This suite provides tools for cloud privilege escalation across Azure, GCP, and AWS, targeting red teamers and security professionals. It enumerates principal permissions and maps them to potential attack vectors, leveraging HackTricks Cloud insights and an optional AI analysis.

How It Works

The suite comprises specialized scripts for each cloud provider: AzurePEAS, GCPPEAS, and AWSPEAS. Each tool enumerates permissions using provider-specific APIs and techniques, such as ARM/Graph API for Azure, IAM policy retrieval and testIamPermissions for GCP, and IAM policy enumeration, simulation, and brute-force API calls for AWS. This multi-pronged approach aims to maximize discovery of accessible resources and potential privilege escalation paths without modifying existing configurations.

Quick Start & Requirements

• AzurePEAS: python3 ./AzurePEAS.py --help requires Azure ARM and Graph API tokens, or FOCI refresh token/credentials for M365 enumeration.
• GCPPEAS: python3 ./GCPPEAS.py --help requires GCP access token or service account credentials. Enabling cloudresourcemanager.googleapis.com may be necessary.
• AWSPEAS: python3 ./AWSPEAS.py --help requires a configured AWS profile and the AWS CLI.

Highlighted Details

• AzurePEAS can enumerate Microsoft 365 services (SharePoint, OneDrive, Outlook, Teams) with appropriate credentials.
• GCPPEAS supports brute-forcing permissions via testIamPermissions and can use a billing project to bypass service enablement issues.
• AWSPEAS includes canary account detection and permission inference using aws-Perms2ManagedPolicies.
• All tools offer an option (--not-use-hacktricks-ai) to disable AI-driven permission analysis.

Maintenance & Community

The project is actively maintained by carlos.polop. Further community engagement details are not specified in the README.

Licensing & Compatibility

The README does not explicitly state a license. Compatibility for commercial use or closed-source linking is not detailed.

Limitations & Caveats

Some Azure permissions may require additional scopes. GCPPEAS might encounter false negatives if IAM policies are not directly accessible. AWSPEAS's canary detection might occur after initial API interaction.