Cloud

🔏
s0cm0nkey's Security Reference Guide
Search…
All of the Best Links and Resources on Cyber Security.
Cyber Intelligence
Red - Offensive Operations
Red - Web App Hacking
Blue - Defensive Operations
Blue - DFIR: Digital Forensics and Incident Response
Yellow - NetEng/SysAdmin
Cloud
Containers
Logging and Security Architecture
Yellow - Code and CLI
Grey - Privacy/TOR/OPSEC
Training and Resources
Cloud
General Cloud
Cloud Basics and design
​Cloud Computing for Science and Engineering - Ian Foster, Dennis B. Gannon (🚧 in process)
​Cloud Design Patterns​
​Designing Distributed Systems (account required)
​Multi-tenant Applications for the Cloud, 3rd Edition​
Cloud Security and Hardening
​SANS Cloud Security Checklist - Best practices and references for hardening your cloud infrastructure.
​https://cloudsecdocs.com/ - