During an assessment on a client that uses virtual desktop infrastructure in the cloud, a...

In a cloud-hosted VDI scenario, the highest-value next step is typically to identify cloud credentials and configuration artifacts that enable access beyond the single desktop instance. The .aws directory is a well-known location where AWS command-line tooling stores sensitive material such as credential profiles and configuration details (for example, access keys, session tokens, default regions, and named profiles). PenTest+ emphasizes post-exploitation enumeration that targets credential sources capable of expanding access and impact, especially in cloud environments where a single set of keys may permit interacting with storage, compute, identity, and management APIs.

While .ssh can contain private keys useful for pivoting to other servers, in many cloud deployments SSH keys are scoped to specific hosts, whereas cloud access keys can unlock broader control-plane capabilities depending on attached permissions. .zsh_history is valuable for discovering commands and potentially leaked secrets, but it is less direct than immediately checking for structured cloud credentials. User folders like Documents are lower priority compared to credential repositories that can rapidly escalate the assessment’s scope of access.