{"description": "Enterprise techniques used by Pacu, ATT&CK software S1091 (v1.0)", "name": "Pacu (S1091)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.004", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can enumerate IAM users, roles, and groups. (Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098", "showSubtechniques": true}, {"techniqueID": "T1098.001", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can generate SSH and API keys for AWS infrastructure and additional API keys for other IAM users.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can automatically collect data, such as CloudFormation templates, EC2 user data, AWS Inspector reports, and IAM credential reports.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1651", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can run commands on EC2 instances using AWS Systems Manager Run Command.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1580", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can enumerate AWS infrastructure, such as EC2 instances.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1526", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can enumerate AWS services, such as CloudTrail and CloudWatch.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1619", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can enumerate AWS storage services, such as S3 buckets and Elastic Block Store volumes.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.009", "comment": "[Pacu](https://attack.mitre.org/software/S1091) leverages the AWS CLI for its operations.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.006", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can retrieve secrets from the AWS Secrets Manager via the enum_secrets module.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1530", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can enumerate and download files stored in AWS storage services, such as S3 buckets.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.007", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can allowlist IP addresses in AWS GuardDuty.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562.008", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow logs.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1654", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can collect CloudTrail event histories and CloudWatch logs.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1578", "showSubtechniques": true}, {"techniqueID": "T1578.001", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can create snapshots of EBS volumes and RDS instances.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.003", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can enumerate IAM permissions.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1648", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can create malicious Lambda functions.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can enumerate AWS security services, including WAF rules and GuardDuty detectors.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1049", "comment": "Once inside a Virtual Private Cloud, [Pacu](https://attack.mitre.org/software/S1091) can attempt to identify DirectConnect, VPN, or VPC Peering.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "comment": "[Pacu](https://attack.mitre.org/software/S1091) can search for sensitive data: for example, in Code Build environment variables, EC2 user data, and Cloud Formation templates.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "[Pacu](https://attack.mitre.org/software/S1091) leverages valid cloud accounts to perform most of its operations.(Citation: GitHub Pacu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Pacu", "color": "#66b1ff"}]}