Acid Rain From Cloud
Lab Author: TheDeadThinker (DFIR | Security Researcher)

Lab Description:

In this lab, you will explore how attackers abuse stolen credentials and the permissions attached to them in AWS to collect account details, perform reconnaissance, and exfiltrate data. From the defender's perspective, you will use AWS CloudTrail and S3 server access logs to detect the suspicious activity and unauthorized access that this leaves behind. Through practical exercises, you will gain hands-on experience in both attacking and defending cloud environments, and learn best practices for continuous monitoring and incident response in AWS.

LAB Disclaimer:

All organization names, binary names, applications, scenarios, and entities used throughout the lab are entirely fictional. Any resemblance to actual individuals, companies, software, or systems, past or present, is purely coincidental and not intentional.

Lab Details

ThreatBreach IR contacted GreenWire SpaceResearch Pvt. Ltd. to report that AWS credentials belonging to a GreenWire SpaceResearch developer user had been found on a ThreatBreach server. ThreatBreach IR could not establish the root cause, because the attacker had removed most of the evidence from that server, and it does not know what the developer's AWS credentials were used for. The GreenWire SpaceResearch IR team has reviewed its logs and the cloud security team has checked the AWS configuration; neither found any new misconfiguration. Your task is to find out what activities the attacker performed in the GreenWire SpaceResearch Pvt. Ltd. AWS environment.

Lab Objectives:

  • Discovery: Identify which services the attacker enumerated and which IP addresses the attacker used for reconnaissance.

  • Persistence Mechanisms: Investigate whether the attacker used any method to maintain access to the AWS environment.

  • Exfiltration: Analyse the logs to find what data was exfiltrated and what mechanism was used to exfiltrate it.

  • Log Analysis: Review the AWS CloudTrail and S3 server access logs for unusual activity or API errors related to the attacker's actions, and use the S3 access logs to detect unauthorized data access.

  • Remediation: Learn best practices to secure AWS and prevent similar breaches in the future.
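The triage that the objectives above describe, as an added example that is not part of the lab or its evidence: it groups CloudTrail records and S3 server access log lines by source IP, records the API calls, access key IDs and error codes seen from each IP, and flags the IPs that enumerated, created persistence, or pulled objects. It assumes the standard CloudTrail record fields (eventSource, eventName, sourceIPAddress, userIdentity, errorCode) and the standard S3 server access log line format. The sample records and log lines, the IP addresses, the bucket and object names and the access key ID are all constructed; the event lists and the discovery threshold are assumptions to tune against the real evidence.

```python
"""Triage CloudTrail records and S3 access log lines by source IP (added example,
not the lab's tooling or evidence; all records, IPs, keys, bucket and object
names below are constructed; event lists and threshold are assumptions)."""
import re
from collections import defaultdict

# IAM calls an attacker uses to outlive rotation of the stolen key (assumed).
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                      "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
                      "CreateRole", "UpdateAssumeRolePolicy"}
# Calls that copy data out or expose it to a foreign account (assumed).
EXFIL_EVENTS = {"GetObject", "CopyObject", "PutBucketPolicy", "PutBucketAcl",
                "CreateSnapshot", "ModifySnapshotAttribute"}
RECON_PREFIXES = ("List", "Describe", "Get")  # checked last: GetObject is exfil

def classify(event_name):
    if event_name in PERSISTENCE_EVENTS:
        return "persistence"
    if event_name in EXFIL_EVENTS:
        return "exfiltration"
    return "discovery" if event_name.startswith(RECON_PREFIXES) else "other"

def triage_cloudtrail(records):
    """Per sourceIPAddress: category counts, API calls, access keys, error codes."""
    by_ip = defaultdict(lambda: {"counts": defaultdict(int), "events": set(),
                                 "access_keys": set(), "errors": set()})
    for r in records:
        e = by_ip[r.get("sourceIPAddress", "-")]
        e["counts"][classify(r["eventName"])] += 1
        e["events"].add(f'{r["eventSource"]}:{r["eventName"]}')
        if key := r.get("userIdentity", {}).get("accessKeyId"):
            e["access_keys"].add(key)
        if "errorCode" in r:  # a run of AccessDenied = blind permission probing
            e["errors"].add(r["errorCode"])
    return by_ip

# Leading fields of an S3 server access log line; trailing fields are ignored.
S3_LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<remote_ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+) (?P<error_code>\S+) '
    r'(?P<bytes_sent>\S+) (?P<object_size>\S+)')

def parse_s3_access_line(line):
    m = S3_LOG_RE.match(line)
    return m.groupdict() if m else None

def triage_s3_access(lines):
    """Per remote IP: successful object downloads, bytes served, distinct keys."""
    by_ip = defaultdict(lambda: {"get_objects": 0, "bytes_sent": 0, "keys": set()})
    for line in lines:
        f = parse_s3_access_line(line)
        if not f or f["operation"] != "REST.GET.OBJECT" or f["status"] != "200":
            continue
        e = by_ip[f["remote_ip"]]
        e["get_objects"] += 1
        e["bytes_sent"] += int(f["bytes_sent"]) if f["bytes_sent"] != "-" else 0
        e["keys"].add(f["key"])
    return by_ip

def flag_ips(ct_by_ip, s3_by_ip):
    """IPs to pivot on first, with the reasons in attack-chain order."""
    flagged = {}
    for ip, e in ct_by_ip.items():
        reasons = []
        if e["counts"]["discovery"] >= 2:  # threshold is an assumption
            reasons.append("discovery")
        if e["counts"]["persistence"]:
            reasons.append("persistence")
        if s3_by_ip.get(ip, {}).get("get_objects"):
            reasons.append("s3-object-reads")
        if reasons:
            flagged[ip] = reasons
    return flagged

def _rec(time, source, name, ip, **extra):  # builds one constructed record
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser",
            "userName": "dev-user", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}, **extra}
SAMPLE_RECORDS = [  # constructed: 203.0.113.10 probes, then persists; 198.51.100.5 is the developer
    _rec("2024-05-01T10:00:01Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.10"),
    _rec("2024-05-01T10:00:09Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.10"),
    _rec("2024-05-01T10:00:15Z", "iam.amazonaws.com", "ListUsers", "203.0.113.10", errorCode="AccessDenied"),
    _rec("2024-05-01T10:02:40Z", "iam.amazonaws.com", "CreateAccessKey", "203.0.113.10"),
    _rec("2024-05-01T09:12:03Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.5"),
]
_HEAD = "79a59df900b949e55d96a1e698fbacedfd6e09d98eaf4b3fe61f4f3cc9cb4e3a example-research-bucket"
_REQ = "arn:aws:iam::123456789012:user/dev-user"
_TAIL = '"-" "aws-cli/2.15.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-research-bucket.s3.us-east-1.amazonaws.com TLSV1.2 - -'
SAMPLE_S3_LINES = [  # constructed: two reads by the attacker IP, one denied read by the developer IP
    f'{_HEAD} [01/May/2024:10:05:20 +0000] 203.0.113.10 {_REQ} 3E57427F4EXAMPLE REST.GET.OBJECT research/telemetry.csv "GET /research/telemetry.csv HTTP/1.1" 200 - 524288 524288 41 39 {_TAIL}',
    f'{_HEAD} [01/May/2024:10:05:31 +0000] 203.0.113.10 {_REQ} 3E57427F5EXAMPLE REST.GET.OBJECT research/orbit-model.bin "GET /research/orbit-model.bin HTTP/1.1" 200 - 1048576 1048576 88 85 {_TAIL}',
    f'{_HEAD} [01/May/2024:09:15:02 +0000] 198.51.100.5 {_REQ} 3E57427F6EXAMPLE REST.GET.OBJECT research/telemetry.csv "GET /research/telemetry.csv HTTP/1.1" 403 AccessDenied 243 - 5 - {_TAIL}',
]
if __name__ == "__main__":
    ct, s3 = triage_cloudtrail(SAMPLE_RECORDS), triage_s3_access(SAMPLE_S3_LINES)
    for ip, why in flag_ips(ct, s3).items():
        print(ip, why, dict(ct[ip]["counts"]), sorted(ct[ip]["events"]), s3.get(ip, {}).get("bytes_sent", 0))
```

To run this against the lab archives, json.load() each CloudTrail delivery file (gzip.open for .json.gz files) and pass its Records list to triage_cloudtrail(), and pass the access log files line by line to triage_s3_access(). The events and errors sets per IP give the enumerated services and AccessDenied probing the Discovery objective asks for, the persistence count points at the IAM calls to inspect for the Persistence objective, and the keys and bytes_sent per IP show what was read for the Exfiltration objective. GetObject only appears in CloudTrail when S3 data events are enabled, which is why the S3 server access logs are parsed separately.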

Tools and Techniques:

  • Log Analysis: any preferred log analysis tool or SIEM

Lab Evidence:

You will get access to all of the collected AWS CloudTrail logs and S3 server access logs.

Password: threatbreach.io

Evidence (link and SHA256); verify each archive against its hash before extracting:

  • CloudTrail_Logs.tar.gz  2793db51713ed25cbbaa9543da1579f918c0de8725c05263ec787244195c6f9c

  • S3AccessLogs.tar.gz  f3d49f45da7bc14b97e0e9577bfd43e3d5e076f49562e8ddf0ee23469ceaa4c1

Writeup

The writeup will be published soon. If you want your own writeup evaluated, send it to labs[@]threatbreach.io.