
Grappling for Evil in the Cloud

BSides Prishtina, 15:57, 70 views, published 2024-09
Style: Talk
About this talk
With all these cyber shenanigans on the rise, especially from the likes of LUCR3, LUCR1 and TeamTNT, who seem to love stirring up trouble during holidays, companies are feeling the heat. Our Permiso P0 lab crew noticed a bunch of these troublemakers causing problems during holiday seasons, so we decided to do something about it. That's why we came up with this tool: it's like our cyber detective, checking your digital turf for the sneaky moves cloud troublemakers usually pull. Cloudgrappler is a purpose-built tool designed for effortless querying of high-fidelity, single-event detections related to well-known threat actors in popular cloud environments such as AWS and Azure. It runs cloudgrep in the background, an established tool developed by Cado Security that does exactly what its name suggests, and wraps it with our Tactics, Techniques, and Procedures (TTPs). This integration lets users query for and gather the latest threat intelligence, making Cloudgrappler a robust asset for any organization keen on assessing potential security incidents and determining the impact of an attack. Come and learn how the open-source Cloudgrappler framework can provide clarity for threat hunters and detection engineers alike, helping defenders detect potential security incidents in their companies.
Transcript [en]

Good morning everyone, thanks for coming to my talk about Grappling for Evil in the Cloud, where we'll discuss our open source tool called Cloud Grappler. A short presentation about me: I'm Andi Ahmeti. I've been working as an associate threat researcher at Permiso Security for almost a year now. I'm an author of an open source tool called Cloud Grappler and a co-author of another tool, which is Cloud Console Cartographer, which I had the pleasure to present with my manager DBO, or Daniel Bohannon, at Black Hat Asia two weeks ago. Let's start with the agenda: we're going to talk about the introduction part, about the role of logs, the cloud logs for defenders, we're going to hunt for evil with Cloud Grappler, and last a tool demo if we have time.

What is the role of logs in incident response, blue teaming, any of the above? A log is a fact which could lead to a potential incident, but not always. Logs are visibility: having visibility on your environment, you can see who does what and you can check the identities behind their actions. Always make sure to enable them. Some services enable them by default, some others don't; always make sure to enable them, because if an attacker comes by, they won't do that for you. After enabling them, always store them to a secondary location. You don't want to have a single point of failure where an attacker comes and deletes all of your logs, so you are blindsided over there. After storing them to a secondary location, aggregate them, correlate them, and the most important thing, hunt for evil in that environment, because all of those previous bullet points have only one single purpose, and that's finding the presence of evil in your environment.

Next we're going to talk about cloud logs for defenders. First of all, they are determined by the cloud provider: some services choose to log different things that the other service won't. One clear example is that the AWS console logs all your clicks, including the read-only ones, and Azure tends not to log enumeration clicks like listing users, listing policies, so that's a clear example. You have a delay in log generation, and that depends on many factors like network connection, and the most important one, the retention limit: some services choose to save your logs, or to store them, for a 19-day period, some others do a 16-day period, and that's the clear example of the first bullet point. And the last and most important one, they are far more abstract than others, and by others I mean the on-premise logs. If you were to check the on-premise logs you can see they are far more granular: you have file contents, file writes, system logs, etc. So you kind of see that the identity behind the actions that were taken is kind of blurred out, but we're going to make the most out of it and hunt for them.

Now we know what cloud logs are, we know the cons of them; where can you find them? The first example is in AWS: you can access them through the event history, and you can access them through the CLI using the CloudTrail LookupEvents API. Moving down further to Azure, you can access them through the activity log on the Azure portal. Cool, you know where to find them. Now let's go to the most important part, the cloud attacks in the wild. During the past years we've seen an increased activity of threat actors like LUCR-1, also called GUI-vil, or LUCR-3, Scattered Spider, Roasted 0ktapus, they are the same, and detecting the presence of these threat actors in the cloud environment has posed a significant challenge for the security teams. Even though we offered lots of tips and tricks with our blogs and threat briefings, we've decided to take it to the next level and actually publish an open source tool that acts like a cyber detective on your cloud environment. Without further ado, we are presenting Cloud Grappler, which is an open-source threat detection framework that has only one single purpose, and that's catching bad guys in your cloud environment and bringing them to your attention.

Why Cloud Grappler? It's a silly name, it's a complicated one, I even misspelled it, and lots of native English speakers do that too. So we're going to start with the most important thing, or the basic one, which is grep, and it's funny that if you translate grep to Albanian, the hook in Albanian is called a grep, and it has one purpose, and that's grabbing fish. But we are not hunting for fish over here, we're hunting for bad guys, specifically in the cloud environment. But how is cloud related over here? There's another command in Linux, which is the grep command, which has the purpose of doing a regular expression on whatever you pipe into it. Turn it down to the cloud section: we have the cloudgrep open source tool, which essentially does one thing, grepping through cloud storage, and having cloudgrep plus the Permiso intel to know what to look for in your environment, we have Cloud Grappler, which was released one month ago.

Now let's go to the key features of this tool. The first one is threat actor querying, so this tool specializes in querying for malicious activity in your cloud environment that is demonstrated by the most notorious threat actors: you query for your data in logs and you see if they match with our TTPs. A TTP is a tactic, technique or procedure that is performed by a threat actor. Until now Cloud Grappler has 60 TTPs and is constantly being updated by our team with the latest intel that we find. Going down further we have the single event detection, where this tool excels in querying for high-fidelity and single-event detections across both AWS and Azure environments. Here I presented some examples of single event detections in both AWS and Azure. And the last thing is the integration with cloudgrep, which I mentioned, so we're using the robust capabilities of this tool and wrapping it up with our TTPs.

But how does Cloud Grappler work? First we have the scope selector, where we are defining the scope of your scanning, so you can define two cloud services, AWS and Azure. Going down to the AWS part, you can define the bucket and the prefix, but if you go further down you can see a bucket that has no prefix, so you can search for a specific resource or you can go to a broader one, and that depends on how much time you have for the scanning. Also the Azure one, where you can define the account name and the container you want to query. This is the query selector: the query.json file is the file that has the TTPs predefined by us, and as you can see, every TTP has a name, has a source of AWS or Azure, has the intel, which tells which actor is known for this TTP, the severity and a short description about it. And last, upon completion of the scan from Cloud Grappler, a report is generated in JSON format, and we're going to talk about it later in the tool demo.

And last is the tool demo. So now, starting, we're going to change the data_sources.json file, where we're going to append our scope of the scanning. We're starting with only AWS, where we are adding the bucket, the prefix you want to scan, and another bucket which has no prefix at all. Now let's go to the CLI part. We're going to be running the help command to see what features Cloud Grappler has to offer, and as you can see there are many flags that the user can append in order to make this work. We're going to start with the most simple one, which is just running the main.py function, and what this tool does after hitting enter is checking if there are any new updates on the repository for any new TTPs, and if the current project that you have is outdated it's going to perform a git pull action to get the latest version of this tool. So the tool has started scanning. We can see on the red lines that it is checking for hits in the bucket that we added and the prefix, and it's checking for all of the following queries over here that are tied to the AWS service. On the green part we can see that we found one hit about GetFileDownloadUrls, which is an event in AWS, and appended at the back of it, it has a secret value, which says if a file contains "secret" in the file name, mark it as a hit. And on the other bucket we see that no hits were found; that's good news.

Now we're going to start and explore more about the tool. We're going to add the --permiso-intel flag, which essentially adds some additional data about the query that is being run, also the start date and the end date, which essentially do what they say: it's looking for a timeline that you give as an input, and that's a really cool feature if you want to scan only a certain period of your logs. So we should be hitting enter now, and this essentially will give the same results but adding the Permiso intel. So going further up we can see that for the first query we're adding the threat actor that this query is tied to, we have the severity and also a short description about this event and the damage it could do if it is misused by a threat actor. Going further down we see that the scanning is completed and we have the same results.

Cool, let's add the -j flag, which is the report generator, or, say, does a JSON output of all your findings. So we're going to hit enter, we're going to see the same results, and after the scanning is finished we're going to see the report structure of the scanning. Cool, let's do a tree command on the reports folder and we can see the hierarchy of the reports, where it has a timestamp of when you started running the tool, it has the bucket, the prefix and the file name in JSON format if there was a hit.

Cool, we have three main takeaways from our presentation. Threat actors continue to target cloud environments for various purposes, financial ones, political. Always configure the necessary cloud logging options for retention, forwarding and querying capabilities that are required to detect and analyze the special logs. And the most important one, use Cloud Grappler, which is a brand new open source threat detection framework where you can find the potential presence of bad guys in your environment. Thanks everyone for your attention.

Great, thanks Andi. Do we have any questions? That was a great presentation. We're going to give a shout out to Daniel if he's watching us, and to Permiso, thank you guys for doing an awesome job. There was a question on this side.

Thank you for the presentation. Also, I think it's really awesome that you made the tool open source. My question is, do you plan on expanding the tool to work with Google Cloud as well?

Actually that's a great question. Ian Ahl, shout out to him also, has said that the next steps are adding more TTPs and actually having coverage on GCP, so yes, my answer is yes, we will.

Okay, any other question? Do I see any hands up? No. Thank you so much and good luck with everything that you guys have going, and we look forward to seeing other tools. Thank you.
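The workflow the talk walks through (TTP entries carrying a name, source, intel, severity and description, grepped over cloud log records inside an optional start/end date window, with hits written to a JSON report) reduced to a small Python sketch. This is an added example, not Cloudgrappler's or cloudgrep's code; the TTP regexes, the actor attributions, the log records and the simplified one-record-per-line log shape are all constructed assumptions made here.

```python
import json
import re
from datetime import datetime, timezone

# Constructed TTP entries with the query.json fields named in the talk (name, source,
# intel, severity, description) plus a regex each; actor names are placeholders, not Permiso intel.
TTPS = [
    {"name": "GetFileDownloadUrls on secret-named file", "source": "aws",
     "intel": "EXAMPLE-ACTOR (placeholder)", "severity": "high",
     "description": "Download URL requested for a file whose name contains 'secret'.",
     "pattern": r'"eventName": ?"GetFileDownloadUrls".*[Ss]ecret'},
    {"name": "Azure role assignment write", "source": "azure",
     "intel": "EXAMPLE-ACTOR (placeholder)", "severity": "medium",
     "description": "Role assignment created, as seen in the activity log.",
     "pattern": r'"operationName": ?"Microsoft\.Authorization/roleAssignments/write"'},
]

# Constructed, simplified log (one JSON record per line); not real CloudTrail output.
SAMPLE_LOG = """\
{"eventTime": "2024-08-10T02:15:00Z", "eventName": "GetFileDownloadUrls", "requestParameters": {"fileName": "prod-secrets.env"}}
{"eventTime": "2024-08-10T02:16:00Z", "eventName": "ListBuckets", "requestParameters": {}}
{"eventTime": "2024-07-01T09:00:00Z", "eventName": "GetFileDownloadUrls", "requestParameters": {"fileName": "secret-backup.zip"}}
"""

def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def grep_ttps(log_text, ttps, source, start=None, end=None):
    """Grep every TTP regex for the given source over each record, keeping only
    records inside [start, end], like the start/end date flags shown in the demo."""
    hits = []
    for line in log_text.splitlines():
        when = parse_time(json.loads(line)["eventTime"])
        if (start and when < start) or (end and when > end):
            continue
        for ttp in ttps:
            if ttp["source"] == source and re.search(ttp["pattern"], line):
                hits.append({"ttp": ttp["name"], "severity": ttp["severity"],
                             "intel": ttp["intel"], "event_time": when.isoformat()})
    return hits

def build_report(bucket, prefix, hits):
    """Report shaped like the one the demo shows: scan timestamp, bucket, prefix, hits."""
    return json.dumps({"scanned_at": datetime.now(timezone.utc).isoformat(),
                       "bucket": bucket, "prefix": prefix, "hits": hits}, indent=2)

if __name__ == "__main__":
    print(build_report("example-bucket", "AWSLogs/", grep_ttps(SAMPLE_LOG, TTPS, "aws")))
```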