
Overview

The CloudCredentials command searches the system for cloud provider credential files: AWS, Google Cloud Platform (GCP), Azure and IBM Bluemix. These files typically hold API keys, access tokens and other authentication material that grants direct access to cloud resources, so finding one on an endpoint is usually equivalent to finding a usable cloud identity. Important: like all Seatbelt user commands, it runs against the current user's profile when not elevated and against ALL user profiles when elevated.

Syntax

Seatbelt.exe CloudCredentials
No additional arguments are supported. This command supports remote execution.

Output

The command returns, for each credential file it finds:
  • AWS credential files (%USERPROFILE%\.aws\credentials)
  • Google Cloud credential files (the gcloud SDK store under AppData\Roaming\gcloud)
  • Azure credential files and token caches (under %USERPROFILE%\.azure)
  • IBM Bluemix/Cloud credentials
  • The file path, last-modified timestamp and size
  • Whether the file is readable from the current context; the listing is metadata only, so a file must be retrieved separately to inspect its contents

Use Cases

Red Team

  • Cloud Access: Discover credentials for lateral movement into cloud environments
  • Privilege Escalation: Find cloud service credentials that may have elevated permissions
  • Multi-Cloud Reconnaissance: Identify which cloud platforms the organization uses
  • Credential Harvesting: Collect API keys and access tokens for cloud services
  • Persistence: Identify cloud access methods for maintaining long-term access

Blue Team

  • Credential Hygiene: Locate improperly stored cloud credentials on endpoints
  • Security Audit: Identify users storing cloud credentials in plaintext
  • Compliance Checking: Ensure cloud credentials follow organizational security policies
  • Incident Response: Quickly identify potentially compromised cloud credentials
  • Data Loss Prevention: Find sensitive cloud authentication material on workstations

Example Output

====== CloudCredentials ======

  AWS Credentials
    FilePath          : C:\Users\john\.aws\credentials
    LastModified      : 2024-10-15 08:30:22
    FileSize          : 156 bytes
    Readable          : True

  Google Cloud
    FilePath          : C:\Users\john\AppData\Roaming\gcloud\credentials.db
    LastModified      : 2024-10-18 14:22:10
    FileSize          : 8192 bytes
    Readable          : True

  Azure
    FilePath          : C:\Users\john\.azure\accessTokens.json
    LastModified      : 2024-10-19 09:15:33
    FileSize          : 2048 bytes
    Readable          : True

Privilege Context

  • Non-Elevated: Searches for cloud credential files in the current user’s profile only
  • Elevated: Searches for cloud credential files across all user profiles on the system, providing comprehensive cloud credential discovery
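The following is an added example, not Seatbelt's own code, showing the non-elevated versus elevated search described above over the file locations listed under Output. It builds a constructed profile tree in a temporary directory with fake, non-functional key material; the .bluemix path, the profile root layout and the profile names are assumptions. It also adds a small hygiene check the page's Blue Team use cases call for: AWS profiles whose access key ID starts with AKIA are long-term keys (ASIA denotes temporary STS keys), so they are the ones worth rotating first.

```python
"""Enumerate cloud credential files across user profiles (added example).

Mirrors the locations the page lists for CloudCredentials. The profile
root, the sample users and the .bluemix path are assumptions.
"""
import configparser
import os
import tempfile
from datetime import datetime

# Relative paths (from a profile root) the page lists for CloudCredentials.
# The .bluemix entry is an assumption; the page gives no path for it.
CLOUD_CREDENTIAL_FILES = {
    "AWS": [os.path.join(".aws", "credentials")],
    "Google Cloud": [os.path.join("AppData", "Roaming", "gcloud", "credentials.db")],
    "Azure": [os.path.join(".azure", "accessTokens.json")],
    "IBM Bluemix": [os.path.join(".bluemix", "config.json")],  # assumed path
}


def find_cloud_credentials(profiles_root, elevated=False, current_user=None):
    """Return metadata for each credential file found.

    Non-elevated: only current_user's profile is searched.
    Elevated: every directory under profiles_root is treated as a profile.
    """
    if elevated:
        users = sorted(os.listdir(profiles_root))
    else:
        if current_user is None:
            raise ValueError("current_user is required when not elevated")
        users = [current_user]
    hits = []
    for user in users:
        profile = os.path.join(profiles_root, user)
        for provider, rel_paths in CLOUD_CREDENTIAL_FILES.items():
            for rel in rel_paths:
                path = os.path.join(profile, rel)
                if not os.path.isfile(path):
                    continue
                st = os.stat(path)
                hits.append({
                    "provider": provider,
                    "user": user,
                    "path": path,
                    "size": st.st_size,
                    "modified": datetime.fromtimestamp(st.st_mtime).strftime("%Y-%m-%d %H:%M:%S"),
                    "readable": os.access(path, os.R_OK),
                })
    return hits


def long_lived_aws_keys(credentials_path):
    """Return AWS profile names holding long-term access keys (AKIA...).

    Temporary STS keys start with ASIA and expire on their own; AKIA keys
    do not. Only the key-ID prefix is inspected; secrets are never returned.
    """
    cp = configparser.ConfigParser()
    cp.read(credentials_path)
    return [s for s in cp.sections()
            if cp.get(s, "aws_access_key_id", fallback="").startswith("AKIA")]


def build_sample_profiles():
    """Create a constructed profile tree with fake credential files."""
    root = tempfile.mkdtemp(prefix="profiles_")

    def write(user, rel, content):
        path = os.path.join(root, user, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)

    # Fake, non-functional key material constructed for this example.
    write("john", os.path.join(".aws", "credentials"),
          "[default]\naws_access_key_id = AKIAEXAMPLE0000000000\n"
          "aws_secret_access_key = not-a-real-secret\n"
          "[temp]\naws_access_key_id = ASIAEXAMPLE0000000000\n"
          "aws_secret_access_key = not-a-real-secret\naws_session_token = x\n")
    write("john", os.path.join(".azure", "accessTokens.json"), "[]")
    write("alice", os.path.join("AppData", "Roaming", "gcloud", "credentials.db"), "sqlite-stub")
    return root


if __name__ == "__main__":
    root = build_sample_profiles()
    print("non-elevated (john):", find_cloud_credentials(root, current_user="john"))
    print("elevated (all users):", find_cloud_credentials(root, elevated=True))
    aws = os.path.join(root, "john", ".aws", "credentials")
    print("long-lived AWS profiles:", long_lived_aws_keys(aws))
```

Run as a script it prints john's two files for the non-elevated case and alice's gcloud store in addition for the elevated case; only the "default" AWS profile is flagged as long-lived.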

Remote Execution

This command supports remote execution (marked with + in the command list). Remote syntax:
Seatbelt.exe CloudCredentials -computername=TARGET.domain.com -username=DOMAIN\user -password=pass

Detection Considerations

Indicators

  • File system enumeration in user profile directories
  • Access to cloud provider configuration directories (.aws, .azure, .config/gcloud)
  • Reading credential files and token caches
  • Pattern-based searching for cloud credential file names

Defensive Monitoring

  • Monitor access to cloud credential directories by non-cloud-CLI processes
  • Alert on automated enumeration of cloud configuration paths
  • Track processes reading cloud credential files
  • Log unusual access patterns to credential storage locations
  • Detect bulk reading of credential files across multiple user profiles
  • Monitor for credential file exfiltration attempts
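The following is an added example, not part of the original page, that turns two of the indicators above into detection logic: a process outside the expected cloud CLIs reading a cloud credential path, and one process reading credential files across several user profiles (the elevated, all-users pattern). The events are constructed, Sysmon-style file-access records; the field layout, the reader allow-list and the profile threshold are assumptions to tune per environment.

```python
"""Detect suspicious cloud-credential file access (added example).

Runs over constructed file-access events shaped like Sysmon file events.
Field layout, allow-list and threshold are assumptions for illustration.
"""
import re
from collections import defaultdict

# Directory fragments the page names as cloud credential locations,
# rooted under a user profile so the profile name can be captured.
CLOUD_CRED_PATTERN = re.compile(
    r"\\Users\\(?P<user>[^\\]+)\\("
    r"\.aws\\|\.azure\\|\.bluemix\\|AppData\\Roaming\\gcloud\\)",
    re.IGNORECASE,
)

# Processes expected to read these files (assumed allow-list).
EXPECTED_READERS = {"aws.exe", "az.cmd", "gcloud.cmd", "ibmcloud.exe"}

# Constructed events: (timestamp, process image, target file path)
SAMPLE_EVENTS = [
    ("2024-10-20T09:00:01", r"C:\Program Files\Amazon\AWSCLIV2\aws.exe",
     r"C:\Users\john\.aws\credentials"),
    ("2024-10-20T09:05:10", r"C:\Temp\Seatbelt.exe", r"C:\Users\john\.aws\credentials"),
    ("2024-10-20T09:05:10", r"C:\Temp\Seatbelt.exe", r"C:\Users\john\.azure\accessTokens.json"),
    ("2024-10-20T09:05:11", r"C:\Temp\Seatbelt.exe",
     r"C:\Users\alice\AppData\Roaming\gcloud\credentials.db"),
    ("2024-10-20T09:05:11", r"C:\Temp\Seatbelt.exe", r"C:\Users\bob\.bluemix\config.json"),
    ("2024-10-20T09:30:00", r"C:\Windows\explorer.exe", r"C:\Users\john\Documents\notes.txt"),
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_cloud_credential_access(events, bulk_threshold=2):
    """Return (unexpected_reader_alerts, cross_profile_alerts).

    unexpected_reader: a non-allow-listed process touched a credential path.
    cross_profile_bulk_read: one process touched credential paths in at
    least bulk_threshold distinct user profiles, which normally requires
    elevation and matches an all-users enumeration.
    """
    unexpected = []
    users_by_process = defaultdict(set)
    for ts, image, target in events:
        m = CLOUD_CRED_PATTERN.search(target)
        if not m:
            continue  # not a cloud credential location
        user = m.group("user").lower()
        users_by_process[image].add(user)
        if image_name(image) not in EXPECTED_READERS:
            unexpected.append({"rule": "unexpected_reader", "time": ts,
                               "process": image, "user": user, "file": target})
    bulk = [{"rule": "cross_profile_bulk_read", "process": image, "users": sorted(users)}
            for image, users in users_by_process.items() if len(users) >= bulk_threshold]
    return unexpected, bulk


if __name__ == "__main__":
    for alert in sum(detect_cloud_credential_access(SAMPLE_EVENTS), []):
        print(alert)
```

On the sample data the aws.exe read of john's credentials is silent, the four Seatbelt.exe reads each raise an unexpected_reader alert, and Seatbelt.exe alone trips the cross-profile rule for alice, bob and john. In production the allow-list should be keyed on a signed image path rather than a bare file name, since a renamed binary defeats the name check.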

Security Recommendations

  • Store cloud credentials using secure credential managers
  • Implement short-lived tokens and rotate credentials regularly
  • Use environment variables or secure vaults instead of file-based credentials
  • Enable MFA for cloud service access
  • Monitor cloud API usage for anomalies

Related Commands

  • azuread: Returns AzureAD information
  • CloudSyncProviders: Lists configured Office 365 and OneDrive sync providers
  • EnvironmentVariables: May reveal cloud-related environment settings
  • WindowsCredentialFiles: Finds Windows credential DPAPI blobs
  • WindowsVault: Enumerates credentials saved in Windows Vault