| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.004 | Cloud Account | Pacu can enumerate IAM users, roles, and groups. |
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.001 | Additional Cloud Credentials | Pacu can generate SSH and API keys for AWS infrastructure and additional API keys for other IAM users. |
| enterprise | T1119 | Automated Collection | Pacu can automatically collect data, such as CloudFormation templates, EC2 user data, AWS Inspector reports, and IAM credential reports. |
| enterprise | T1651 | Cloud Administration Command | Pacu can run commands on EC2 instances using AWS Systems Manager Run Command. |
| enterprise | T1580 | Cloud Infrastructure Discovery | Pacu can enumerate AWS infrastructure, such as EC2 instances. |
| enterprise | T1526 | Cloud Service Discovery | Pacu can enumerate AWS services, such as CloudTrail and CloudWatch. |
| enterprise | T1619 | Cloud Storage Object Discovery | Pacu can enumerate AWS storage services, such as S3 buckets and Elastic Block Store volumes. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.009 | Cloud API | Pacu leverages the AWS CLI for its operations. |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.006 | Cloud Secrets Management Stores | Pacu can retrieve secrets from the AWS Secrets Manager via the enum_secrets module. |
| enterprise | T1530 | Data from Cloud Storage | Pacu can enumerate and download files stored in AWS storage services, such as S3 buckets. |
| enterprise | T1546 | Event Triggered Execution | Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups. |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.007 | Disable or Modify Cloud Firewall | Pacu can allowlist IP addresses in AWS GuardDuty. |
| enterprise | T1562.008 | Disable or Modify Cloud Logs | Pacu can disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow logs. |
| enterprise | T1654 | Log Enumeration | Pacu can collect CloudTrail event histories and CloudWatch logs. |
| enterprise | T1578 | Modify Cloud Compute Infrastructure | - |
| enterprise | T1578.001 | Create Snapshot | Pacu can create snapshots of EBS volumes and RDS instances. |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.003 | Cloud Groups | Pacu can enumerate IAM permissions. |
| enterprise | T1648 | Serverless Execution | Pacu can create malicious Lambda functions. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Pacu can enumerate AWS security services, including WAF rules and GuardDuty detectors. |
| enterprise | T1049 | System Network Connections Discovery | Once inside a Virtual Private Cloud, Pacu can attempt to identify DirectConnect, VPN, or VPC Peering. |
| enterprise | T1552 | Unsecured Credentials | Pacu can search for sensitive data: for example, in CodeBuild environment variables, EC2 user data, and CloudFormation templates. |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.004 | Cloud Accounts | Pacu leverages valid cloud accounts to perform most of its operations. |