This article details how attackers can misuse AWS CLI aliases to stealthily maintain persistence in cloud environments. It explains the mechanics of creating malicious aliases that preserve normal command functionality while executing harmful actions, such as credential exfiltration. A proof of concept demonstrates the technique in action.

Attackers can exploit AWS CodeBuild to gain long-term access to compromised accounts by configuring it as a GitHub Actions runner and backdooring an IAM role. This process allows them to persistently execute commands in the AWS environment, even after the original credentials are revoked. Defenders must monitor CloudTrail logs and audit IAM trust relationships to detect such abuses.