Skip to content

arkanzasfeziii/Nebula

Repository files navigation

Nebula — Multi-Cloud Red Team Operations Framework

Enumerate IAM permissions, escalate to administrator, harvest credentials from IMDS and Secrets Manager, plant persistent backdoors, and exfiltrate from S3 — across AWS, Azure, and GCP in a single engagement workflow.


Threat Model

Cloud environments fail at the identity layer. Misconfigured IAM policies, overly permissive roles, and credentials stored in compute metadata have made cloud account compromise one of the most reliably achievable goals in a modern red team engagement.

Nebula models the adversary who enters through a single set of credentials — often leaked from source code, exposed on EC2 user-data, or harvested from IMDSv1 — and escalates to full cloud administrator:

Stage What Fails Adversary Action
Reconnaissance sts:GetCallerIdentity is unrestricted — any credential can reveal its identity Identify who we are, what account we're in, and what permissions are attached
Permission Analysis Inline policies + managed policies + group policies are rarely audited as a combined set Enumerate all effective permissions across inline, attached, and group-level policy documents
Privilege Escalation Overly permissive IAM policies (iam:AttachUserPolicy, iam:CreatePolicyVersion, iam:PassRole) Chain 14 mapped escalation techniques — from policy version replacement to SSM EC2 command execution
Credential Harvesting IMDSv2 not enforced, Secrets Manager lacks resource policies, Lambda env vars store plaintext secrets Harvest credentials from IMDS, Secrets Manager, SSM Parameter Store, Lambda environment, EC2 user-data
Persistence No alerting on IAM user creation or cross-account trust policy modification Create backdoor IAM user with admin access; plant external cross-account role with custom ExternalId
Lateral Movement Role trust policies allow cross-account assumption without conditions Enumerate all assumable roles, sort by admin-level and cross-account priority, assume each
Exfiltration S3 buckets holding backups, PII, and production data without lifecycle alerts Enumerate all accessible buckets by keyword; list and selectively download high-value objects

Scope: Authorized red team engagements and cloud security assessments where the goal is to demonstrate the blast radius of a compromised cloud identity.


Why This Exists

Cloud security is primarily an IAM problem. Every significant cloud breach in the public record — from CapitalOne to Code Spaces to countless S3 exposure incidents — traces back to an identity with permissions it never needed, configured without understanding the attack paths those permissions created.

Standard cloud security tools audit configuration against benchmarks. Nebula attacks the configuration.

The difference: a benchmark scanner tells you that IMDSv2 is not enforced. Nebula harvests the IAM role credentials from IMDSv1 and shows you what an attacker does with them in the next step.

Nebula is built around EngagementContext — a shared state object that carries harvested credentials, discovered roles, and confirmed escalation paths from one module to the next. The credential Nebula harvests from IMDS in the CredDump module is the same credential it uses in the Lateral module for role assumption. Findings compound.


Capabilities

Cloud Reconnaissance

AWS:

  • STS GetCallerIdentity — confirm identity, account ID, ARN
  • Effective permissions enumeration — fetch inline policies, attached managed policies, and group policies; merge into a complete permission set
  • IAM user listing — enumerate all users, last key usage, and MFA status
  • Assumable role enumeration — identify all roles with trust policies allowing assumption by the current identity (cross-account first)
  • Active region sweep — identify which AWS regions have running EC2 instances

Azure:

  • Subscription enumeration — list all accessible subscriptions
  • Privileged role assignment detection — identify Owner, Contributor, and User Access Administrator assignments

GCP:

  • IAM policy retrieval — get organization or project-level IAM bindings
  • High-value binding identification — flag roles/owner, roles/editor, roles/iam.securityAdmin assignments

IAM Privilege Escalation — AWS

14 mapped escalation techniques keyed to specific IAM permissions:

Permission Escalation Path
iam:AttachUserPolicy Attach AdministratorAccess to current user
iam:PutUserPolicy Create inline admin policy on current user
iam:CreatePolicyVersion Replace existing managed policy version with admin policy
iam:CreateAccessKey Create access key for any user — including admin accounts
iam:UpdateAssumeRolePolicy Inject current identity into admin role trust policy
ssm:SendCommand + ec2:DescribeInstances Execute command on EC2 via SSM; retrieve IMDS credentials
iam:SetDefaultPolicyVersion Revert a managed policy to an earlier permissive version
iam:PassRole + ec2:RunInstances Launch EC2 with admin role attached
iam:PassRole + lambda:CreateFunction Deploy Lambda with admin role; invoke for credential extraction
iam:CreateRole + iam:AttachRolePolicy Create new admin role; assume it
sts:AssumeRole (wildcard) Assume any role without conditions
iam:AddUserToGroup Add current user to an admin group
glue:CreateDevEndpoint Create Glue dev endpoint with admin role; SSH for credentials
cloudformation:CreateStack + iam:PassRole Deploy CloudFormation stack with admin role

Azure: Assign Owner role to current identity.
GCP: Set IAM policy binding granting current identity roles/owner.

