Add Console /tb/creds endpoint credential extraction technique #491

Merged: Frichetten merged 2 commits into Hacking-the-Cloud:main from AI-redteam:main on Feb 2, 2026

@AI-redteam
Contributor

Adds a novel credential extraction technique that doesn't require CloudShell. The AWS Console fetches temporary IAM credentials from undocumented /{service}/tb/creds endpoints (e.g., /s3/tb/creds, /ec2/tb/creds) which can be intercepted via browser DevTools or automated with the clier browser extension.

Unlike CloudShell, this works on any Console page and captures service-scoped credentials passively. These credentials can be used outside the Console and bypass any and all IAM controls on cred access except sourceIP and sourceVPC conditions, which themselves break most access models. Does not provide perms further than what is available for that principal.

Includes manual replication steps, tool reference, and detection considerations.

References

Added detailed instructions for extracting IAM credentials via AWS Console service endpoints, including manual and automated methods.

@Frichetten
Contributor

Thank you for this! This is fantastic! I've never seen anyone take advantage of (or even talk about) the temporary creds coming from the Console. I will review this post and tool and let you know if I run into any trouble.

Just wanted to drop you a note that I saw this and am working on it.

@AI-redteam
Contributor Author

Awesome, thank you! Yeah lmk if you need anything I can add more or less info :)

@Frichetten
Contributor

Hey there 👋 Everything looks good on my end! Two questions, do you have a preferred name I can put for you to be co-author of the article at the top? It's okay if you want to use an alias, or you can use your real name. Whichever you prefer.

Second, do you have preferred social media accounts? When we add new articles/content to the site I typically do a shoutout on LinkedIn, Twitter, Mastodon, and Bluesky so I would love to tag you. Totally optional, but let me know!

Once I have both of those we can release this Monday morning :D

@AI-redteam
Contributor Author

Hey, thank you! I am Ben Stevens!

https://www.linkedin.com/in/benjamin-stevens-analyst/

And

https://x.com/AI_red_team

@Frichetten
Contributor

Awesome, thank you again!

Frichetten merged commit cdc367a into Hacking-the-Cloud:main on Feb 2, 2026
1 check passed