AG-003: Cross-Cloud Lateral Movement & Exfiltration Path
A comprehensive technical analysis of multi-cloud identity compromise sequences. This attack graph maps the progression from initial token theft through federated trust exploitation to complete cross-platform dominance.
Attackers replay stolen JWTs or abuse OAuth token exchange to assume new identities across federated platforms. When the relying party does not validate the token's audience (aud) claim, a token issued for one service is accepted by another, and authentication across the trust boundary succeeds without further challenge.
JWT replay to federated services
OAuth token exchange for identity pivot
Bypassed audience validation controls
MC-SESSION-05: No audience validation
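As an added illustration that is not part of this attack graph, the Python below contrasts a relying party that skips the aud check (the MC-SESSION-05 condition) with one that pins its own audience and also caps accepted token lifetime (the MC-SESSION-01 weakness discussed later on this page). The identity provider, the relying-party names cloud-a and saas-b, the secret and every token are constructed for the example; HS256 with a shared secret stands in for the asymmetric signatures a real federation would use, and the claim checks are the same.

```python
# Added example, not from the attack graph: JWT audience and lifetime checks,
# standard library only. Constructed scenario: one identity provider signs
# tokens for two relying parties, "cloud-a" and "saas-b" (placeholder names).
# HS256 with a shared secret stands in for the asymmetric keys real federation uses.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # placeholder, not a real key
MAX_LIFETIME = 3600                   # seconds; policy cap on exp - iat (MC-SESSION-01)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, aud: str, lifetime: int, now: int) -> str:
    """Mint a signed token the way the simulated identity provider would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "aud": aud, "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify(token: str, now: int, expected_aud=None) -> dict:
    """Validate a token for one relying party and return its claims.
    expected_aud=None skips the audience check: the MC-SESSION-05 condition."""
    h, p, s = token.split(".")
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")   # MAC covers the encoded header and payload
    claims = json.loads(_unb64url(p))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise ValueError("lifetime exceeds policy")
    if expected_aud is not None:
        auds = claims.get("aud", [])        # aud may be a string or a list of strings
        if expected_aud not in ([auds] if isinstance(auds, str) else auds):
            raise ValueError(f"audience mismatch: {auds!r}")
    return claims

def accepts(token: str, now: int, expected_aud=None) -> bool:
    """True if verify() accepts the token, False if it rejects it."""
    try:
        verify(token, now, expected_aud)
        return True
    except ValueError:
        return False
```

With expected_aud left unset, a token minted for saas-b is accepted at cloud-a; with the audience pinned, the same token is rejected, as is any token whose lifetime exceeds the policy cap.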
Multi-Cloud Authentication
Successful cross-cloud entry grants unauthorized access to secondary cloud environments. Broad mappings between federated identities and cloud roles amplify the impact of the initial compromise.
AWS console via Azure token
GCP service account via OIDC
SaaS admin panels via federation
MC-CLOUD-04: Broad role mappings
Privilege Escalation in Secondary Cloud
IAM Role Enumeration
Systematic discovery of available roles, permissions, and trust relationships within the compromised cloud environment.
Trust Relationship Abuse
Exploitation of overly permissive trust policies to assume higher-privilege roles and service identities.
Machine Identity Pivot
Leveraging service accounts and machine identities to expand access scope across cloud infrastructure.
Critical Weakness: MC-CLOUD-01 — Unrestricted cloud roles enable unchecked privilege escalation across multiple tenants and services.
Lateral Movement Across SaaS & Cloud Applications
GitHub Enterprise
Access to source code repositories, CI/CD pipelines, and development secrets.
Salesforce
Customer data, sales intelligence, and business process automation access.
ServiceNow
IT infrastructure details, change management records, and incident data.
Confluence
Internal documentation, architectural diagrams, and organizational knowledge.
File Storage
Document repositories, shared drives, and unstructured data assets.
Identity APIs
User provisioning systems, directory services, and authentication backends.
Long-lived refresh tokens grant persistent access without re-authentication; they remain valid across session boundaries and survive security events that do not explicitly revoke them.
Access Token Extraction
Short-lived access tokens provide immediate authorization to protected resources. Multiple tokens across platforms enable parallel operations.
API Key Acquisition
Service API keys and application credentials provide programmatic access to cloud resources and SaaS platforms without interactive authentication.
MC-SESSION-01 Exploitation: Excessive token lifetimes let attackers retain access well past detection of the initial compromise. Organizations lack visibility into how tokens are used and how often they are revalidated.
High-Privilege Consolidation
1. Global Admin
2. Root-Equivalent Cloud Role
3. SaaS Tenant Administrator
4. Cross-Platform Privilege Aggregation
Attackers consolidate access across multiple identity systems to achieve maximum control. Without Privileged Identity Management (PIM) for cross-cloud roles, there are no time-based restrictions or approval workflows to limit abuse.
MC-PIM-04: Absence of just-in-time access controls allows permanent high-privilege assignment across federated environments.
Data Exfiltration Operations
Storage Bucket Export
Cloud object storage containing sensitive files, backups, and archived data transferred to attacker-controlled infrastructure.
S3 bucket enumeration
Blob storage access
Cross-region replication
SaaS Record Download
Bulk extraction of CRM data, support tickets, HR records, and business intelligence from integrated SaaS platforms.
API-based data extraction
Report generation abuse
Export functionality misuse
Database Snapshot Extraction
Complete database copies containing structured customer, financial, and operational data exported through cloud backup mechanisms.