teamers and bug hunters to find ephemeral and development assets in their campaigns and hunts.

    Often, target organizations stand up cloud infrastructure that is not tied to their ASN or related to known infrastructure. Many times these assets are development sites, IT product portals, etc. Sometimes they don't have domains at all but many still need HTTPs.

    CloudRecon is a suite of tools to scan all the cloud providers and find these hidden gems for testers, by inspecting those SSL certificates.

    The tool suite is three parts in GO:

    • - CloudScrape - A LIVE running too to inspect the ranges for a keywork in SSL certs OU, CN, and SN fields in real time.
    • - CertStan - a tool to retrieve the ranges of AWS, GCP, and Azure, and download all their certs to your box. So you can have your OWN cert.sh database.
    • - CertSniff - a tool to parse and search through the downloaded certs for keywords.

    Speakers: Terrance DeJesus, Justin Ibarra

    Date: 12 Aug

    Time: 11:50 - 12:20 PDT

    Twitter: @_xDeJesus, @br0k3ns0und


    Terrance DeJesus is a Security Detection Engineer for Elastic, where I balance engineering development with threat research into cloud-based threats. Previously held various positions at NTT Ltd. such as cyber threat hunter, threat intelligence analyst, and SOC analyst. Overall, I don't take myself seriously by am committed to whatever has my attention. Became a father at 19 years old and now have a beautiful family of 5. Selfishly, I love hip-hop culture and any role-playing game (RPG) I can get my hands on, but will choose WoW over Runescape any day. Focused on pursuing threat research in cloud-security, with a focus on GCP and AWS, but Google Workspace has been my interest lately. Looking forward to meeting others like-minded and potentially collaborating.

    Justin Ibarra is the leader of the Threat Research and Detection Engineering team at Elastic, where he was previously a principal security research engineer. He focuses on many aspects of offensive and defensive security research, including endpoint, cloud, and web based technologies. He spends a lot of time in telemetry and building detection capabilities, while also continually looking for ways to advance and evolve detection engineering approaches and principles.


    The Simple Workspace ATT&CK Tool (SWAT) is a cutting-edge cybersecurity application that serves as an invaluable asset for threat detection rule authors, red team members, and security researchers. Designed with modularity and simplicity at its core, SWAT is an interactive Python shell tool, instrumental in emulating red-teaming behavior specifically against Google Workspace, and acting as a post-compromise tool.

    At its heart, SWAT is grounded in the MITRE ATT&CK framework, a globally-accessible knowledge base of adversary tactics and techniques. By hosting the ATT&CK enterprise data locally, SWAT significantly reduces lookup times, enhancing the overall user experience while ensuring access to the most relevant and current information.

    A standout feature of SWAT is its inherent modularity, enabling security practitioners to add their custom modules for adversary emulation seamlessly. This flexibility allows the tool to adapt to evolving cybersecurity landscapes, and meet the unique needs of individual use-cases, thereby fostering a collaborative approach to threat detection and response.

    SWAT further enhances its value proposition by integrating a payload known as 'Tango'. Written in Go, Tango functions as a Command and Control (C2) agent, thus adding another layer of realism to red-teaming exercises. This integration encourages a deeper understanding of adversarial behavior and aids in the development of effective defense mechanisms.

    In addition to its emulation capabilities, SWAT offers functionality to analyze data from Google Workspace. This feature empowers users to inspect and evaluate their current security posture, identify potential vulnerabilities, and proactively take steps to strengthen their defenses.

    Finally, the tool's use extends beyond being a mere testing platform. SWAT can be a vital component in security workflows to model potential threats, formulate countermeasures, and train personnel on various facets of cybersecurity. With the continually evolving threat landscape, SWAT is well-positioned to assist cybersecurity professionals in staying ahead of their adversaries. The simplicity and modularity of SWAT make it a powerful tool in the arsenal of those committed to enhancing cybersecurity.

    Speaker: Rojan Rijal

    Date: 11 Aug

    Time: 13:00 - 13:25 PDT

    Twitter: @uraniumhacker


    Rojan Rijal is a security researcher with seven years of experience identifying vulnerabilities in open source, SaaS products and cloud environments. Rojan has been recognized for finding impactful vulnerabilities in private organizations such as Netflix, Zoom, Google, and GitHub and public organizations like the United State Air Force and the United Kingdom's Ministry of Defence. Rojan has presented his research at conferences like BSides San Francisco, Recon Village at Defcon 30 and more.


    Google's Firebase product is a one-stop-shop for deploying infrastructure for small and large scale applications. Firebase provides products ranging from databases, file storage to application authentication and more. Misconfigurations in setting up these infrastructure can result in severe information disclosure and breaches.

    In this talk, we will go over common vulnerabilities on each Firebase product. When going over the vulnerabilities, we will show some sample case-studies affecting small and large organizations. We will then cover some automation test cases that we used to identify these vulnerabilities at scale. Finally, we will cover some example rules that can help mitigate these vulnerabilities at large.

    At the end of this talk, the audience will walkway with knowledge about different types of vulnerabilities to test when reviewing Firebase configurations.

    Speaker: Sarachai Boonyakiat

    Date: 11 Aug

    Time: 12:10 - 12:30 PDT

    Twitter: @ChaiBoonyakiat


    I am Principal Cloud Security in a Non-Profit organization with several years experience in IT security in many industries including Industrial automation, Banking, Insurance, MSSP, Non-Profit and transition to full time Cloud Security since 2019. My current area of responsibilities are design, implement, maintain security controls as well as threat research, pen-testing, log management and incident response in the Cloud (primary AWS). Beside work I like to travel and explore food from different places and cultures.


    AWS offers Service Catalog to help organization centrally manage commonly deployed IT services through Infrastructure As Code whether it be CloudFormation template or Terraform, and helps organizations achieve consistent governance and meet compliance requirements. Additionally, as the security feature, organization can delegate the permission to what AWS called "Launch Constraints" role to provision resources on behalf of regular users whom otherwise do not have enough permission to provision resource themselves.

    In this talk, we are going to explore how attackers, after initial access, can establish persistence and escalate their permission and continue further down the attack chain by leveraging the misconfiguration of the launch constraints role in conjunction with compromised service catalog admin user to take over the entire AWS account. We also will talk about how to detect such attempt and how to apply defense in depth to stop attackers at different stages of the attack chain.

    For Previous Talks & Recent Updates