{
	"id": "062428f6-3500-45ac-86a2-8acd7073b35c",
	"created_at": "2026-04-06T00:18:29.893038Z",
	"updated_at": "2026-04-10T13:12:39.469691Z",
	"deleted_at": null,
	"sha1_hash": "2655e95379141e91dbe90935508eff56d79d4407",
	"title": "GitHub - RhinoSecurityLabs/ccat: Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 394011,
	"plain_text": "GitHub - RhinoSecurityLabs/ccat: Cloud Container Attack Tool\r\n(CCAT) is a tool for testing security of container environments.\r\nBy jack-ganbold\r\nArchived: 2026-04-02 11:49:55 UTC\r\nrhino ooffffeennssiivvee || ttooooll\r\n ppyytthhoonn 33..55 || 33..66 || 33..77 lliicceennssee BSD PRs wweellccoommee\r\nCloud Container Attack Tool (CCAT) is a tool for testing security of container environments.\r\nQuick reference\r\nWhere to get help: the Pacu/CloudGoat/CCAT Community Slack, or Stack Overflow\r\nWhere to file issues: https://github.com/RhinoSecurityLabs/ccat/issues\r\nMaintained by: the Rhino Assessment Team\r\nRequirements\r\nPython 3.5+ is required.\r\nDocker is required. Note: CCAT is tested with Docker Engine 19.03.1 version.\r\nNamed profile is required for using AWS functionality.\r\nA service account or access token is required for using GCP functionality.\r\nhttps://github.com/RhinoSecurityLabs/ccat\r\nPage 1 of 3\n\nInstallation\r\nWe recommend using the provided Docker image to run CCAT, so that you will not face any difficulty\r\nwith the required dependencies on your own system.\r\nInstall CCAT from source\r\n $ git clone https://github.com/RhinoSecurityLabs/ccat.git\r\n $ cd ccat\r\n $ python3 setup.py install\r\n $ python3 ccat.py\r\nUse CCAT's Docker Image\r\nWarning: Running this command will mount your local AWS configuration files into the Docker\r\ncontainer when it is launched. This means that any user with access to the container will have access to\r\nyour host computer's AWS credentials.\r\nWarning: Running this command will mount your local Unix socket that Docker daemon listens on by\r\ndefault into the Docker container when it is launched. 
This means that users with access to the container\r\nwill have access to your Docker daemon, meaning they could escape to your host computer with ease.\r\n $ docker run -it -v ~/.aws:/root/.aws/ -v /var/run/docker.sock:/var/run/docker.sock -v ${PWD}:/app/ rhinosecu\r\nGetting Started\r\nExample Usage\r\nBelow is an example scenario to demonstrate the usage of CCAT.\r\nStarting with compromised AWS credentials, the attacker enumerates and explores ECR repositories. Then, the\r\nattacker finds that they use an NGINX Docker image and pulls that Docker image from ECR. Furthermore, the\r\nattacker creates a reverse shell backdoor into the target Docker image. Finally, the attacker pushes the backdoored\r\nDocker image to ECR.\r\nExploitation Route:\r\nVIDEO Exploitation Route Walkthrough with CCAT:\r\nVisit Step by Step Scenario Page.\r\nRoadmap\r\nContainer Escape Features\r\nAmazon ECS Attack Features\r\nAmazon EKS Attack Features\r\nAzure Container Related Attack Features\r\nGCP Container Related Attack Features\r\nOpenShift Container Related Attack Features\r\nIBM Cloud Container Related Attack Features\r\nAlibaba Cloud Container Related Attack Features\r\nDisclaimer\r\nCCAT is a tool that comes with absolutely no warranties whatsoever. By using CCAT, you take full\r\nresponsibility for any and all outcomes that result.\r\nSource: https://github.com/RhinoSecurityLabs/ccat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/RhinoSecurityLabs/ccat"
	],
	"report_names": [
		"ccat"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434709,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2655e95379141e91dbe90935508eff56d79d4407.pdf",
		"text": "https://archive.orkl.eu/2655e95379141e91dbe90935508eff56d79d4407.txt",
		"img": "https://archive.orkl.eu/2655e95379141e91dbe90935508eff56d79d4407.jpg"
	}
}