AWS Penetration Testing
Audited by Socket on Mar 4, 2026
11 alerts found:
Security ×2, Malware ×4, Obfuscated File ×5

This command is not inherently malicious, but it performs a high-impact IAM state change: attaching an inline policy read from a local file to an IAM user. The risk depends on the contents of admin-policy.json and on the credentials used to run the CLI. If the policy grants broad privileges, or the invoking credentials are compromised or over-privileged, the same command serves privilege escalation, persistence, or data access. Treat it as a high-risk operation: review the policy document, scope it to least privilege, and put strict controls and auditing around its use.
High-risk, likely malicious recipe for data theft from an EBS volume. The sequence of snapshotting a volume, creating a new volume from the snapshot, attaching it to an external instance and mounting it at /mnt/stolen is a canonical post-compromise exfiltration technique. Executed by an unauthorized actor, or with compromised credentials, it exposes the volume's data. Immediate mitigations: audit CloudTrail for these API calls (CreateSnapshot, CreateVolume, AttachVolume), revoke or rotate the credentials that permitted them, restrict IAM permissions for those actions to least privilege, enable snapshot and volume tagging with alerting, and inspect the implicated instance for other signs of compromise.
This snippet is a non-obfuscated, read-only AWS IAM enumeration checklist. It contains no direct malware or backdoor code, and no hardcoded credentials. However, when run with valid (especially overly permissive or compromised) credentials it yields high-value information that supports attacker reconnaissance and privilege escalation planning. Treat instances of unexpected execution as suspicious and monitor/alert accordingly; apply least privilege and logging best practices to reduce risk.
The snippet is not malicious code but performs a high-risk privileged operation: it attaches the AdministratorAccess managed policy to an IAM user. The main security concern is operational (overly broad permissions and lack of safeguards). Treat this command as sensitive: do not run it without review, prefer least-privilege alternatives, and implement approval and auditing controls.
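The first alert and this one both end with the same instruction, review the policy before it is attached, and both leave the reviewer without a concrete check. As an added example (not Socket's code and not part of the audited skill), the Python script below performs that review on an IAM policy document before anything like `aws iam put-user-policy` or `aws iam attach-user-policy` runs: it flags wildcard actions, service-wide wildcards, `NotAction` grants and a set of well-known privilege-escalation primitives, and reports whether the statement is at least constrained by a `Condition`. The page does not reproduce admin-policy.json, so `SAMPLE_POLICY` is a constructed stand-in.

```python
"""Review an IAM policy document for over-broad grants before attaching it.

Added example for this page; not Socket's code and not part of the audited
skill. The page does not reproduce admin-policy.json, so SAMPLE_POLICY is a
constructed stand-in.
"""
import json
import sys

# Actions that let a principal widen its own (or another principal's) access.
PRIV_ESC_ACTIONS = {
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:attachgrouppolicy",
    "iam:putuserpolicy", "iam:putrolepolicy", "iam:putgrouppolicy",
    "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:createaccesskey", "iam:createloginprofile", "iam:updateloginprofile",
    "iam:addusertogroup", "iam:passrole", "sts:assumerole",
}


def _as_list(value):
    """IAM accepts a bare string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return findings as dicts {statement, severity, reason, conditioned}; [] means clean."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        any_resource = "*" in _as_list(stmt.get("Resource"))
        conditioned = "Condition" in stmt

        def add(severity, reason):
            findings.append({"statement": idx, "severity": severity,
                             "reason": reason, "conditioned": conditioned})

        if "NotAction" in stmt:
            add("critical", "Allow with NotAction grants every action not listed")
            continue
        if "*" in actions or "*:*" in actions:
            add("critical", "wildcard Action" +
                (" on Resource * (AdministratorAccess-equivalent)" if any_resource else ""))
            continue
        service_wild = sorted(a for a in actions if a.endswith(":*"))
        if service_wild:
            add("critical" if "iam:*" in service_wild else "high",
                "service-wide wildcard: " + ", ".join(service_wild))
        esc = sorted(actions & PRIV_ESC_ACTIONS)
        if esc:
            add("high" if any_resource else "medium",
                "privilege-escalation primitive: " + ", ".join(esc) +
                (" on Resource *" if any_resource else ""))
    return findings


def review_policy_file(path):
    """Load a policy JSON file such as admin-policy.json and review it."""
    with open(path, encoding="utf-8") as fh:
        return review_policy(json.load(fh))


# Constructed sample standing in for admin-policy.json (not from the page).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::reports-bucket/*"},
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    # Usage: python review_policy.py admin-policy.json  (no argument: review the sample)
    result = review_policy_file(sys.argv[1]) if len(sys.argv) > 1 else review_policy(SAMPLE_POLICY)
    for f in result:
        print(f"statement {f['statement']}: {f['severity']}: {f['reason']}")
    sys.exit(1 if any(f["severity"] in ("critical", "high") for f in result) else 0)
```

The non-zero exit on a critical or high finding is what makes this usable as a gate in front of the CLI call: the policy file is linted, the operator sees which statement is the problem, and the attach command only runs if the gate passes. A `Condition` (for example an `aws:SourceIp` or MFA requirement) is reported but does not lower the severity, because a conditioned wildcard is still a wildcard once the condition is met.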
The command itself is not obfuscated or inherently malicious, but it performs a high-risk administrative action: creating long-lived IAM access keys for another user and printing the secret to stdout. If executed by an unauthorized or over-privileged actor, or in an environment that logs terminal output, it can lead to credential leakage, lateral movement, and persistent access. Treat this operation as privileged: apply least privilege, add approval or automation safeguards, avoid printing secrets, and monitor and rotate keys.
This artifact is a clear, actionable malicious playbook for extracting AWS credentials via SSRF and using them to access or abuse a victim AWS account. It includes operational guidance to bypass defenses and evade detection. Treat the content as high-risk: remove from public repos, investigate any systems that might have executed the described steps, and apply mitigations (block SSRF, enforce IMDSv2, tighten IAM policies, monitor logs).
This code is intentionally malicious: when executed it unconditionally attempts to grant AdministratorAccess to a hardcoded IAM user, and the package includes an explicit example of how to deploy it to another Lambda. If it runs where the Lambda execution role holds IAM-modification permissions, it enables immediate and severe account compromise. Treat occurrences as a high-severity compromise: isolate, revoke the relevant permissions, and perform incident response and remediation.
This fragment constitutes high-risk offensive guidance: it documents how to harvest credentials via IMDS, enumerate AWS resources, and disable or limit CloudTrail to evade detection. Although it includes a note to obtain authorization, the concrete, actionable commands and explicit evasion tips (Pacu, User-Agent) make it dangerous in the hands of an unauthorized actor. Treat it as malicious guidance; do not execute it in production or without strict written authorization and controls.
This document is high-risk, actionable offensive guidance for extracting AWS instance/task credentials via SSRF and metadata endpoints. It contains the exact endpoints, request patterns, and example credential payloads needed to perform credential theft and privilege escalation in cloud environments. Treat the content as malicious/useful to attackers; prioritize mitigation of SSRF vulnerabilities, restrict metadata access, and apply least-privilege IAM controls.
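Three of the alerts above (the SSRF playbook, the IMDS harvesting fragment, and this one) name the same mitigation, enforce IMDSv2, without showing why it works. As an added example (not Socket's code and not part of the audited skill), the Python model below simulates the EC2 instance metadata service's decision logic in-process rather than contacting 169.254.169.254: a plain SSRF primitive can issue one GET to a chosen URL but cannot set the HTTP method or custom headers, so once tokens are `required` the token-less GET is refused with 401 while an SDK on the instance, which first PUTs for a token, still succeeds. Paths and header names follow the public IMDS documentation; the token values and the credential payload are constructed, status codes other than the documented 401 are the model's choice, and the ECS task credential endpoint is not modelled.

```python
"""Model of EC2 instance metadata handling under IMDSv1 vs IMDSv2.

Added example for this page; not Socket's code and not part of the audited
skill. It simulates the service's decision logic in-process instead of
contacting 169.254.169.254. Paths and header names follow the public IMDS
documentation; token values and the credential payload are constructed, and
status codes other than the documented 401 are the model's choice.
"""
import json
import secrets

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_HDR = "x-aws-ec2-metadata-token"
TTL_HDR = "x-aws-ec2-metadata-token-ttl-seconds"


class FakeImds:
    """http_tokens='optional' is the IMDSv1-compatible default; 'required' enforces v2."""

    def __init__(self, http_tokens="optional", role="web-instance-role"):
        self.http_tokens = http_tokens
        self.role = role
        self.tokens = set()

    def handle(self, method, path, headers=None):
        h = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == TOKEN_PATH:
            # The real service refuses token requests that lack a TTL header or
            # that arrive through a proxy (X-Forwarded-For present).
            ttl = h.get(TTL_HDR, "")
            if "x-forwarded-for" in h or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
                return 400, ""
            tok = secrets.token_urlsafe(32)
            self.tokens.add(tok)
            return 200, tok
        if method != "GET":
            return 405, ""
        if self.http_tokens == "required" and h.get(TOKEN_HDR) not in self.tokens:
            return 401, ""  # documented IMDSv2 response to a GET without a valid token
        if path == CREDS_PATH:
            return 200, self.role  # listing the directory reveals the role name
        if path == CREDS_PATH + self.role:
            creds = {"AccessKeyId": "ASIA-CONSTRUCTED", "SecretAccessKey": "constructed",
                     "Token": "constructed-session-token"}
            return 200, json.dumps(creds)
        return 404, ""


def ssrf_fetch(imds, path):
    """What a plain SSRF primitive gives an attacker: one GET to a chosen URL,
    with no control over the HTTP method or request headers."""
    return imds.handle("GET", path)


def sdk_fetch(imds, path):
    """What an SDK on the instance does: PUT for a token, then GET with it."""
    status, tok = imds.handle("PUT", TOKEN_PATH, {TTL_HDR: "21600"})
    if status != 200:
        return status, ""
    return imds.handle("GET", path, {TOKEN_HDR: tok})


def steal_credentials(imds):
    """Two-step SSRF: list the role name, then read its credentials. Returns (status, body)."""
    status, role = ssrf_fetch(imds, CREDS_PATH)
    if status != 200:
        return status, ""
    return ssrf_fetch(imds, CREDS_PATH + role)


if __name__ == "__main__":
    print("v1 default :", steal_credentials(FakeImds("optional")))
    print("v2 required:", steal_credentials(FakeImds("required")))
    print("sdk on v2  :", sdk_fetch(FakeImds("required"), CREDS_PATH))
```

On a real instance the equivalent enforcement is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; the hop limit of 1 is a second control the model leaves out, which keeps the token response from crossing a network hop and so denies tokens to bridged containers on the host. IMDSv2 does not help against an SSRF that lets the attacker choose the method and headers (for example a full request-forging gadget), which is why the alerts still list fixing the SSRF itself first.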
This fragment is an explicit, actionable attacker playbook for credential exfiltration (NTDS.dit + SYSTEM via snapshot abuse) and converting AWS API keys into console access. It contains concrete commands and references to offensive tooling and therefore poses a high security risk if published in a code repository or distribution. Treat artifacts containing this content as hostile: remove or restrict access, investigate repository authorship and intent, and if present in a package release, revoke and audit downstream consumers and signing keys.
This skill is an explicit offensive AWS pentesting/red-team playbook. It provides actionable, high-risk steps to enumerate IAM, harvest credentials (including SSRF to EC2 metadata), create/steal keys, escalate privileges, compromise S3/Lambda/EC2 resources, and disable CloudTrail to evade detection. As authored, it is dual-use: legitimate for authorized penetration tests but highly dangerous if used in unauthorized contexts or by an AI agent with execution and network access. Key risks: credential harvesting, privilege escalation, disabling logging, and supply-chain risk from installing third-party offensive tools. Treat this skill as high security risk and restrict usage to human-supervised, authorized engagements with strict safeguards (consent, scope, monitoring, pinned tool versions, code review).
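Several alerts on this page tell the reader to audit CloudTrail for the actions they describe: the EBS snapshot chain, attaching AdministratorAccess, minting access keys for another user, a Lambda writing an inline policy, and disabling CloudTrail. As an added example (not Socket's code and not part of the audited skill), the Python below runs those detections over a small set of constructed CloudTrail records. The records follow CloudTrail's field layout (`eventTime`, `eventName`, `userIdentity`, `requestParameters`, `responseElements`); the account number, resource IDs, user names and timestamps are placeholders. The snapshot chain is correlated on the snapshot ID rather than on the actor, so a hand-off between two sets of credentials still links up.

```python
"""CloudTrail detections for the post-compromise actions described in the alerts above.

Added example for this page; not Socket's code and not part of the audited
skill. Records below are constructed to follow CloudTrail's field layout;
the account number, resource IDs and timestamps are placeholders.
"""
from datetime import datetime, timedelta

ACCT = "111122223333"
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
EXFIL_WINDOW = timedelta(hours=1)


def _ev(time, name, req, resp=None, user=None, role_session=None):
    """Build a minimal CloudTrail record for an IAM user or an assumed-role session."""
    if user:
        ident = {"type": "IAMUser", "userName": user, "arn": f"arn:aws:iam::{ACCT}:user/{user}"}
    else:
        ident = {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/{role_session}"}
    return {"eventTime": time, "eventName": name, "userIdentity": ident,
            "requestParameters": req, "responseElements": resp or {}}


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_iam_abuse(events):
    """Admin grants, inline policy writes, keys minted for other users, trail tampering.
    Returns (eventName, actor_arn, detail) tuples in event order."""
    hits = []
    for e in events:
        name, req, who = e["eventName"], e.get("requestParameters") or {}, e["userIdentity"]["arn"]
        if name == "AttachUserPolicy" and req.get("policyArn", "").endswith(ADMIN_POLICY_SUFFIX):
            hits.append((name, who, f"AdministratorAccess attached to user {req.get('userName')}"))
        elif name == "PutUserPolicy":
            hits.append((name, who, f"inline policy {req.get('policyName')} written to {req.get('userName')}"))
        elif name == "CreateAccessKey":
            # No userName means the caller minted a key for itself. A role session has
            # no userName at all, so any explicit target is another principal.
            target = req.get("userName")
            if target and target != e["userIdentity"].get("userName"):
                hits.append((name, who, f"long-lived access key created for {target}"))
        elif name in TRAIL_TAMPER:
            hits.append((name, who, f"trail {req.get('name')} modified"))
    return hits


def detect_snapshot_exfil(events):
    """Chain CreateSnapshot -> CreateVolume (from that snapshot) -> AttachVolume
    within EXFIL_WINDOW, keyed on the snapshot ID rather than the actor."""
    snaps, vols, chains = {}, {}, []
    for e in sorted(events, key=_ts):
        name, req, resp = e["eventName"], e.get("requestParameters") or {}, e.get("responseElements") or {}
        if name == "CreateSnapshot" and "snapshotId" in resp:
            snaps[resp["snapshotId"]] = (e["userIdentity"]["arn"], _ts(e), req.get("volumeId"))
        elif name == "CreateVolume" and req.get("snapshotId") in snaps and "volumeId" in resp:
            vols[resp["volumeId"]] = req["snapshotId"]
        elif name == "AttachVolume" and req.get("volumeId") in vols:
            snap = vols[req["volumeId"]]
            actor, t0, src = snaps[snap]
            elapsed = _ts(e) - t0
            if elapsed <= EXFIL_WINDOW:
                chains.append({"snapshot": snap, "source_volume": src, "copied_volume": req["volumeId"],
                               "attached_to": req.get("instanceId"), "snapshot_by": actor,
                               "attached_by": e["userIdentity"]["arn"],
                               "elapsed_s": int(elapsed.total_seconds())})
    return chains


# Constructed sample trail: one exfiltration chain plus the IAM actions from the alerts.
SAMPLE_EVENTS = [
    _ev("2026-03-04T10:15:02Z", "CreateSnapshot", {"volumeId": "vol-0aaa0000"},
        {"snapshotId": "snap-0bbb0000"}, user="ci-deploy"),
    _ev("2026-03-04T10:16:40Z", "CreateVolume", {"snapshotId": "snap-0bbb0000", "availabilityZone": "us-east-1a"},
        {"volumeId": "vol-0ccc0000"}, user="ci-deploy"),
    _ev("2026-03-04T10:18:05Z", "AttachVolume",
        {"volumeId": "vol-0ccc0000", "instanceId": "i-0ddd0000", "device": "/dev/sdf"}, user="ci-deploy"),
    _ev("2026-03-04T10:20:11Z", "AttachUserPolicy",
        {"userName": "backdoor", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}, user="ci-deploy"),
    _ev("2026-03-04T10:20:30Z", "CreateAccessKey", {"userName": "backdoor"}, user="ci-deploy"),
    _ev("2026-03-04T10:21:00Z", "CreateAccessKey", {}, user="alice"),  # self-service rotation: no alert
    _ev("2026-03-04T10:22:45Z", "PutUserPolicy", {"userName": "backdoor", "policyName": "admin-policy"},
        role_session="lambda-exec/helper-fn"),
    _ev("2026-03-04T10:25:00Z", "StopLogging", {"name": "org-trail"}, user="ci-deploy"),
    _ev("2026-03-04T10:26:00Z", "DescribeInstances", {}, user="alice"),
]

if __name__ == "__main__":
    for hit in detect_iam_abuse(SAMPLE_EVENTS):
        print("IAM  :", hit)
    for chain in detect_snapshot_exfil(SAMPLE_EVENTS):
        print("EXFIL:", chain)
```

Two points worth carrying into a real deployment: CloudTrail never logs the `SecretAccessKey` in a `CreateAccessKey` response, so the detection keys on who the key was made for, not on the secret; and because `StopLogging` is itself the last event a tampered trail records, these rules should run against events delivered to a destination (CloudWatch Logs or an S3 bucket in a separate account) that the audited account cannot switch off.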