In the cloud-native world of 2025, CLI tools like az, aws, gcloud, and kubectl are omnipresent—pre-installed on VMs, CI/CD agents, and developer laptops. But as we've seen with traditional LOLBins, these tools harbor "dangerous" subcommands ripe for abuse: exfiltrating data, executing remote code, dumping secrets, and more.
This article walks you through building a Python scanner that:
tool --help for each CLI.upload, exec, run-command).Why Build This?
We'll use Python's subprocess for CLI execution and regex for parsing. No external deps needed beyond standard libs. Test in a lab—ensure CLIs are installed and authenticated if required.
az, aws, gcloud, kubectl (e.g., via brew on macOS or chocolatey on Windows).aws configure with test creds) to avoid auth errors in help output.Based on real-world abuse from sources like MITRE ATT&CK, Stratus Red Team, and recent CVEs (e.g., Azure CLI credential leaks), here are flagged keywords:
| CLI | Risky Keywords/Subcommands | Abuse Example (MITRE) |
|---|---|---|
az | storage blob upload, vm run-command, keyvault secret set, keyvault secret list | T1567 (Exfil), T1059 (Exec) |
aws | s3 cp/sync, ssm send-command, lambda invoke, iam list-users/create-policy | T1071 (AppData), T1059.006 (Script) |
gcloud | compute instances start/ssh, storage cp, secrets versions access, run deploy | T1552 (Credentials), T1059 (Exec) |
kubectl | exec, cp, apply/create (with YAML injection), port-forward | T1059.004 (Unix Shell), T1610 (Dep Priv) |
These are starting points—extend as you discover more.
Save this as cloud_lolbin_scanner.py. It:
subprocess to capture --help output.Labs use only!
#!/usr/bin/env python3
"""
Cloud LOLBin Scanner: Parse CLI help for risky subcommands.
Usage: python cloud_lolbin_scanner.py [az|aws|gcloud|kubectl|all]
"""
import subprocess
import re
import sys
from typing import Dict, List, Tuple
# Risky patterns: {cli: [(regex_pattern, risk_score, description)]}
RISKY_PATTERNS = {
'az': [
(r'storage\s+blob\s+upload', 9, 'Data exfil via blob storage'),
(r'vm\s+run-command', 10, 'Remote code execution on VMs'),
(r'keyvault\s+secret\s+(set|list)', 8, 'Secret manipulation/dump'),
],
'aws': [
(r's3\s+(cp|sync)', 9, 'S3 data exfil'),
(r'ssm\s+send-command', 10, 'Remote exec via SSM'),
(r'lambda\s+invoke', 8, 'Serverless payload execution'),
(r'iam\s+(list|create)', 7, 'IAM enumeration/escalation'),
],
'gcloud': [
(r'storage\s+cp', 9, 'GCS data exfil'),
(r'compute\s+(instances\s+start|ssh)', 8, 'VM exec/access'),
(r'secrets\s+versions\s+access', 10, 'Secret dumping'),
(r'run\s+deploy', 7, 'Serverless deployment abuse'),
],
'kubectl': [
(r'exec', 10, 'Shell access to pods'),
(r'cp', 9, 'File transfer to/from pods'),
(r'(apply|create)', 8, 'Resource creation (YAML injection risk)'),
(r'port-forward', 7, 'Tunneling to services'),
]
}
def run_help(cli: str, help_flag: str = '--help') -> str:
"""Run CLI --help and return output."""
try:
result = subprocess.run([cli, help_flag], capture_output=True, text=True, timeout=30)
if result.returncode == 0:
return result.stdout
else:
print(f"Error running {cli}: {result.stderr}")
return ""
except FileNotFoundError:
print(f"{cli} not found. Install it first.")
return ""
except subprocess.TimeoutExpired:
print(f"{cli} --help timed out.")
return ""
def extract_subcommands(help_output: str) -> List[str]:
"""Extract subcommands from help text using regex."""
