Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]

ID: S1091
Type: TOOL
Platforms: IaaS
Contributors: Thanabodi Phrakhun, @naikordian
Version: 1.0
Created: 28 September 2023
Last Modified: 19 October 2023

Techniques Used

Domain ID Name Use
Enterprise T1087 .004 Account Discovery: Cloud Account

Pacu can enumerate IAM users, roles, and groups. [1]

Enterprise T1098 .001 Account Manipulation: Additional Cloud Credentials

Pacu can generate SSH and API keys for AWS infrastructure and additional API keys for other IAM users.[1]

Enterprise T1119 Automated Collection

Pacu can automatically collect data, such as CloudFormation templates, EC2 user data, AWS Inspector reports, and IAM credential reports.[1]

Enterprise T1651 Cloud Administration Command

Pacu can run commands on EC2 instances using AWS Systems Manager Run Command.[1]

Enterprise T1580 Cloud Infrastructure Discovery

Pacu can enumerate AWS infrastructure, such as EC2 instances.[1]

Enterprise T1526 Cloud Service Discovery

Pacu can enumerate AWS services, such as CloudTrail and CloudWatch.[1]

Enterprise T1619 Cloud Storage Object Discovery

Pacu can enumerate AWS storage services, such as S3 buckets and Elastic Block Store volumes.[1]

Enterprise T1059 .009 Command and Scripting Interpreter: Cloud API

Pacu leverages the AWS CLI for its operations.[1]

Enterprise T1555 .006 Credentials from Password Stores: Cloud Secrets Management Stores

Pacu can retrieve secrets from the AWS Secrets Manager via the enum_secrets module.[1]

Enterprise T1530 Data from Cloud Storage

Pacu can enumerate and download files stored in AWS storage services, such as S3 buckets.[1]

Enterprise T1546 Event Triggered Execution

Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups.[1]

Enterprise T1562 .007 Impair Defenses: Disable or Modify Cloud Firewall

Pacu can allowlist IP addresses in AWS GuardDuty.[1]

.008 Impair Defenses: Disable or Modify Cloud Logs

Pacu can disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow logs.[1]

Enterprise T1654 Log Enumeration

Pacu can collect CloudTrail event histories and CloudWatch logs.[1]

Enterprise T1578 .001 Modify Cloud Compute Infrastructure: Create Snapshot

Pacu can create snapshots of EBS volumes and RDS instances.[1]

Enterprise T1069 .003 Permission Groups Discovery: Cloud Groups

Pacu can enumerate IAM permissions.[1]

Enterprise T1648 Serverless Execution

Pacu can create malicious Lambda functions.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Pacu can enumerate AWS security services, including WAF rules and GuardDuty detectors.[1]

Enterprise T1049 System Network Connections Discovery

Once inside a Virtual Private Cloud, Pacu can attempt to identify DirectConnect, VPN, or VPC Peering.[1]

Enterprise T1552 Unsecured Credentials

Pacu can search for sensitive data: for example, in Code Build environment variables, EC2 user data, and Cloud Formation templates.[1]

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

Pacu leverages valid cloud accounts to perform most of its operations.[1]