My talk at Black Hat USA 2023 is now on YouTube! 😁 "Evading Logging in the Cloud: Bypassing AWS CloudTrail" is a look at various methods for evading CloudTrail logging and attacking AWS environments silently.
XSS in the AWS Console? XSS in the AWS Console! I recently found and disclosed two instances of XSS in the AWS console. They are now fixed and here is the writeup. It has everything you can ask for: 0days in AWS, a CSP bypass, and memes.
As someone involved in the AWS offsec space, I want to share why I strongly do NOT recommend the HackTricks AWS Red Team Expert course. The author of it is a plagiarist, stealing content from other creators and directly profiting off of it through sponsorships. A 🧵
Today is an interesting day! I read a report about a threat actor, and for once I'm impressed! This is the first I can remember in which a TA has displayed NEW tradecraft, before researchers have shared it widely. Let's review in this 🧵
For anyone interested, Hacking the Cloud now has a section for Capture the Flag projects! The first is CI/CDon't, an AWS/GitLab CI/CD-themed CTF. All you'd need is Terraform and an AWS account (it is deployed to your AWS account).
New cloud security research! We found a method to bypass CloudTrail logging for specific IAM actions via an undocumented API service! Attackers could perform some reconnaissance activities while being undetected.
It's a beautiful Sunday, so let's chat about hacking AWS environments! In this thread, I want to talk about an interesting quirk with Amazon Cognito, demo why least privilege is the most important thing in the cloud, and emphasize that mitigations aren't always enough. A 🧵
New cloud security research! We found a vulnerability in AWS AppSync that allowed us to trick the AppSync service to assume roles in other accounts, allowing us to access their resources.
I recently found a bug in the AWS API that allows you to enumerate certain permissions for a role without logging to CloudTrail. It affects 645 actions in 40 AWS services. In this thread I'll provide a short tl;dr.
You ever compromise an AWS account and want to run commands on the EC2 instances inside but forget the syntax? Yeah me too. Don't worry though, I've got you covered! Latest article on Hacking the Cloud is a cheat sheet on how to do this and Session Manager
For the past several months I've been working on a project to extract AWS API models from the console. There are a ton of "internal only" and undocumented services/operations. If you're involved in AWS security research you may find it useful.
This is probably the most requested page and it's finally here (well, mostly at least). Hacking The Cloud now has a list of IAM privilege escalation techniques. If you think I've missed some or you'd like to add screenshots/walkthroughs, open a PR!
New cloud security research! We found a method to bypass CloudTrail logging for both read AND write API actions in AWS Service Catalog! In addition, we also reported an issue with a lack of CloudTrail logging in AWS Control Tower.
As security researchers, we don’t often discuss failed research projects. While it may be a bit embarrassing to not succeed, there are still lessons learned from the project. In this thread, I’d like to share research I’ve been doing on-and-off on identifying AWS honeytokens. 🧵
This isn’t a subtweet at any vendor or anything, but I’m pretty sure Twitter beats most threat intel feeds. When your staff are a part of the infosec community and current events, they can inform you faster than a third party vendor.
I wrote up some thoughts around using stolen IAM credentials. This covers how to check if they are valid, how to use them, and covers some operational security concerns along with some potential tips for defenders to detect shady activity.
Ya know, I used to think it was crazy that the OSCP exam was 24 hours long. But at around 3:30 this morning, when I rooted the last box, the delirium caused me to become enlightened. I now understand #TryHarder. I am the enumeration.
Yesterday a gentleman asked if I knew of a way to extract IAM credentials from an AWS console session. My first instinct was to refer them to @christophetd's previous work on the subject. That had me looking for more though. A 🧵
New on Hacking the Cloud! I started cataloging AWS IAM persistence methods, all in one place. This includes some used in the wild by real world adversaries. It's definitely not all possible methods, but it's a good start.
Want to get paid to commit felonies against a Fortune 40? (not really, but I hope that got your attention). My team is hiring/expanding again and we are looking for experienced Penetration Testers. Full remote too! Let me tell you why my team is neat...
If it's useful for anyone, I'm making my AWS API client public. This is what I used to uncover two XSS vulns in the AWS Console and is based off the silent permission enumeration research I did a while ago. I have to stress it is VERY hacky software.
Some exciting news! I'll be speaking at Black Hat USA in August! My talk, "Evading Logging in the Cloud: Bypassing AWS CloudTrail" was accepted! I'll do a deep dive into my research on defense evasion in CloudTrail.
My talk "What I Wish I Knew Before Pentesting AWS Environments" for SANS Pen Test Hackfest 2022 is now on YouTube! Check it out if you're interested in learning more ways to attack AWS environments.
New AWS vulns! We found more ways to bypass AWS CloudTrail! We also describe methods Penetration Testers and Red Teamers can use to evade detection in AWS environments!
So the bad thing I joked about happened. Slightly panicking. I accidentally activated AWS Shield Advanced while fuzzing earlier. It’s very expensive. I’m contacting support, but worried.