# Common patterns: indented lines with subcmd names
patterns = [
r'^\s*([a-zA-Z0-9\-]+)\s+.*$', # e.g., "subcmd Description"
r'^\s*[a-zA-Z0-9\-]+\s+([a-zA-Z0-9\-]+)\s+.*$', # Nested
]
subcmds = set()
for pattern in patterns:
matches = re.findall(pattern, help_output, re.MULTILINE)
subcmds.update(matches)
return list(subcmds)
def scan_risks(cli: str, subcmds: List[str]) -> List[Tuple[str, int, str]]:
"""Score subcommands against risky patterns."""
risks = []
patterns = RISKY_PATTERNS.get(cli, [])
for subcmd in subcmds:
for pat, score, desc in patterns:
if re.search(pat, subcmd.lower()):
risks.append((subcmd, score, desc))
break # One match per subcmd
return sorted(risks, key=lambda x: x[1], reverse=True)
def main(target: str = 'all'):
clis = {
'az': ['az', '--help'],
'aws': ['aws', 'help'], # AWS uses 'help' not '--help'
'gcloud': ['gcloud', '--help'],
'kubectl': ['kubectl', '--help'],
}
targets = [target] if target != 'all' else clis.keys()
print(f"# Cloud LOLBin Scan Report ({target})\n")
for cli_name in targets:
if cli_name not in clis:
print(f"Unknown CLI: {cli_name}")
continue
cli_cmd, flag = clis[cli_name]
print(f"## Scanning {cli_name} ({cli_cmd} {flag})\n")
help_out = run_help(cli_cmd, flag)
if not help_out:
continue
subcmds = extract_subcommands(help_out)
risks = scan_risks(cli_name, subcmds)
if risks:
print("### Flagged Risky Subcommands:")
for subcmd, score, desc in risks:
print(f"- **{subcmd}** (Risk: {score}/10): {desc}")
else:
print("No known risky subcommands detected. (Update patterns?)\n")
print(f"Total subcommands parsed: {len(subcmds)}\n")
if __name__ == "__main__":
target = sys.argv[1] if len(sys.argv) > 1 else 'all'
main(target)Install CLIs (if needed):
brew install azure-cli awscli google-cloud-sdk kubernetes-cliExecute:
python cloud_lolbin_scanner.py all # Scan all
python cloud_lolbin_scanner.py az # Just Azure CLISample Output (Snippet for az):
## Scanning az (az --help)
### Flagged Risky Subcommands:
- **storage blob upload** (Risk: 9/10): Data exfil via blob storage
- **vm run-command** (Risk: 10/10): Remote code execution on VMs
- **keyvault secret list** (Risk: 8/10): Secret manipulation/dump
Total subcommands parsed: 156
RISKY_PATTERNS with new abuses (e.g., from Stratus Red Team or Kubernetes RBAC exploits).import json and dump risks to file for SIEM ingestion.tool --version and flag outdated versions (e.g., vulnerable Azure CLI <2.53.1).az storage blob --help) by recursing on high-risk groups.Pro Tip: Run this weekly via cron and alert on new matches. In 2025, with AI-augmented attacks, proactive scanning is your first line of defense.
Lab use only. Update patterns with latest threats. Stay vigilant—the cloud's "built-ins" are attackers' best friends.
Love it? Share this article:
wmicWMIC: The Forgotten Windows Admin Tool That Still Haunts Red Teams and Blue Teams in 2025
Even though Microsoft deprecated WMIC years ago, the binary remains present and fully functional on every modern Windows system in 2025. Red teams love it as a stealthy Living-Off-the-Land binary; blue teams hate it for the exact same reason. Deep-dive into why WMIC refuses to die, real-world abuse examples, detection strategies, and how to finally kill it in your environment.
Nov 29, 2025Tools
lolbinsCloud LOLBins - Living Off the Land in Azure, AWS & GCP (2025)
How attackers abuse cloud CLI tools like azure.exe, aws.exe, gcloud, and kubectl for persistence, lateral movement, and data exfiltration — with real-world code samples.
Nov 11, 2025Cybersecurity
red teamLiving Off the Land Binaries (LOLBins) - The Attacker's Built-in Toolkit
A deep-dive into Living Off the Land Binaries (LOLBins), how attackers abuse legitimate Windows utilities, real-world examples, and a safe lab demonstration with PowerShell and certutil.exe.
Nov 10, 2025Windows
cloudHacking the Cloud: Exploiting Misconfigurations and Identity Flaws
A deep dive into how attackers compromise cloud environments through misconfigurations and identity management weaknesses, with examples, attack paths, and defense strategies.
Aug 8, 2025Cybersecurity