☁️
CTHFM: AWS
  • Welcome
  • Getting Started
    • Account Setup
  • AWS CLI
    • AWS CLI Overview
    • Installation
  • AWS Fundamentals
    • AWS Documentation
    • AWS Shared Responsibility Model
    • Organizational Hierarchy
    • AWS Principals
    • IAM Fundamentals
      • IAM Policy Components
      • IAM Documentation References
    • AWS Security Services Overview
    • AWS Core Services
    • AWS Frameworks
    • Regions and Availability Zones
  • SQL
    • SQL Refresher for Threat Hunting
  • Logging Reference
    • Cloudtrail
      • What is Cloudtrail?
      • Setting Up Cloudtrail
      • Cloudtrail Events Structure
      • Filtering and Searching CloudTrail Logs
      • IAM ID Prefixes
      • Additional Resources
      • API References
    • VPCFlow Logs
    • GuardDuty
      • Multi-Account Setup
      • GuardDuty Concepts
      • GuardDuty Finding References
      • S3 Protection
      • Malware Protection
        • EC2 Malware Protection
          • EC2 Protection Resources
          • Monitoring Scans
          • EC2 Malware Protection Events: CloudWatch
        • S3 Malware Protection
          • Enabling S3 Malware Protection
          • After Enabling S3 Malware Protection
          • S3 Malware Resource Plan Status
          • S3 Malware Protection Quotas
      • RDS Protection Enablement
      • Lambda Protection Enablement
      • Trusted IP Lists and Threat Lists in Amazon GuardDuty
      • Remediation Recommendations
      • GuardDuty API Reference
      • GuardDuty Quotas
    • Access Analyzer
      • Setup
      • External Access and Unused Access Analyzer Findings
      • Review Findings
      • Access Analyzer Resources
      • Access Analyzer API Reference
    • AWS Network Firewall
      • Permissions
      • Firewall Log Contents
      • Logging Destinations
      • CloudWatch Firewall Metrics
    • AWS Config
      • Resource Management in AWS Config
      • AWS Config Integrations
      • AWS Config Resources
      • Configuration Item
      • Config Rules
        • Evaluation Modes
  • CloudWatch
    • Amazon CloudWatch
      • CloudWatch Concepts
      • CloudWatch Metrics
        • Filter Pattern Syntax
      • CloudWatch Alarms
        • Alarm Recommendations
      • Subscriptions
      • CloudWatch Agent
      • CloudWatch Insights
        • Supported Logs and Discovered Fields
        • CloudWatch Insights Query Syntax
      • Anomaly Detection
        • Create Anomaly Detector
        • Alarms for Anomaly Detections
      • CloudWatch Filter Syntax
      • CloudWatch Service Quota
  • Athena For Threat Hunting
    • Introduction to Athena
    • Setting Up Athena
    • SQL For Threat Hunters
    • Automated Response
    • Query Best Practices
  • AWS Security Research and Resources
    • AWS Security Blog
    • AWS Goat
    • Cloud Goat
    • Pacu
    • Prowler
    • Scout Suite
  • Threat Hunting in AWS
    • Threat Hunting in AWS
    • Threat Hunting Introduction
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Att&CK Data Sources
      • MITRE Att&CK Mitigations
    • MITRE Att&ck: AWS
      • MITRE Att&CK Matrix
      • Amazon Web Services Security Control Mappings
    • AWS Threat Hunting Ideas
      • AWS Threat Hunting Ideas: EC2
      • AWS Threat Hunting Ideas: Lambda
      • AWS Threat Hunting Ideas: SQS
      • AWS Threat Hunting Ideas: SNS
      • AWS Threat Hunting Ideas: RDS
Powered by GitBook
On this page
  • What is Pacu?
  • Key Features of Pacu:
  • Common Modules in Pacu:
  • Example Workflow Using Pacu:
  • Use Cases for Pacu in AWS Security Testing:
  • Benefits of Pacu:
  • Limitations of Pacu:
  1. AWS Security Research and Resources

Pacu

What is Pacu?

  • Pacu is named after a type of Amazonian fish, symbolizing its role as a lightweight yet effective tool for navigating the AWS cloud environment.

  • Developed by Rhino Security Labs, Pacu offers modular functionality, meaning users can load different modules to perform specific tasks such as privilege escalation, data exfiltration, or service enumeration.