Credential Harvesting

  • IMDSv2 harvest — PUT for token → retrieve role name → GET credentials (AccessKeyId, SecretAccessKey, SessionToken)
  • Secrets Manager dump — list and retrieve up to 20 secrets across the account; scan for credential patterns in secret values
  • SSM Parameter Store — retrieve all SecureString parameters with automatic decryption; scan for patterns
  • Lambda environment variables — list all functions; extract environment variables; flag credential patterns
  • EC2 user-data — retrieve base64-encoded user-data for running instances; decode and scan for hardcoded credentials, bootstrap scripts containing secrets

Persistence Mechanisms

  • IAM backdoor user — create IAM user with randomized name from BACKDOOR_NAMES (aws-health-monitor, ec2-metrics-agent, lambda-log-processor, cloud-telemetry-sync, iam-audit-reader, cost-allocation-helper); attach AdministratorAccess; create access key pair; output cleanup command
  • Cross-account backdoor role — create IAM role with external account trust policy and custom ExternalId condition; attach admin policy; allows operator to re-enter from external account even after initial credentials are rotated

Lateral Movement — Role Chaining

  • Enumerate all IAM roles with sts:AssumeRole trust policies
  • Sort by priority: cross-account roles first, then admin-named roles
  • Attempt sts:AssumeRole for each; store returned credentials per role
  • Support specific role ARN targeting for direct assumption

S3 Exfiltration

  • Enumerate all accessible S3 buckets — filter by keyword: backup, prod, secret, credential, pii, data, database, private, sensitive, internal, config, logs
  • List matched bucket contents — object count and total size
  • Download mode: selectively retrieve high-value objects
  • Dry-run mode: report what would be exfiltrated without downloading

Architecture

Credentials (AWS / Azure / GCP)
              │
              ▼
     EngagementContext
  ┌──────────────────────────────────┐
  │  provider · region · session     │
  │  harvested_creds · roles         │
  │  escalation_paths · loot         │
  └──────────────────────────────────┘
              │
    ┌─────────┼─────────┐
    ▼         ▼         ▼
 ReconModule  PrivEsc  CredDump
 IAM/STS      Module   IMDS/SM/SSM
 identity     14 AWS   Lambda/UserData
              paths
    │
    ├──────────────────┐
    ▼                  ▼
 PersistModule    LateralModule
 backdoor user    role chaining
 cross-acct role  assume all
                       │
                       ▼
                  ExfilModule
                  S3 keyword hunt
                  selective download
                       │
                       ▼
                  JSON Report
            (provider · action · finding)

Attack Flow

  1. Identity confirmationSTS GetCallerIdentity confirms current identity, account, and ARN across all configured providers
  2. Permission mapping — enumerate inline, attached, and group-level IAM policies; construct effective permission set; identify escalation-relevant permissions
  3. Escalation evaluation — compare effective permissions against 14 escalation path definitions; execute feasible escalation techniques in priority order
  4. Credential harvest sweep — IMDSv2 (if running on EC2 or reachable from inside a VPC/EKS); Secrets Manager full dump; SSM SecureString decryption; Lambda env var extraction; EC2 user-data decode
  5. Persistence plant — create backdoor IAM user with admin access; create cross-account trust role; output credentials and cleanup commands to operator
  6. Role assumption chain — enumerate all assumable roles across the account; attempt assumption sorted by cross-account and admin-naming priority; store all successful credentials
  7. S3 exfiltration — enumerate all buckets, filter by high-value keyword patterns, assess total data volume, selectively download in non-dry-run mode
  8. Report--output report.json with full finding list, credentials extracted, escalation paths confirmed, and roles assumed

Usage

# Install dependencies
pip install -r requirements.txt

# AWS: identify current identity and enumerate permissions
python nebula.py --provider aws --modules recon

# AWS: test all 14 privilege escalation paths
python nebula.py --provider aws --modules privesc

# AWS: harvest credentials from IMDS, Secrets Manager, SSM, Lambda
python nebula.py --provider aws --modules credharvest

# AWS: plant backdoor IAM user
python nebula.py --provider aws --modules persist

# AWS: enumerate and assume all reachable roles
python nebula.py --provider aws --modules lateral

# AWS: find and exfiltrate from S3 (dry-run)
python nebula.py --provider aws --modules exfil --dry-run

# Azure: enumerate subscriptions and privileged assignments
python nebula.py --provider azure --modules recon

# GCP: enumerate IAM bindings and high-value roles
python nebula.py --provider gcp --modules recon

# Full AWS engagement chain
python nebula.py --provider aws --modules all --output cloud-findings.json

# Non-interactive mode
python nebula.py --provider aws --modules all --yes --output results.json

Output

16:03:21 [INFO]  [Recon] Identity: arn:aws:iam::123456789012:user/dev-deploy
16:03:21 [INFO]  [Recon] Account: 123456789012 | Region: eu-west-1
16:03:22 [INFO]  [Recon] Effective permissions: 47 actions across 12 services