Pros of fuzzing AWS APIs: Big attack surface, oddities and inconsistencies everywhere.
Cons: Boy I hope I don't accidentally spawn something that will charge me a ton of money.
Someone brought up best practices when isolating an AWS EC2 instance today which reminded me about security group connection tracking. It's an important topic to know about if you're involved in securing AWS environments. Let's talk about it!
My talk from @fwdcloudsec is on YouTube! I talked about my research on various methods that have succeeded in bypassing CloudTrail and I shared a full-bypass for the EventBridge service (now fixed).
Some VERY cool research from Sam Cox of @tracebit_com: Using a VPC endpoint and discrepancies with logging to CloudTrail to enumerate the AWS account ID of an S3 bucket! Fantastic work!
New from Datadog Security Research! We found a vulnerability in AWS Amplify that exposed IAM roles associated with Amplify projects, making them assumable by anyone in the world! Both the Amplify CLI and Studio had this behavior.
It's official, I passed the OSCP exam on the first try after rooting all 5 exam machines! Shout out to @offsectraining for the incredible course and labs. Just a little while ago I never dreamed I could accomplish this.
How about another real world attacker critique thread? @ExpelSecurity just published a great piece on an intrusion they took care of (Great work team). A thread. 🧵
As the year is wrapping up, I wanted to post a little bit about how Hacking the Cloud is doing. In 2021 we had over 37,277 unique visitors with over 103,042 unique page views in total. That’s around 3000 visitors per month!
…..if you have upwards of 100,000 secrets in a single region in a single account, please DM me. I don’t need specifics, but I’m deeply curious what you’re doing.
AWS Secrets Manager now supports up to 500,000 secrets per account per region, up from 40,000 secrets, simplifying secrets management for SaaS and PaaS applications in #AWS:
AWS fixed an entire category of vulnerability before I could even publish a blog or do a conference talk 😅this would have been fun for pentesters and red teamers.
One final @fwdcloudsec appreciation post: It was legitimately the best con I have ever attended. Hands down. Gathering some of the brightest minds in the cloud security community for two days of AMAZING talks. I had never been in person before and now I will never miss it.
New research out of Datadog Security Labs! It's not every day that cloud security research involves a foreign government. Check out this great research project from @christophetd -
I'll eat my hat if a security bulletin is released in the next few hours, but as of right now there is not one. This is a super interesting vulnerability! Kudos to those who found it! Why doesn't AWS have a public acknowledgement of it and an explanation?
Hacking the Cloud has a pretty big update! We're using a better static site generator that will allow me to spend more time making content. Plus, it looks great!
It appears that there is a phishing campaign going around trying to steal AWS credentials. Be on the lookout in your organization! Major thank you to those sharing these in the AWS Security Forum.
I am so excited to share that I'll be speaking on the main stage of DEF CON next month! I'll be giving my talk "Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access". We'll cover some of my favorite AWS vulns!
I'll be speaking at @fwdcloudsec EU this September on my research finding undocumented AWS APIs! Want a sneak peek? I'm releasing the full dataset that I've been gathering for over a year! The talk will cover how I found these and release a tool to do this!
Tremendous news everyone (in offsec)! There's a bypass for the new GuardDuty InstanceCredentialExfiltration finding! It's via VPC endpoints! (I caution this is with limited testing)
I’ll be at @fwdcloudsec this year! I’m giving the talk “Trust Me Bro: Preexisting Trust is the New Initial Access Vector”! We’ll be kicking in the door to the cloud, covering some vulnerabilities I’ve found in AWS services to get initial access to victim environments.
Pen/Red Teams, if you’re not attacking CI/CD already you’re missing out. It’s RCEaaS. It will pay dividends to intimately know your org’s CI/CD stack, and know how to exploit it.
🛡️ Attacking and Securing CI/CD Pipelines
@rung's talk covers why CI/CD pipeline security is important, relevant breaches, several attack scenarios, and how to defend.
ATT&CK-like matrix for CI/CD Pipelines. Repo 👇
Yo, I don't want to fear monger right now. I feel like people smarter than me would have noticed this by now and put it on Twitter, so I may be wrong. If I'm wrong, please tell me and I will delete this thread. It appears the AWS WAF rule for log4j doesn't apply to headers.
New on Hacking the Cloud: I wrote a short article on using sts:GetFederationToken to maintain persistence, even when the underlying IAM access keys have been deactivated. This is a very important trick for incident responders to be aware of in AWS
@mx_redmond I’d really recommend @acloudguru. Especially the Certified Architect Associate course. It covers all the major services in AWS. If you’re interested in offensive/defensive stuff in AWS you can check out . It’s a slowly growing repo for cloud sec stuff
Psst.. hey, Pentesters and Red Teamers. Do your clients/organizations use Terraform Enterprise? If it’s running in a cloud VM, you may be able to take advantage of a default config allowing you to access the instance metadata service of that host.
Want to mess with bypassing the new GuardDuty CredentialExfiltration finding? This project can build a setup for you! Quickly create an EC2 in a private VPC (no internet access), connect over SSM Sessions, and use the VPC Endpoints to connect to services.
