Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1546 | Event Triggered Execution | Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups.[1] |
| Enterprise | T1580 | Cloud Infrastructure Discovery | Pacu can enumerate AWS infrastructure, such as EC2 instances.[1] |
| Enterprise | T1619 | Cloud Storage Object Discovery | Pacu can enumerate AWS storage services, such as S3 buckets and Elastic Block Store volumes.[1] |
| Enterprise | T1526 | Cloud Service Discovery | Pacu can enumerate AWS services, such as CloudTrail and CloudWatch.[1] |
| Enterprise | T1651 | Cloud Administration Command | Pacu can run commands on EC2 instances using AWS Systems Manager Run Command.[1] |
| Enterprise | T1530 | Data from Cloud Storage | Pacu can enumerate and download files stored in AWS storage services, such as S3 buckets.[1] |
| Enterprise | T1555.006 | Credentials from Password Stores: Cloud Secrets Management Stores | Pacu can retrieve secrets from AWS Secrets Manager via the enum_secrets module.[1] |
| Enterprise | T1578.001 | Modify Cloud Compute Infrastructure: Create Snapshot | Pacu can create snapshots of EBS volumes and RDS instances.[1] |
| Enterprise | T1059.009 | Command and Scripting Interpreter: Cloud API | |
| Enterprise | T1562.007 | Impair Defenses: Disable or Modify Cloud Firewall | |
| Enterprise | T1562.008 | Impair Defenses: Disable or Modify Cloud Logs | Pacu can disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow logs.[1] |
| Enterprise | T1648 | Serverless Execution | |
| Enterprise | T1654 | Log Enumeration | Pacu can collect CloudTrail event histories and CloudWatch logs.[1] |
| Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | Pacu leverages valid cloud accounts to perform most of its operations.[1] |
| Enterprise | T1552 | Unsecured Credentials | Pacu can search for sensitive data, for example in CodeBuild environment variables, EC2 user data, and CloudFormation templates.[1] |
| Enterprise | T1069.003 | Permission Groups Discovery: Cloud Groups | |
| Enterprise | T1049 | System Network Connections Discovery | Once inside a Virtual Private Cloud, Pacu can attempt to identify Direct Connect, VPN, or VPC peering connections.[1] |
| Enterprise | T1119 | Automated Collection | Pacu can automatically collect data, such as CloudFormation templates, EC2 user data, AWS Inspector reports, and IAM credential reports.[1] |
| Enterprise | T1087.004 | Account Discovery: Cloud Account | |
| Enterprise | T1098.001 | Account Manipulation: Additional Cloud Credentials | Pacu can generate SSH and API keys for AWS infrastructure and additional API keys for other IAM users.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Pacu can enumerate AWS security services, including WAF rules and GuardDuty detectors.[1] |
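Most of the behaviours in the table are plain AWS API calls, so they surface in CloudTrail management events. The following Python is an added, defender-side example (not Pacu's code and not part of the MITRE page): it maps CloudTrail `eventSource`/`eventName` pairs to the technique IDs listed above and treats `CreateAccessKey` as T1098.001 only when the key is minted for a different IAM user than the caller. The service and API names are real CloudTrail values; the records, user names, bucket and secret names are constructed for the demonstration.

```python
"""Map CloudTrail management events to the ATT&CK techniques in the Pacu table.

Added example, not code from Pacu or MITRE. eventSource/eventName strings are
real CloudTrail values; every record below is constructed sample data.
"""
import json
from collections import defaultdict

# Constructed CloudTrail records, trimmed to the fields the classifier reads.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": {"name": "org-trail"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteFlowLogs",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": {"flowLogIds": ["fl-0123"]}},
    # Key created for ANOTHER user: additional cloud credentials (T1098.001).
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": {"userName": "admin-user"}},
    # Key created for the caller's own user: routine, not flagged.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": {"userName": "dev-user"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketNotification",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": {"bucketName": "cfn-templates"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": {"documentName": "AWS-RunShellScript"}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": {"secretId": "prod/db"}},
    # Read-only discovery call: not in the map, so it yields None.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": None},
]

# (eventSource, eventName) -> technique ID from the table above.
EVENT_TECHNIQUES = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "T1562.008",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "T1562.008",
    ("cloudtrail.amazonaws.com", "UpdateTrail"): "T1562.008",
    ("ec2.amazonaws.com", "DeleteFlowLogs"): "T1562.008",
    ("s3.amazonaws.com", "PutBucketNotification"): "T1546",
    ("ssm.amazonaws.com", "SendCommand"): "T1651",
    ("secretsmanager.amazonaws.com", "GetSecretValue"): "T1555.006",
    ("ec2.amazonaws.com", "CreateSnapshot"): "T1578.001",
    ("rds.amazonaws.com", "CreateDBSnapshot"): "T1578.001",
}


def parse_cloudtrail(text):
    """Accept either a CloudTrail export ({"Records": [...]}) or newline-delimited JSON."""
    text = text.strip()
    if text.startswith("{") and '"Records"' in text[:20]:
        return json.loads(text)["Records"]
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return the technique ID for one record, or None when it is not tracked."""
    key = (event.get("eventSource"), event.get("eventName"))
    if key == ("iam.amazonaws.com", "CreateAccessKey"):
        caller = (event.get("userIdentity") or {}).get("userName")
        target = (event.get("requestParameters") or {}).get("userName")
        # Only a key issued to someone else counts as adding credentials.
        return "T1098.001" if target and target != caller else None
    return EVENT_TECHNIQUES.get(key)


def summarize(events):
    """Group flagged records as {caller: {technique: [eventName, ...]}}."""
    summary = defaultdict(lambda: defaultdict(list))
    for ev in events:
        technique = classify(ev)
        if technique:
            caller = (ev.get("userIdentity") or {}).get("userName", "<unknown>")
            summary[caller][technique].append(ev["eventName"])
    return {caller: dict(techs) for caller, techs in summary.items()}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVENTS), indent=2))
```

Running the block prints one entry for `dev-user` with five techniques; the self-issued access key and the `DescribeInstances` call are deliberately left out, since keying on read-only enumeration alone produces far too much noise in a real account.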