
The Hunt for Silent Compromise

The Hunt for Silent Compromise (PDF, 1.23MB)
Last updated: 28 Oct, 2025
Presented by:
Ankit Gupta & Shilpi Mittal

As attackers evolve beyond malware and implants, defenders must learn to hunt compromise that never triggers an alert. Today's most advanced intrusions don't involve code execution at all; they rely on cloud-native persistence, misused APIs, stolen tokens, and dormant OAuth grants that look like business as usual. In this session, we'll explore how to detect stealthy post-exploitation techniques in Microsoft 365, Azure, AWS, and SaaS platforms, where no malware is dropped, no command line is executed, and no EDR agent is triggered.

We'll walk through:
- How attackers achieve malware-less persistence using OAuth apps, service principals, automation accounts, and token replay
- Abusing API keys, app secrets, and conditional access gaps to maintain long-term access
- Hunting abnormal cloud behavior using log patterns, KQL queries, and telemetry triangulation
- Detecting passive infrastructure abuse: mailbox forwarding, rule injection, dormant connectors, and abused automation
- Using MITRE ATT&CK for Cloud and behavioral chaining to surface invisible persistence paths
- Lessons learned from real investigations and red team ops where no AV or EDR caught the compromise

We'll demonstrate:
- How to build behavior-based detections using Microsoft Sentinel, M365 logs, and custom enrichment
- Sample KQL queries and Logic Apps that automate persistent threat hunting
- A modular framework for hunting persistence across IdP, mail, storage, and app layers

Takeaways include:
- Ready-to-deploy hunt queries mapped to real-world persistence TTPs
- A reference model for cloud-native persistence mapping (covering identity, API, and data layers)
- Practical tips to close detection gaps in Microsoft, Okta, and AWS environments
- How to combine automation with analyst intuition to surface silent compromise

This talk is ideal for:
- Threat hunters, cloud defenders, and SOC analysts in hybrid or cloud-first organizations
- Blue teamers frustrated by the lack of visibility from traditional tools in SaaS environments
- Teams focused on post-exploitation detection, identity protection, and high-impact threat response

In 2025, persistence doesn't look like malware; it looks like your own infrastructure. Join this session to learn how to hunt for what others miss.
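As an added example of the behavior-based, mail-layer hunting the abstract describes (this is not code from the session or its presenters), the Python below classifies Microsoft 365 audit records for inbox-rule injection and mailbox forwarding and ranks them by how much they look like persistence. The record shape approximates the Exchange entries of the Unified Audit Log (an Operation plus a Parameters list of Name/Value pairs); the tenant domain list, the sample events and the severity tiers are this example's own assumptions and constructions.

```python
"""Hunt for mailbox-forwarding and inbox-rule persistence in M365 audit events.

Added example, not from the talk. Record shape (Operation, UserId, ClientIP and a
Parameters list of Name/Value pairs) approximates Exchange entries of the Unified
Audit Log; treat the field names as an assumption and adjust to your export.
"""

TENANT_DOMAINS = {"contoso.com"}  # assumed tenant domains; anything else is external
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters that send mail elsewhere ...
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# ... and boolean parameters attackers use to keep the victim from noticing.
HIDING_FLAGS = ("DeleteMessage", "MarkAsRead")


def parameters(event):
    """Flatten the Name/Value list into a dict of parameter name -> value."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def recipient_domain(recipient):
    """Domain of 'smtp:user@x', 'Name <user@x>' or plain 'user@x'; '' if none."""
    addr = recipient.strip().strip('"')
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    if addr.lower().startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_truthy(value):
    return value.strip().lower() in {"true", "$true", "1"}


def classify(event):
    """Return (severity, reasons) for one event; severity is None when benign."""
    if event.get("Operation") not in WATCHED_OPERATIONS:
        return None, []
    params = parameters(event)
    external, internal = [], []
    for name in sorted(set(params) & FORWARDING_PARAMS):
        for recipient in params[name].split(";"):
            domain = recipient_domain(recipient)
            if domain:
                bucket = internal if domain in TENANT_DOMAINS else external
                bucket.append(f"{name}={recipient.strip()}")
    hides = "MoveToFolder" in params or any(is_truthy(params.get(f, "")) for f in HIDING_FLAGS)
    if external:
        reasons = ["mail forwarded outside the tenant: " + ", ".join(external)]
        if hides:
            reasons.append("rule also hides the forwarded mail (delete, move or mark as read)")
        return ("high" if hides else "medium"), reasons
    if internal:
        return "low", ["mail forwarded to another tenant mailbox: " + ", ".join(internal)]
    if is_truthy(params.get("DeleteMessage", "")):
        return "low", ["rule silently deletes matching mail (often used to suppress security notices)"]
    return None, []


def hunt(events):
    """Run classify() over a batch of events; findings come back sorted by severity."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for event in events:
        severity, reasons = classify(event)
        if severity:
            findings.append({"user": event.get("UserId"), "operation": event.get("Operation"),
                             "client_ip": event.get("ClientIP"), "severity": severity,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "ForwardTo", "Value": "finance.updates@mail-relay.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "bob@contoso.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.home@mailbox.example"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@contoso.com", "ClientIP": "10.1.2.3",
     "Parameters": [{"Name": "RedirectTo", "Value": "Dan Lead <dan@contoso.com>"}]},
    {"Operation": "Set-InboxRule", "UserId": "erin@contoso.com", "ClientIP": "10.1.2.9",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "unusual sign-in"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "frank@contoso.com", "ClientIP": "10.1.2.4",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "MailItemsAccessed", "UserId": "grace@contoso.com", "ClientIP": "10.1.2.5"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['user']} {f['operation']} from {f['client_ip']}")
        for reason in f["reasons"]:
            print("         -", reason)
```

The point of the tiers is that none of these events is malicious on its own: forwarding is a legitimate feature, and so is deleting mail. What surfaces persistence is the combination (external recipient plus a hiding action) and the context you add afterwards, such as whether the ClientIP matches the user's usual sign-in locations. Feeding the same logic from Sentinel's OfficeActivity table rather than an exported JSON file is a matter of mapping the Operation and Parameters columns onto the record shape assumed here.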

SANS Hack & Defend Summit 2025