This article details how attackers can misuse AWS CLI aliases to stealthily maintain persistence in cloud environments. It explains the mechanics of creating malicious aliases that preserve normal command functionality while executing harmful actions, such as credential exfiltration. A proof of concept demonstrates the technique in action.

PowerDodder is a stealthy post-exploitation utility that embeds execution commands into frequently accessed but rarely modified script files, minimizing detection by traditional security measures. It scans for potential script files, allows users to append payload commands, and preserves the original file's modification timestamps to evade scrutiny. The tool's name reflects its method of attaching to host scripts for persistent execution.