Full Report
Consider a cached access key on a single Windows machine. It got there the way most cached credentials do - a user logged in, and the key stored itself automatically. Standard AWS behavior. No one misconfigured anything or violated a policy. Yet that single key, which was easily accessible to a minor-league attacker, could have opened a path to some 98% of entities in the company's cloud
Analysis Summary
# Tool/Technique: Cloud Identity Attack Paths (Cached Credential Exploitation)
## Overview
This technique involves the exploitation of legitimate, cached authentication tokens and over-privileged "Identity Dark Matter" (human and non-human identities) to traverse from a single compromised endpoint to critical cloud infrastructure. Rather than using traditional malware, attackers leverage the "identity highway"—a chain of permissions across Active Directory, SSO providers, and Cloud Service Providers (CSPs)—to escalate privileges and move laterally.
## Technical Details
- **Type:** Technique / Attack Path
- **Platform:** Windows, AWS, Azure, Hybrid Cloud Environments, AI/LLM Frameworks (MCP servers)
- **Capabilities:** Lateral movement, privilege escalation, cross-boundary traversal (On-prem to Cloud), persistence via non-human identities.
- **First Seen:** Ongoing; specifically highlighted in 2026 threat reports regarding AI agent identities.
## MITRE ATT&CK Mapping
- **[TA0006 - Credential Access]**
- [T1555 - Credentials from Web Browsers]
- [T1528 - Steal Application Access Token]
- **[TA0008 - Lateral Movement]**
- [T1021.001 - Remote Services: Remote Desktop Protocol]
- [T1080 - Taint Shared Content]
- **[TA0004 - Privilege Escalation]**
- [T1078.004 - Valid Accounts: Cloud Accounts]
- [T1548 - Abuse Elevation Control Mechanism]
## Functionality
### Core Capabilities
- **Credential Harvesting:** Extracting cached AWS/Azure access keys or session tokens automatically stored on Windows machines after legitimate user logins.
- **Identity Chaining:** Linking disparate permissions (e.g., a retail endpoint user who is a member of an over-privileged AD group) to reach cloud-native administrative roles.
- **Environment Hopping:** Moving from on-premises infrastructure to cloud production environments using permanent SSO roles that were never deprovisioned.
### Advanced Features
- **AI Agent Exploitation:** Compromising "Non-Human Identities" (NHIs) used by AI tools and Model Context Protocol (MCP) servers. These agents often inherit high-level administrative permissions to perform automated tasks.
- **"Living off the Land" Access:** Executing the entire attack chain using legitimate login events, making detection via traditional signature-based antivirus nearly impossible.
## Indicators of Compromise
- **File Hashes:** N/A (Identity-based attacks often use native CLI tools like `aws-cli` or `azure-cli`).
- **File Names:** `~/.aws/credentials`, `~/.azure/accessTokens.json`
- **Registry Keys:** `HKEY_CURRENT_USER\Software\Amazon\AWS SDK for .NET` (or similar provider-specific paths).
- **Network Indicators:** Connections to legitimate cloud provider APIs (e.g., `sts[.]amazonaws[.]com`, `login[.]microsoftonline[.]com`) from unusual source IP addresses or unexpected endpoints.
- **Behavioral Indicators:**
- Unusual API calls (e.g., `GetCallerIdentity`, `ListBuckets`) immediately following a login from a new device.
- Successive logins across different environment boundaries (On-prem -> Azure -> AWS) in a short timeframe.
## Associated Threat Actors
- **General Cybercriminals:** Leveraging stolen credentials from infostealer logs.
- **Advanced Persistent Threats (APTs):** Using identity paths for long-term espionage without deploying detectable malware.
- **Identity-Centric Groups:** (e.g., Scattered Spider / UNC3944 style tactics).
## Detection Methods
- **Identity Threat Detection & Response (ITDR):** Monitoring for anomalies in entitlements and "impossible travel" scenarios.
- **Behavioral Detection:** Baselines of service account and AI agent behavior; alerting on non-human identities accessing resources outside their typical scope.
- **Graph-Based Analysis:** Mapping all potential paths from a single identity to a high-value asset to identify "choke points."
## Mitigation Strategies
- **Token Hardening:** Implementing shorter Time-to-Live (TTL) for session tokens and enforcing MFA for all CLI/API access.
- **Just-In-Time (JIT) Access:** Using ephemeral credentials instead of long-lived, cached access keys.
- **Least Privilege Enforcement:** Regular "Identity Hygiene" to remove stale SSO roles and over-privileged AI service accounts.
- **NHI Management:** Specifically auditing non-human identities and AI agents used in development pipelines.
## Related Tools/Techniques
- **BloodHound / AzureHound:** Used by both attackers and defenders to map identity attack paths.
- **Pacu / PineApples:** Exploitation frameworks for AWS/Cloud environments.
- **Infostealers:** (e.g., RedLine, Lumma) used to harvest the initial cached credentials.