Pathfinding Labs: Deploy, test, and learn from 100+ intentionally vulnerable AWS environments

Pathfinding Labs introduces intentionally vulnerable AWS environments that complement the pathfinding.cloud catalog by letting defenders, red teamers, and tool builders deploy, exploit, and clean up real misconfiguration scenarios in a sandbox. The project spans more than 100 Terraform-based labs, the plabs Go CLI, and validation workflows for privilege escalation, cross-account access, CSPM testing, and graph-based cloud security analysis. #pathfinding.cloud #PathfindingLabs #plabs #StratusRedTeam

Keypoints

  • Pathfinding Labs is a collection of intentionally vulnerable AWS environments designed for safe deployment in sandbox accounts.
  • The project includes a catalog, more than 100 Terraform labs, and the plabs Go CLI for enabling, deploying, demoing, and disabling labs.
  • Each lab includes a documented exploit path, CTF-style hints, and a demo_attack.sh script that validates the misconfiguration end to end.
  • The labs cover privilege escalation, CSPM misconfigurations, toxic combinations, multi-hop attacks, and cross-account attack paths.
  • Pathfinding Labs is positioned as the CSPM counterpart to Stratus Red Team, which is used for Cloud SIEM detection validation.
  • The labs are meant to help teams test whether CSPM tools detect exploitable cloud misconfigurations before attackers can abuse them.
  • The project warns users to deploy only in isolated sandbox accounts and to destroy resources after use with plabs destroy.

MITRE Techniques

  • [T1078] Valid Accounts – Attack paths often involve obtaining the permissions of another principal and moving through roles or credentials to reach the target (‘an attacker lands on a workload, retrieves credentials, assumes a role, invokes a function, and reaches the data they were after’).
  • [T1098] Account Manipulation – The labs focus on AWS IAM privilege escalation paths where one principal can gain the permissions of another through misconfiguration (‘a catalog of AWS IAM privilege escalation techniques’).
  • [T1552] Unsecured Credentials – The text describes attackers retrieving credentials as part of the cloud compromise sequence (‘retrieves credentials’).
  • [T1562] Impair Defenses – The project is designed to test whether security controls detect exploitable misconfigurations before exploitation, including overly permissive roles and public resources (‘does your CSPM identify each type of exploitable misconfiguration before an attacker can exploit it?’).
  • [T1021] Remote Services – Cross-account and multi-hop paths rely on chained access to cloud services and roles (‘multi-hop and cross-account privilege escalation path’).
  • [T1484] Domain or Policy Modification – The labs simulate AWS IAM privilege escalation through role and permission configuration issues (‘overly permissive roles’).

Indicators of Compromise

  • [URL] project resources and documentation – pathfinding.cloud/labs, github.com/DataDog/pathfinding-labs
  • [File/Script Name] lab automation and cleanup – plabs, demo_attack.sh, plabs destroy
  • [AWS Resource Type] vulnerable cloud assets used in labs – publicly accessible S3 buckets, internet-facing Lambda functions, administrative users
  • [Infrastructure as Code] lab deployment format – Terraform modules, Terraform repository clone, and 100+ deployable labs

Read more: https://securitylabs.datadoghq.com/articles/introducing-pathfinding-labs/