16:03:23 [CRIT]  [PrivEsc] Path available: iam:CreatePolicyVersion
16:03:23 [CRIT]  [PrivEsc] Executed: replaced policy → admin policy version set as default
16:03:24 [CRIT]  [PrivEsc] iam:CreateAccessKey path available — admin user: admin-ops
16:03:24 [CRIT]  [PrivEsc] Access key created for admin-ops: AKIAIOSFODNN7EXAMPLE / ...

16:03:25 [CRIT]  [CredDump/IMDS] IMDSv2 token acquired — role: ec2-app-role
16:03:25 [CRIT]  [CredDump/IMDS] Credentials: AccessKeyId=ASIA... Expiration=+1h
16:03:26 [CRIT]  [CredDump/SM] Secret: prod/database/master-password — postgresql://admin:C0nf!dential@db.internal
16:03:27 [CRIT]  [CredDump/Lambda] Function: order-processor — env var DB_SECRET=hardcoded-value

16:03:28 [CRIT]  [Persist] Backdoor IAM user created: aws-health-monitor
16:03:28 [CRIT]  [Persist] AccessKey: AKIAIOSFODNN7EXAMPLE | SecretKey: [stored in output]
16:03:28 [INFO]  [Persist] Cleanup: aws iam delete-user --user-name aws-health-monitor

16:03:29 [INFO]  [Lateral] Assumable roles: 8 found
16:03:30 [CRIT]  [Lateral] Assumed: arn:aws:iam::987654321098:role/OrganizationAccountAccess (cross-account)
16:03:30 [CRIT]  [Lateral] Assumed: arn:aws:iam::123456789012:role/AdminRole

16:03:31 [INFO]  [Exfil] S3 buckets matching keywords: prod-backups (2.3GB), internal-configs (447MB)
16:03:31 [WARN]  [Exfil] Dry-run mode — 2.7GB would be exfiltrated

[✓] Cloud engagement complete — 10 critical findings | report: cloud-findings.json

MITRE ATT&CK Coverage

Technique ID Module
Valid Accounts: Cloud Accounts T1078.004 ReconModule
Abuse Elevation Control Mechanism T1548 PrivEscModule
Unsecured Credentials: Cloud Instance Metadata API T1552.005 CredDumpModule (IMDS)
Unsecured Credentials: Credentials in Files T1552.001 CredDumpModule (user-data, env vars)
Account Manipulation: Additional Cloud Credentials T1098.001 PersistModule
Create Account: Cloud Account T1136.003 PersistModule
Use Alternate Authentication Material T1550 LateralModule (role assumption)
Transfer Data to Cloud Account T1537 ExfilModule
Permission Groups Discovery: Cloud Groups T1069.003 ReconModule

Tactics: TA0001 Initial Access · TA0003 Persistence · TA0004 Privilege Escalation · TA0006 Credential Access · TA0008 Lateral Movement · TA0009 Collection · TA0010 Exfiltration


CWE Coverage Exercised

CWE Description Where
CWE-250 Execution with Unnecessary Privileges IAM privilege escalation paths
CWE-269 Improper Privilege Management Overly permissive IAM policies
CWE-306 Missing Authentication for Critical Function IMDSv1 (no token requirement), Secrets Manager without resource policies
CWE-522 Insufficiently Protected Credentials Lambda env vars, EC2 user-data, SSM parameters
CWE-732 Incorrect Permission Assignment for Critical Resource IAM role trust policies, S3 bucket policies
CWE-200 Exposure of Sensitive Information Secrets Manager, parameter store without KMS

Legal Notice

Nebula is designed exclusively for authorized penetration testing and cloud security assessment activities where explicit written permission has been obtained from the cloud account owner. Creating IAM resources, assuming roles, or accessing cloud credentials without authorization violates cloud provider terms of service and is illegal in most jurisdictions. The author assumes no liability for misuse.

About

Multi-cloud red team framework targeting AWS, Azure, and GCP — IAM privilege escalation, IMDS credential harvest, persistence, role chaining, and S3 exfiltration.

Topics

Resources

License

Contributing

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages