S1091: Pacu
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]
Analyst context for executives and security teams
Pacu matters because it packages many AWS/IaaS post-access behaviors into an open-source framework: cloud API execution, account and group discovery, infrastructure and storage enumeration, credential and secrets access, snapshot creation, serverless or administration-command execution, and changes to logging or cloud firewall controls. For leaders, the key issue is not the tool name alone; it is whether the organization can see and govern high-risk cloud control-plane actions performed with valid cloud accounts.
Executive priority
Treat this as a cloud readiness and identity-governance validation item. ATT&CK lists Pacu as an AWS exploitation framework and relates it to techniques spanning discovery, execution, credential access, collection, persistence, privilege escalation, and defense impairment. Executives should ask whether cloud audit logging, IAM least privilege, secrets governance, storage access monitoring, and incident response playbooks can distinguish authorized administration from suspicious automated enumeration or control changes.
Technical view
SOC and IR teams should validate coverage around IaaS control-plane activity rather than relying on a Pacu signature. The relationship set points to Cloud API execution, Cloud Accounts, Cloud Groups, Cloud Infrastructure Discovery, Cloud Storage Object Discovery, Data from Cloud Storage, Cloud Secrets Management Stores, Create Snapshot, Serverless Execution, Cloud Administration Command, Disable or Modify Cloud Log, and Cloud Firewall modification. Detection engineering should focus on unusual API volume, breadth of enumeration, sensitive credential or storage access, new credentials, snapshots, logging changes, and security group/firewall changes by identities, sessions, or source locations that do not match expected administrative patterns.
Likely telemetry
- Cloud control-plane audit logs for API calls and administrative actions
- Identity and access management events for users, roles, groups, permissions, and added credentials
- Cloud account authentication/session context, including source location and user agent where available
- Cloud storage listing, object access, and data retrieval logs
- Secrets manager access logs for reads or enumeration of secrets
Detection direction
- Baseline normal cloud administration so high-volume or broad API enumeration can be separated from expected inventory, compliance, or DevOps activity.
- Correlate discovery sequences across accounts, groups, services, infrastructure, logs, storage objects, and security tooling rather than alerting on a single benign-looking API call.
- Prioritize detections for sensitive transitions: added cloud credentials, secrets access, snapshot creation, data access from cloud storage, serverless execution, administration-command execution, logging changes, and cloud firewall modifications.
- Use relationship context to build cloud kill-chain style analytics: valid cloud account use followed by discovery, credential or storage access, and defense-impairment actions should raise priority.
- Account for false positives from legitimate security assessments, cloud inventory tools, backup processes, and infrastructure automation; require change-ticket, role, source, and timing context where possible.
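As an added illustration of the correlation approach in the detection direction above and the technical view earlier on this page (this is example code, not code from the page, from Pacu, or from ATT&CK), the following Python groups CloudTrail-style records by principal and source address, measures breadth of enumeration across services, and raises priority only when sensitive transitions (credential creation, secret reads, logging changes, and similar) follow that enumeration in the same session. The event names are real AWS API names, but the stage labels, weights, 30-minute chaining window, `expected_scanners` baseline and all sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sensitive control-plane transitions named in the detection direction above,
# keyed by (eventSource, eventName). Labels and weights are this example's
# assumptions, not ATT&CK or Pacu values.
SENSITIVE = {
    ("iam.amazonaws.com", "CreateAccessKey"): ("credential_add", 3),
    ("secretsmanager.amazonaws.com", "GetSecretValue"): ("secrets_access", 3),
    ("ec2.amazonaws.com", "CreateSnapshot"): ("snapshot", 2),
    ("s3.amazonaws.com", "GetObject"): ("storage_read", 1),
    ("lambda.amazonaws.com", "CreateFunction"): ("serverless_exec", 2),
    ("ssm.amazonaws.com", "SendCommand"): ("admin_command", 3),
    ("cloudtrail.amazonaws.com", "StopLogging"): ("log_impair", 4),
    ("guardduty.amazonaws.com", "UpdateIPSet"): ("firewall_change", 4),
}
DISCOVERY_PREFIXES = ("List", "Describe", "Get")
CHAIN_WINDOW = timedelta(minutes=30)  # discovery -> transition correlation window (assumed)


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_discovery(ev):
    # Read-only enumeration calls; sensitive reads such as GetSecretValue are
    # scored as transitions instead of discovery.
    key = (ev["eventSource"], ev["eventName"])
    return ev["eventName"].startswith(DISCOVERY_PREFIXES) and key not in SENSITIVE


def score_sessions(events, expected_scanners=(), min_services=4):
    """Group CloudTrail-style events by (principal ARN, source IP) and score each
    session on breadth of enumeration plus sensitive transitions that follow it.
    Returns {(arn, ip): {"priority", "score", "services", "transitions"}}."""
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        sessions[(ev["userIdentity"]["arn"], ev["sourceIPAddress"])].append(ev)

    results = {}
    for (arn, ip), evs in sessions.items():
        services, transitions = set(), []
        first_discovery = None
        for ev in evs:
            t = parse_time(ev["eventTime"])
            key = (ev["eventSource"], ev["eventName"])
            if is_discovery(ev):
                services.add(ev["eventSource"])
                first_discovery = first_discovery or t
            elif key in SENSITIVE:
                label, weight = SENSITIVE[key]
                # Kill-chain context: did this follow enumeration in the same session?
                chained = first_discovery is not None and t - first_discovery <= CHAIN_WINDOW
                transitions.append((label, weight, chained))

        # Baseline: known inventory/compliance scanners enumerate broadly by design,
        # so breadth alone is not suspicious for them; transitions still count.
        broad = len(services) >= min_services and arn not in expected_scanners
        score = sum(w for _, w, _ in transitions) + (2 if broad else 0)
        max_weight = max((w for _, w, _ in transitions), default=0)
        chained_high = any(c and w >= 3 for _, w, c in transitions)

        if broad and chained_high:
            priority = "high"
        elif broad or max_weight >= 3:
            priority = "medium"
        else:
            priority = "low"
        results[(arn, ip)] = {"priority": priority, "score": score,
                              "services": sorted(services),
                              "transitions": [lbl for lbl, _, _ in transitions]}
    return results


def make_event(ts, source, name, arn, ip, agent="aws-cli/2.x"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "userAgent": agent}


ACCOUNT = "111122223333"  # placeholder account id
CONTRACTOR = f"arn:aws:iam::{ACCOUNT}:user/ops-contractor"
SCANNER = f"arn:aws:sts::{ACCOUNT}:assumed-role/inventory-scanner/nightly"
DEV = f"arn:aws:iam::{ACCOUNT}:user/dev-alice"

# Constructed sample events: one broad enumeration run that ends in secret,
# credential and logging changes, one expected scanner, one ordinary developer.
SAMPLE_EVENTS = [
    make_event("2024-05-01T10:00:00Z", "iam.amazonaws.com", "ListUsers", CONTRACTOR, "198.51.100.7"),
    make_event("2024-05-01T10:01:00Z", "iam.amazonaws.com", "ListRoles", CONTRACTOR, "198.51.100.7"),
    make_event("2024-05-01T10:02:00Z", "ec2.amazonaws.com", "DescribeInstances", CONTRACTOR, "198.51.100.7"),
    make_event("2024-05-01T10:03:00Z", "s3.amazonaws.com", "ListBuckets", CONTRACTOR, "198.51.100.7"),
    make_event("2024-05-01T10:04:00Z", "cloudtrail.amazonaws.com", "DescribeTrails", CONTRACTOR, "198.51.100.7"),
    make_event("2024-05-01T10:05:00Z", "guardduty.amazonaws.com", "ListDetectors", CONTRACTOR, "198.51.100.7"),
    make_event("2024-05-01T10:06:00Z", "secretsmanager.amazonaws.com", "ListSecrets", CONTRACTOR, "198.51.100.7"),
    make_event("2024-05-01T10:07:00Z", "secretsmanager.amazonaws.com", "GetSecretValue", CONTRACTOR, "198.51.100.7"),
    make_event("2024-05-01T10:08:00Z", "iam.amazonaws.com", "CreateAccessKey", CONTRACTOR, "198.51.100.7"),
    make_event("2024-05-01T10:09:00Z", "cloudtrail.amazonaws.com", "StopLogging", CONTRACTOR, "198.51.100.7"),
    make_event("2024-05-01T02:00:00Z", "ec2.amazonaws.com", "DescribeInstances", SCANNER, "10.0.5.20"),
    make_event("2024-05-01T02:00:05Z", "s3.amazonaws.com", "ListBuckets", SCANNER, "10.0.5.20"),
    make_event("2024-05-01T02:00:10Z", "iam.amazonaws.com", "ListUsers", SCANNER, "10.0.5.20"),
    make_event("2024-05-01T02:00:15Z", "rds.amazonaws.com", "DescribeDBInstances", SCANNER, "10.0.5.20"),
    make_event("2024-05-01T02:00:20Z", "lambda.amazonaws.com", "ListFunctions", SCANNER, "10.0.5.20"),
    make_event("2024-05-01T11:00:00Z", "ec2.amazonaws.com", "DescribeInstances", DEV, "203.0.113.5"),
    make_event("2024-05-01T11:01:00Z", "s3.amazonaws.com", "GetObject", DEV, "203.0.113.5"),
]

if __name__ == "__main__":
    for (arn, ip), r in score_sessions(SAMPLE_EVENTS, expected_scanners={SCANNER}).items():
        print(f"{r['priority']:6} score={r['score']:2} {arn} from {ip} "
              f"services={len(r['services'])} transitions={r['transitions']}")
```

With the sample data, the contractor session scores high (six services enumerated, then a secret read, a new access key and a CloudTrail stop, all inside the window), the nightly scanner stays low because its ARN is in the baseline, and the developer session stays low because a single object read without broad enumeration is ordinary. Removing the scanner from `expected_scanners` moves it to medium on breadth alone, which is the false-positive case the last bullet above describes.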
Mitigation priorities
- Enforce least privilege for cloud identities, especially permissions that read secrets, enumerate broad resources, create snapshots, modify logging, change firewall rules, or execute cloud administration commands.
- Protect and monitor cloud audit logging so it is enabled, retained, and resistant to modification by routine administrative identities.
- Review credential hygiene for cloud accounts, service identities, and secrets management stores; remove unnecessary long-lived or additional credentials.
- Limit access to cloud storage and secrets to explicit business need, and monitor high-risk read/list activity.
- Require governance and approval paths for snapshot creation, serverless execution, cloud administration commands, and firewall/security group changes.
Analyst notes and limits
Pacu is identified by ATT&CK as an open-source AWS exploitation framework written in Python and publicly available on GitHub. The strongest defensive value comes from the listed ATT&CK relationships: they show the kinds of cloud behaviors defenders should validate across AWS/IaaS telemetry. This take intentionally emphasizes behavior-based monitoring and control validation, not tool-specific indicators.
The supplied ATT&CK object does not provide official detection guidance, aliases, labels, or explicit tactics for Pacu itself. Relationship descriptions support AWS/IaaS-oriented defensive planning, but local cloud architecture, logging configuration, identity model, and authorized administration patterns are required to determine real exposure or detection quality. No active exploitation, attribution, or customer impact is implied.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1648 | Serverless Execution | Pacu can create malicious Lambda functions.[1] |
| Enterprise | T1685.002 | Disable or Modify Cloud Log Sub-technique | Pacu can disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow logs.[1] |
| Enterprise | T1619 | Cloud Storage Object Discovery | Pacu can enumerate AWS storage services, such as S3 buckets and Elastic Block Store volumes.[1] |
| Enterprise | T1049 | System Network Connections Discovery | Once inside a Virtual Private Cloud, Pacu can attempt to identify DirectConnect, VPN, or VPC Peering.[1] |
| Enterprise | T1654 | Log Enumeration | Pacu can collect CloudTrail event histories and CloudWatch logs.[1] |
| Enterprise | T1526 | Cloud Service Discovery | Pacu can enumerate AWS services, such as CloudTrail and CloudWatch.[1] |
| Enterprise | T1552 | Unsecured Credentials | Pacu can search for sensitive data: for example, in Code Build environment variables, EC2 user data, and Cloud Formation templates.[1] |
| Enterprise | T1546 | Event Triggered Execution | Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups.[1] |
| Enterprise | T1686.001 | Cloud Firewall Sub-technique | Pacu can allowlist IP addresses in AWS GuardDuty.[1] |
| Enterprise | T1069.003 | Cloud Groups Sub-technique | Pacu can enumerate IAM permissions.[1] |
| Enterprise | T1098.001 | Additional Cloud Credentials Sub-technique | Pacu can generate SSH and API keys for AWS infrastructure and additional API keys for other IAM users.[1] |
| Enterprise | T1555.006 | Cloud Secrets Management Stores Sub-technique | Pacu can retrieve secrets from the AWS Secrets Manager via the enum_secrets module.[1] |
| Enterprise | T1580 | Cloud Infrastructure Discovery | Pacu can enumerate AWS infrastructure, such as EC2 instances.[1] |
| Enterprise | T1059.009 | Cloud API Sub-technique | Pacu leverages the AWS CLI for its operations.[1] |
| Enterprise | T1530 | Data from Cloud Storage | Pacu can enumerate and download files stored in AWS storage services, such as S3 buckets.[1] |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | Pacu leverages valid cloud accounts to perform most of its operations.[1] |
| Enterprise | T1119 | Automated Collection | Pacu can automatically collect data, such as CloudFormation templates, EC2 user data, AWS Inspector reports, and IAM credential reports.[1] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Pacu can enumerate AWS security services, including WAF rules and GuardDuty detectors.[1] |
| Enterprise | T1578.001 | Create Snapshot Sub-technique | Pacu can create snapshots of EBS volumes and RDS instances.[1] |
| Enterprise | T1087.004 | Cloud Account Sub-technique | Pacu can enumerate IAM users, roles, and groups.[1] |
| Enterprise | T1651 | Cloud Administration Command | Pacu can run commands on EC2 instances using AWS Systems Manager Run Command.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b572038b0281… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] GitHub Pacu: Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019. (Open source URL)
[2] mitre-attack S1091 (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.