
Blue Team | Hunting Cloud Persistence Without Malware

February 17, 2026
SANS Institute

Why It Matters

When cloud-native trust mechanisms are abused, organizations can suffer prolonged, high-impact breaches that leave no endpoint indicators. Defenders must shift to cloud-centric hunting: inventory identities and credentials, and deploy targeted detection queries that catch malware-free persistence.

Summary

The talk explains how modern attackers achieve long-term cloud persistence without malware by abusing legitimate cloud-native features—OAuth app consent, stolen or replayed tokens, mismanaged service principal credentials, long-lived API keys, mailbox rules and automated connectors. This activity blends into normal API traffic and admin workflows, evades traditional EDR/AV, and often remains undetected for weeks or months. The presenters outline common attack patterns (illicit consent, token replay, conditional-access gaps, exposed secrets) and illustrate real-world cases in which adversaries exfiltrated data silently. The talk closes with practical hunting guidance: which logs to inspect, which detection queries to run, and how to use SIEM tools such as Splunk and Microsoft Sentinel (with KQL) to map and detect these stealthy intrusions.
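To make the hunting guidance concrete, here is an added example (not code from the talk, SANS, or the speakers) that runs four behaviour-based checks over constructed audit events: inbox rules that forward mail outside the tenant, OAuth consent grants carrying mail or refresh-token scopes, service principal credentials with long validity, and a sign-in session id reused from two addresses minutes apart. The operation names follow Microsoft 365 / Entra audit-log naming, but the record layout, the tenant domain, the scope list and the thresholds are assumptions of this example, not a faithful copy of any product schema; in production the same logic would be expressed as KQL or SPL over the real log tables.

```python
"""Behaviour-based hunt for malware-free cloud persistence over constructed audit events.

Added example, not code from the talk. Records are constructed and simplified;
field names other than the operation names are assumptions of this example.
"""
from datetime import datetime, timedelta
from typing import Dict, List

TENANT_DOMAINS = {"contoso.example"}          # assumption: the organisation's own mail domains
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "offline_access"}  # offline_access = refresh tokens
MAX_SECRET_DAYS = 180                         # assumed policy ceiling for SP credential lifetime
REPLAY_WINDOW = timedelta(minutes=10)         # same session from two IPs inside this window

# Constructed sample events: a benign inbox rule, an external forward-and-delete rule,
# a consent grant with mail + refresh-token scopes, a two-year app secret, and one
# session id seen from two addresses four minutes apart.
EVENTS: List[Dict] = [
    {"time": "2025-03-01T08:00:00", "op": "New-InboxRule", "user": "alice@contoso.example",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
    {"time": "2025-03-01T08:05:00", "op": "New-InboxRule", "user": "bob@contoso.example",
     "params": {"Name": ".", "ForwardTo": "archive@mail-relay.example", "DeleteMessage": True}},
    {"time": "2025-03-01T09:00:00", "op": "Consent to application.", "user": "bob@contoso.example",
     "app": "Mail Sync Helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"time": "2025-03-01T09:30:00", "op": "Add service principal credentials.",
     "user": "admin@contoso.example", "app": "billing-automation",
     "key_start": "2025-03-01", "key_end": "2027-03-01"},
    {"time": "2025-03-01T10:00:00", "op": "UserLoggedIn", "user": "bob@contoso.example",
     "session": "s-17", "ip": "203.0.113.10"},
    {"time": "2025-03-01T10:04:00", "op": "UserLoggedIn", "user": "bob@contoso.example",
     "session": "s-17", "ip": "198.51.100.7"},
]


def external_forwarding_rules(events: List[Dict]) -> List[Dict]:
    """Inbox rules that forward or redirect to a domain the tenant does not own."""
    hits = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e["params"]
        targets = [p[k] for k in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo") if p.get(k)]
        external = [t for t in targets if t.split("@")[-1].lower() not in TENANT_DOMAINS]
        if external:
            # DeleteMessage alongside a forward hides the copies from the mailbox owner.
            hits.append({"user": e["user"], "rule": p.get("Name"), "targets": external,
                         "deletes": bool(p.get("DeleteMessage"))})
    return hits


def risky_consents(events: List[Dict]) -> List[Dict]:
    """Consent grants whose scopes include mail/file access or offline_access."""
    return [{"user": e["user"], "app": e["app"],
             "scopes": sorted(set(e["scopes"]) & HIGH_RISK_SCOPES)}
            for e in events
            if e["op"] == "Consent to application." and set(e["scopes"]) & HIGH_RISK_SCOPES]


def long_lived_credentials(events: List[Dict], max_days: int = MAX_SECRET_DAYS) -> List[Dict]:
    """Service principal secrets or certificates valid longer than the policy ceiling."""
    hits = []
    for e in events:
        if e["op"] != "Add service principal credentials.":
            continue
        days = (datetime.fromisoformat(e["key_end"]) - datetime.fromisoformat(e["key_start"])).days
        if days > max_days:
            hits.append({"app": e["app"], "added_by": e["user"], "valid_days": days})
    return hits


def session_reuse(events: List[Dict], window: timedelta = REPLAY_WINDOW) -> List[Dict]:
    """Same session id from different IPs within the window: a token-replay indicator."""
    last_seen: Dict[str, Dict] = {}
    hits = []
    for e in sorted((x for x in events if x["op"] == "UserLoggedIn"), key=lambda x: x["time"]):
        t = datetime.fromisoformat(e["time"])
        prev = last_seen.get(e["session"])
        if prev and prev["ip"] != e["ip"] and t - prev["time"] <= window:
            hits.append({"user": e["user"], "session": e["session"], "ips": [prev["ip"], e["ip"]]})
        last_seen[e["session"]] = {"ip": e["ip"], "time": t}
    return hits


def hunt(events: List[Dict] = EVENTS) -> Dict[str, List[Dict]]:
    """Run every detector and return findings keyed by detector name."""
    return {"forwarding_rules": external_forwarding_rules(events),
            "risky_consents": risky_consents(events),
            "long_lived_credentials": long_lived_credentials(events),
            "session_reuse": session_reuse(events)}


if __name__ == "__main__":
    for name, findings in hunt().items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

Each detector keys on behaviour rather than on a malware artefact, which is the point of the talk: none of the flagged events involves code execution, and all four would look like ordinary admin or user activity to an EDR. The thresholds (tenant domains, scope list, credential lifetime, replay window) are the tuning knobs a team would set from its own baseline.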

Original Description

Blue Team | The Hunt for Silent Compromise: Detecting Cloud-Native Persistence Without Malware or Alerts
🎙️ Ankit Gupta, Senior Security Engineer, Exeter Finance LLC
🎙️ Shilpi Mittal, Lead IT Security Engineer, Tyson Foods Inc.
📍 Presented at SANS Hack & Defend Summit 2025
As attackers evolve beyond malware and implants, defenders must learn to hunt compromise that never triggers an alert.
Today's most advanced intrusions don't involve code execution at all; they rely on cloud-native persistence, misused APIs, stolen tokens, and dormant OAuth grants that appear to be business as usual.
In this session, we'll explore how to detect stealthy post-exploitation techniques in Microsoft 365, Azure, AWS, and SaaS platforms, where no malware is dropped, no command line is executed, and no EDR agent is triggered.
We'll walk through:
- How attackers achieve malware-less persistence using OAuth apps, service principals, automation accounts, and token replay
- Abusing API keys, app secrets, and conditional access gaps to maintain long-term access
- Hunting abnormal cloud behavior using log patterns, KQL queries, and telemetry triangulation
- Detecting passive infrastructure abuse: mailbox forwarding, rule injection, dormant connectors, and abused automation
- Using MITRE ATT&CK for Cloud and behavioral chaining to surface invisible persistence paths
- Lessons learned from real investigations and red team ops where no AV or EDR caught the compromise
We'll demonstrate:
- How to build behavior-based detections using Microsoft Sentinel, M365 logs, and custom enrichment
- Sample KQL queries and logic apps that automate persistent threat hunting
- A modular framework for hunting persistence across IdP, mail, storage, and app layers
Takeaways include:
- Ready-to-deploy hunt queries mapped to real-world persistence TTPs
- A reference model for cloud-native persistence mapping (covering identity, API, and data layers)
- Practical tips to close detection gaps in Microsoft, Okta, and AWS environments
- How to combine automation with analyst intuition to surface silent compromise
This talk is ideal for:
- Threat hunters, cloud defenders, and SOC analysts in hybrid or cloud-first organizations
- Blue teamers frustrated by the lack of visibility from traditional tools in SaaS environments
- Teams focused on post-exploitation detection, identity protection, and high-impact threat response
In 2025, persistence doesn't look like malware; it seems like your own infrastructure. Join this session to learn how to hunt for what others miss.