Category: Cyber Threat
The Complete AWS Threat Hunting Library: 27 Cloud Hunts, 7 Flagship Playbooks, and the Full Archive (2026)
The definitive AWS threat hunting reference — indexing all 27 published AWS hunting posts on hackforlab.com. 7 flagship 2026 hunts (CloudTrail blind spots, KMS ransomware, GuardDuty evasion, CI/CD compromise, native messaging C2, Athena data lake exfiltration, multi-account federation), plus 19 archive posts covering AWS identity attacks, Bedrock CloudTrail playbook, VPC Flow Log analytics, cloud malware case studies, and the foundational AWS attack-chain detection content.
AWS Organizations Compromise: Hunting the Multi-Account Federation Attack
AWS Organizations centralises governance — and that centralisation creates a high-value attack target. This article covers the four most-exploited multi-account compromise patterns, the cross-account telemetry stitching required to detect them, and the response strategies for organisation-level incident response.
Athena and S3 Data Lake Exfiltration: Hunting the SQL-Powered Data Heist
AWS Athena lets adversaries run massive SELECT queries against S3-stored data lakes — and the resulting data exfiltration leaves a trail that most cloud SOCs do not monitor. This article catalogues the three Athena exfiltration patterns and ships the detection queries that surface them.
EventBridge and SNS as Covert C2: Hunting Native AWS Messaging Abuse
Sophisticated adversaries are increasingly abusing native AWS messaging — EventBridge buses, SNS topics, and SQS queues — as command-and-control channels. The traffic blends with legitimate internal application messaging and produces no obvious external-network indicators. This article catalogues the patterns and ships the detection logic.
Hunting CI/CD Compromise in AWS: CodeBuild, CodePipeline, and the Buildspec Backdoor
The AWS CI/CD attack surface — CodeBuild project configurations, CodePipeline triggers, buildspec.yml files, and build-runner IAM roles — is one of the most under-monitored layers in modern cloud environments. This article ships a focused hunt playbook for the four most exploited CI/CD compromise patterns observed in production incidents.