
HackTricks AWS

Creating a role that looks benign but has a trust relationship allowing a compromised user to assume it at any time.

HackTricks emphasizes using enumeration scripts to check for "low-hanging fruit." If you have `iam:SimulatePrincipalPolicy`, you can determine exactly what you can do without triggering unnecessary "Access Denied" logs.

| If you want to... | HackTricks Feature | Action |
| :--- | :--- | :--- |
| | "Privilege Escalation" section | Search for each IAM action listed. If a user has it, assume they can become admin. |
| Simulate a real attacker | "Methodology" section | Follow the step-by-step: Recon -> Initial Access -> Privilege Escalation -> Persistence -> Exfiltration. |
| Test a specific service | Service-specific page (e.g., `/aws-ec2.md`) | Run the `# Enumeration` commands to see what an attacker sees. |
| Write a detection rule | "AWS Post-Exploitation" section | Look for API calls marked as "malicious" or "suspicious" (e.g., `CreateAccessKey`, `UpdateAssumeRolePolicy`). |
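For the "Write a detection rule" row and the benign-looking role with a permissive trust relationship, here is an added example (not code from HackTricks or from the original page) that reviews CloudTrail-shaped records for those calls. The events, account id, role and user names are constructed, and the flagging heuristics (a key created for another user, a trust policy naming an IAM user or a foreign account) are assumptions to tune for your environment.

```python
import json

ACCOUNT = "111122223333"  # constructed account id
ALICE = "arn:aws:iam::%s:user/dev-alice" % ACCOUNT  # constructed caller

def trusted_principals(policy_json):  # AWS principals let in by Allow statements
    stmts = json.loads(policy_json).get("Statement", [])
    out = []
    for s in stmts if isinstance(stmts, list) else [stmts]:
        p = s.get("Principal", {}) if s.get("Effect") == "Allow" else {}
        p = p if isinstance(p, str) else p.get("AWS", [])
        out += [p] if isinstance(p, str) else p
    return out

def review(events, account_id=ACCOUNT):
    """Return (eventName, actor, reason) for calls worth an analyst's look."""
    findings = []
    for e in events:
        name, rp = e["eventName"], e.get("requestParameters") or {}
        actor = e["userIdentity"].get("arn", "unknown")
        if name.startswith("UpdateFunctionCode"):  # Lambda logs a version suffix
            findings.append((name, actor, "code change: " + rp.get("functionName", "?")))
        elif name == "CreateAccessKey" and rp.get("userName"):
            if actor.rsplit("/", 1)[-1] != rp["userName"]:
                findings.append((name, actor, "key for other user: " + rp["userName"]))
        elif name in ("CreateRole", "UpdateAssumeRolePolicy"):
            doc = rp.get("assumeRolePolicyDocument") or rp.get("policyDocument")
            for p in trusted_principals(doc) if doc else []:
                if p == "*" or ":user/" in p or account_id not in p:
                    findings.append((name, actor, "role %s trusts %s" % (rp.get("roleName"), p)))
    return findings

def _ev(name, **params):  # builds a constructed CloudTrail-shaped record
    return {"eventName": name, "requestParameters": params, "userIdentity": {"arn": ALICE}}

def _trust(principal):  # constructed trust policy, serialized as a JSON string
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]})

SAMPLE = [  # constructed events, not real logs
    _ev("CreateRole", roleName="metrics-sync", assumeRolePolicyDocument=_trust({"AWS": ALICE})),
    _ev("CreateRole", roleName="thumbnailer", assumeRolePolicyDocument=_trust({"Service": "lambda.amazonaws.com"})),
    _ev("UpdateAssumeRolePolicy", roleName="ci-deploy", policyDocument=_trust({"AWS": "999988887777"})),
    _ev("CreateAccessKey", userName="svc-backup"),
    _ev("CreateAccessKey", userName="dev-alice"),
    _ev("UpdateFunctionCode20150331v2", functionName="thumbnailer"),
]

print(*review(SAMPLE), sep="\n")
```

The service-principal role and the self-issued access key pass unflagged, which is what keeps the rule usable against routine deployment activity.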

Leverage AWS’s managed threat detection to spot unusual behavior, such as API calls from known malicious IPs or unusual data exfiltration patterns.

Once an attacker gains a foothold, the goal shifts to staying there. Creating a role that looks benign but has

If you're interested in learning more about AWS security and HackTricks, I recommend checking out the official HackTricks website or searching for relevant articles and tutorials online.

Use `aws sts get-caller-identity` to find out who you are (IAM User, Role, or Federated identity).

If you can modify a Lambda function's code (`lambda:UpdateFunctionCode`), you can inject a reverse shell to execute commands in the cloud environment's context.

4. Post-Exploitation and Persistence

Mastering AWS Security: Insights from the HackTricks Methodology