Key Features of Pacu:

  1. Modular Structure:

    • Pacu works through modules designed for individual tasks. You can run these modules independently, depending on your goals.

    • Examples:

      • IAM privilege escalation checks

      • Lambda service enumeration

      • S3 bucket enumeration

  2. Credential Management:

    • Pacu allows testers to store and switch between AWS credentials to target multiple accounts. This is useful when evaluating security across different environments.

  3. Simulated Exploits:

    • It can simulate privilege escalation, insecure S3 configurations, and token compromise scenarios.

    • The tool does not actively exploit vulnerabilities but shows how vulnerabilities can be abused.

  4. Persistence and Attack Automation:

    • Supports creating persistent backdoors (e.g., rogue IAM users).

    • It automates common attack paths like escalating permissions or gaining unauthorized access.

  5. Interactive Command-Line Interface (CLI):

    • Pacu operates from a Python-based interactive CLI where modules can be called, and results are saved in session-based projects for reporting and tracking.

  6. Reporting and Session Persistence:

    • Sessions allow testers to save progress and generate reports on what vulnerabilities or issues were identified during the testing.

Common Modules in Pacu:

  1. IAM-Related Modules:

    • iam__enum_users_roles_policies: Enumerates IAM users, roles, and attached policies.

    • iam__privesc_scan: Scans for privilege escalation opportunities (like policies with Action: *).

  2. S3 Storage Modules:

    • s3__enum_buckets: Identifies public and private S3 buckets.

    • s3__bucket_takeover: Simulates bucket takeover scenarios.

  3. Lambda and EC2 Modules:

    • lambda__enum: Lists AWS Lambda functions and their permissions.

    • ec2__enum: Enumerates EC2 instances, security groups, and networking configurations.

  4. Credential Modules:

    • iam__backdoor_users_keys: Generates backdoor IAM users with programmatic keys.

    • iam__create_keys: Creates new access keys for existing IAM users (if allowed by permissions).

  5. Networking Modules:

    • vpc__enum: Enumerates VPCs, subnets, and network ACLs.

    • route53__enum_zones: Lists DNS zones configured in AWS Route 53.

Example Workflow Using Pacu:

  1. Setup and Configuration:

    • Clone the Pacu repository:

      bashCopy codegit clone https://github.com/RhinoSecurityLabs/pacu.git
cd pacu
pip install -r requirements.txt

    • Start Pacu:

      bashCopy codepython3 pacu.py

  2. Load AWS Credentials:

    • Use the command to load AWS credentials:

      bashCopy codeset_keys

    • Switch between multiple credentials during the session using:

      bashCopy codeuse_profile

  3. Run Modules:

    • Run an enumeration module (e.g., S3 buckets):

      bashCopy coderun s3__enum_buckets

    • Scan for privilege escalation opportunities:

      bashCopy coderun iam__privesc_scan

  4. Review Findings:

    • List session results using:

      bashCopy codelist_sessions

    • Export results to a JSON or text report.

Use Cases for Pacu in AWS Security Testing:

  1. Identify Misconfigurations:

    • Misconfigured IAM roles, public S3 buckets, over-permissioned Lambda functions.

  2. Privilege Escalation Testing:

    • Assess IAM policies to see if attackers can escalate their privileges.

  3. Simulate Insider Threats:

    • Test how compromised credentials or misconfigured services could be abused.

  4. Evaluate S3 Security Posture:

    • Ensure no public buckets expose sensitive information.

  5. Validate Security Controls:

    • Test persistence mechanisms like rogue IAM users and validate if security monitoring tools detect them.

Benefits of Pacu:

  • Free and open-source: Anyone can use and customize it.

  • Modular flexibility: Only load the modules you need for a specific test.

  • Interactive CLI: Provides an easy-to-use interface for beginners and experts.

  • Reporting features: Useful for compliance and documentation after testing.

Limitations of Pacu:

  1. No Active Exploits: Pacu is designed to simulate attacks but won’t directly exploit AWS services.

  2. AWS API Rate Limits: Since Pacu relies on AWS APIs, it may run into throttling limits during large-scale assessments.

  3. Lacks Active Blue Team Evasion: Unlike other tools, Pacu doesn’t focus heavily on stealth (e.g., bypassing CloudTrail logging).

PreviousCloud GoatNextProwler

Last updated 8 months ago