Pacu
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .004 | Account Discovery: Cloud Account | |
| Enterprise | T1098 | .001 | Account Manipulation: Additional Cloud Credentials |
Pacu can generate SSH and API keys for AWS infrastructure and additional API keys for other IAM users.[1] |
| Enterprise | T1119 | Automated Collection |
Pacu can automatically collect data, such as CloudFormation templates, EC2 user data, AWS Inspector reports, and IAM credential reports.[1] |
|
| Enterprise | T1651 | Cloud Administration Command |
Pacu can run commands on EC2 instances using AWS Systems Manager Run Command.[1] |
|
| Enterprise | T1580 | Cloud Infrastructure Discovery |
Pacu can enumerate AWS infrastructure, such as EC2 instances.[1] |
|
| Enterprise | T1526 | Cloud Service Discovery |
Pacu can enumerate AWS services, such as CloudTrail and CloudWatch.[1] |
|
| Enterprise | T1619 | Cloud Storage Object Discovery |
Pacu can enumerate AWS storage services, such as S3 buckets and Elastic Block Store volumes.[1] |
|
| Enterprise | T1059 | .009 | Command and Scripting Interpreter: Cloud API | |
| Enterprise | T1555 | .006 | Credentials from Password Stores: Cloud Secrets Management Stores |
Pacu can retrieve secrets from the AWS Secrets Manager via the enum_secrets module.[1] |
| Enterprise | T1530 | Data from Cloud Storage |
Pacu can enumerate and download files stored in AWS storage services, such as S3 buckets.[1] |
|
| Enterprise | T1546 | Event Triggered Execution |
Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups.[1] |
|
| Enterprise | T1562 | .007 | Impair Defenses: Disable or Modify Cloud Firewall | |
| .008 | Impair Defenses: Disable or Modify Cloud Logs |
Pacu can disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow logs.[1] |
||
| Enterprise | T1654 | Log Enumeration |
Pacu can collect CloudTrail event histories and CloudWatch logs.[1] |
|
| Enterprise | T1578 | .001 | Modify Cloud Compute Infrastructure: Create Snapshot |
Pacu can create snapshots of EBS volumes and RDS instances.[1] |
| Enterprise | T1069 | .003 | Permission Groups Discovery: Cloud Groups | |
| Enterprise | T1648 | Serverless Execution | ||
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Pacu can enumerate AWS security services, including WAF rules and GuardDuty detectors.[1] |
| Enterprise | T1049 | System Network Connections Discovery |
Once inside a Virtual Private Cloud, Pacu can attempt to identify DirectConnect, VPN, or VPC Peering.[1] |
|
| Enterprise | T1552 | Unsecured Credentials |
Pacu can search for sensitive data: for example, in Code Build environment variables, EC2 user data, and Cloud Formation templates.[1] |
|
| Enterprise | T1078 | .004 | Valid Accounts: Cloud Accounts |
Pacu leverages valid cloud accounts to perform most of its operations.[1] |