{
	"id": "568edfb6-79a2-4d72-b007-4e21b60c312c",
	"created_at": "2026-04-06T00:18:25.533149Z",
	"updated_at": "2026-04-10T03:19:58.457905Z",
	"deleted_at": null,
	"sha1_hash": "1106a71a0f319709cddd41041b1bb66509ec10cd",
	"title": "Exploiting AWS ECR and ECS with the Cloud Container Attack Tool (CCAT)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 793753,
	"plain_text": "Exploiting AWS ECR and ECS with the Cloud Container Attack\r\nTool (CCAT)\r\nBy Jack Ganbold\r\nPublished: 2019-08-27 · Archived: 2026-04-05 21:17:23 UTC\r\nUPDATE: As of 10/03/19, CCAT now supports Container Registry on GCP!\r\nIntroduction\r\nDocker and other container technologies are becoming increasingly popular and are being adopted by many\r\ncompanies. In recent cloud pentesting engagements, we have similarly noticed that many of our clients use\r\ncontainer technology to run their systems. Although there has been research and tool development on containers\r\nand their security, most of those are focused on image analysis and finding known vulnerabilities. \r\nDue to this lack of tools, we decided to build one for ourselves and named it the Cloud Container Attack Tool\r\n(CCAT for short). CCAT is different in that it utilizes containers for exploitation in the cloud through backdoors\r\nand malicious Docker images.  In this post, we will dive into what this tool does and how to use it to leverage\r\nDocker for attacks against AWS ECS and ECR.\r\nDocker Containers on AWS\r\nAWS supports running Docker in order to provide users with a “highly reliable, low-cost way to build, ship, and\r\nrun distributed applications.” For those unfamiliar, the following are a few different services built for working\r\nwith containers in AWS.\r\nAmazon ECS, EKS, and ECR\r\nOne method of running containers on AWS is through Amazon Elastic Container Service (ECS). Amazon ECS is\r\n“a highly scalable, high-performance container management service.” \r\nAmazon Elastic Container Service for Kubernetes (EKS) is another service that can be used to run containers on\r\nAWS. It allows you to “deploy, manage, and scale containerized applications using Kubernetes on AWS.”\r\nAmazon Elastic Container Registry (ECR) is a container repository used to store Docker images. 
The images are\r\nencrypted and compressed at rest so that they are quick to pull and secure.\r\nBoth Amazon ECS and EKS can pull Docker images directly from Amazon ECR when deploying containers.\r\nThrough this, we can use backdoored containers to compromise massive environments with ease.\r\nThe Cloud Container Attack Tool\r\nhttps://rhinosecuritylabs.com/aws/cloud-container-attack-tool/\r\nPage 1 of 5\n\nWe created the Cloud Container Attack Tool (CCAT) for testing the security of cloud container environments.\r\nCurrently, CCAT (pronounced “sea cat”) is only compatible with AWS; however, we are working on expanding it\r\nto support other cloud vendors and adding more exciting features. \r\nYou can find CCAT on our GitHub here.\r\nHow to Install CCAT\r\nBelow are the prerequisites for installing CCAT:\r\nPython 3.5+ is required.\r\nDocker is required. Note: CCAT is tested with the Docker Engine 19.03.1 version.\r\nAn AWS named profile is required.\r\nOnce you have all of the prerequisites, there are a few different ways to install CCAT–from source code or\r\nusing CCAT’s Docker image.\r\nInstalling from source code:\r\ngit clone https://github.com/RhinoSecurityLabs/ccat.git\r\ncd ccat\r\npython3 setup.py install\r\npython3 ccat.py\r\nInstalling using CCAT’s Docker image:\r\ndocker run -it -v ~/.aws:/root/.aws/ -v /var/run/docker.sock:/var/run/docker.sock -v ${PWD}:/app/ rhi\r\n-v ~/.aws:/root/.aws/ \r\nThis argument mounts your local AWS configuration files into the Docker container when it is launched. This\r\nmeans that any user with access to the container will have access to your host computer’s AWS CLI credentials.\r\n-v /var/run/docker.sock:/var/run/docker.sock\r\nThis argument mounts the local Unix socket that the Docker daemon listens on by default into the Docker container\r\nwhen it is launched. 
This means that users with access to the container will have access to your Docker daemon,\r\nmeaning they could escape to your host computer with ease.\r\nExploitation Walkthrough with CCAT\r\nIn order to demonstrate how to use CCAT, we will run through a small example scenario below, where an attacker\r\nuses CCAT to abuse compromised AWS credentials for further exploitation in the AWS environment.\r\n1. The attacker explores the AWS environment and discovers they are able to list ECR repositories using\r\ncompromised AWS credentials.\r\nUsing the “Enumerate ECR” module to collect information about ECR repositories and list the collected\r\nrepositories\r\n2. The attacker finds that their target uses an NGINX Docker image and pulls that Docker image from ECR.\r\nUsing the “Pull Repos from ECR” module to download the target ECR repository\r\n3. The attacker decides to create a reverse shell backdoor in the pulled NGINX Docker image.\r\nThis module generates a Dockerfile on the fly and builds a new Docker image from that file.\r\nUsing the “Docker Backdoor” module to generate a Dockerfile, add the reverse shell configuration, and overwrite\r\nthe default CMD command\r\n4. Finally, the attacker pushes the backdoored Docker image to ECR.\r\nUsing the “Push Repos to ECR” module to push a backdoored image\r\nIf you encounter any issues with the installation or usage of CCAT, please open an issue on the GitHub page.\r\nConclusion\r\nWe built CCAT to help the community better understand the security implications of container-based services,\r\nespecially due to containers’ increasing popularity and the lack of offensive tools in the space. 
We are actively\r\nworking to add more exciting container exploitation features and to support multi-cloud vendors.\r\nFor defensive purposes, you can use the Docker Bench for Security scripts to check common best practices for\r\ndeploying Docker containers in production. For Kubernetes, you can also use Kube-hunter to hunt for security\r\nissues in your Kubernetes clusters. \r\nIf you’d like to talk AWS security or get some help with CCAT from the developers, join our community Slack\r\nteam: the Pacu/CloudGoat/CCAT community Slack.\r\nSource: https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/"
	],
	"report_names": [
		"cloud-container-attack-tool"
	],
	"threat_actors": [],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1106a71a0f319709cddd41041b1bb66509ec10cd.pdf",
		"text": "https://archive.orkl.eu/1106a71a0f319709cddd41041b1bb66509ec10cd.txt",
		"img": "https://archive.orkl.eu/1106a71a0f319709cddd41041b1bb66509ec10cd.jpg"
	}
}