S3 / Blob / GCS Mass Exfil
ListObjects + GetObject loop across discovered buckets — straight data theft.
§ Where this technique fits
C-S3-EXFIL is catalogued under the Collection tactic of the offensive-security kill-chain. It appears in 4 approved dossiers in the registry, at step 4.3 on average.
§ Dossiers chaining this technique
- step 2 / 7
Public bucket → CI/CD secret leak → cloud takeover
A public S3 bucket hosts a build artefact containing CI tokens / .env files. Use them to push to the prod CI/CD pipeline and gain a deploy role.
- step 4 / 5
WAF SSRF → IMDS → S3 mass exfil (Capital One 2019)
A misconfigured ModSecurity rule on a customer-facing app allowed SSRF; SSRF hit EC2 IMDSv1 for the instance role; the role had ListBucket + GetObject on a major customer-data bucket.
- step 5 / 7
Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)
An attacker compromised a single LastPass DevOps engineer's home machine via an outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, and exfiltrated production vault data.
- step 6 / 6
Secret echoed to public build log → cloud takeover
A workflow accidentally runs `env` or `set -x` during debugging — the AWS access key is now in public CI logs and indexed by Google Cache / GitHub search.
§ What commonly comes next
- 01 · Cloud SSRF → IMDS → Bucket Exfil (Capital One 2019) · seen 1× · APT-CAPITAL-ONE-SSRF · Initial Access
- 02 · Dev-Workstation Backup Exfil (LastPass 2022) · seen 1× · APT-LASTPASS-DEV · Initial Access
- 03 · Hardcoded Secrets in JS Bundles · seen 1× · W-RECON-JS-SECRETS · Reconnaissance