Thank you to everyone who came to my talk at Black Hat! It was an incredible experience. I’ll be doing it again tomorrow at the @cloudvillage_dc! Come hear about all the ways to bypass AWS CloudTrail. There is more research coming out soon!
New from Datadog Security Research! Here's the story of how tracking SNS enumeration activity across multiple customer environments led to the takedown of a phishing site that was impersonating the French government.
First impressions of @fwdcloudsec: "Wow, literally everyone in cloud security is here"
If you're looking to expand your reach for your business and want to get in front of some of the brightest minds in cloud security, consider sponsoring the event next year!
Did you know you can potentially escalate privileges in an AWS account with just iam:PassRole and ec2:RunInstances? Maybe this showed up during a Penetration Test, or maybe it came from an automated tool such as Cloudsplaining (which is awesome btw). Here is what it means... 🧵
If you missed my talk at summer camp it's now on YouTube! Evading Logging in the Cloud: Bypassing AWS CloudTrail. Major thank you to the organizers of @cloudvillage_dc!!
Exciting news! In addition to Black Hat, I'll be speaking at the DEF CON Cloud Village in August! My talk is titled, "Evading Logging in the Cloud: Bypassing AWS CloudTrail". Depending on some timelines I'll likely have some not-previously-made-public things to share!
I'm kinda surprised there isn't a Serverless AWS Specialty cert. Obviously certs are a dubious show of knowledge (This comes from someone who has too many), but because Serverless is such a huge topic in AWS/Cloud in general you'd think they'd enshrine it with its own cert.
AWS recently added data event logging for SNS. This was a problem because I used sns:Publish to do a cloud version of "whoami" without logging to CloudTrail (which GetCallerIdentity does). I've updated Hacking the Cloud with a new method! Happy Hacking!
I’m glad AWS is taking action on this but (constructive criticism) this is a trend for AWS. You point out something is a problem, AWS looks at it and says “works as intended”, then it hits the community and AWS back pedals. It would be great if they took it seriously to start.
Thank you to everyone who brought this article to our attention. We agree that customers should not have to pay for unauthorized requests that they did not initiate. We’ll have more to share on exactly how we’ll help prevent these charges shortly. #AWS #S3
How an empty S3
ATTENTION: THIS IS NOT A DRILL! "public facing security program" in a job listing for a TPM for an "AWS Bug Bounty". AWS Public Bug Bounty confirmed? LEEEEEETTS GOOOOOOO!!!!!!!
New on Hacking the Cloud - AWS Organizations Defaults: A short post on the default behavior of AWS Organizations and how compromising the management account can lead to the compromise of the entire organization.
Great research from the @wiz_io team. I think this really highlights the importance of independent cloud security research. We need more people hunting for these vulnerabilities so they can be properly disclosed before adversaries find them. Attackers ARE targeting CSPs.
⚡️💻 BREAKING: Wiz Research reveals surprising elements of the recent Microsoft Storm-0558 incident — it's much bigger than you thought!
Here's what you need to know:
An incredible study on the state of cloud security across the main cloud service providers. A ton of effort went into this study, and there is a ton to learn from here.
I'm going to put out a blog post soon with more details, but wanted to put this out there for anyone interested. One of the challenges with investigating undocumented AWS APIs at scale is that every single API call needs to be evaluated carefully.
New on Hacking the Cloud! Have you ever wanted to exploit a 3.5 year old AWS bug? Now you can! Read here about bypassing Amazon Cognito’s user enumeration controls.
Inspired by @dagrz's blog on "Getting into AWS cloud security research as a n00bcake", I'm writing a blog post on getting started in AWS security research. What questions would you have for an AWS security researcher? What do you want to know/learn about?
My @fwdcloudsec talk is on YouTube already! "Trust Me Bro: Preexisting Trust is the New Initial Access Vector" is a look at AWS vulns which allowed me to get initial access to victim AWS environments.
I was reminded about this talk today. It's a little over a year old but everything I mentioned should still work. I'd like to do another talk on pentesting AWS next year with some more tricks and tips.
New cloud security research! I found and reported an undocumented AWS API that could be used to leak the account ID of an Amplify app. AWS has since disabled the API.
Nothing major, but I've been looking into SSM for post-exploitation type fun. Long story short, with access to an EC2 instance you can block EC2 Messages (like send-command) and SSM sessions, send arbitrary responses, or snoop on communications.
Me: I'm gonna learn about AWS Amplify today! 😀
10 minutes later: Why are the official docs telling me to create an IAM user with an access key? Especially when there is a functional workaround to use SSO 😠
I'm really surprised that Cloudsplaining has been archived. It was an incredibly useful tool for evaluating IAM policies for known problems. I can't imagine it was a burden to maintain considering its benefits.
I wrote a short post on abusing misconfigured resource-based policies of AWS ECR private registries. They (hopefully) come up rarely, but it can be tricky to remember the syntax to authenticate with them. This step-by-step guide makes it easy :)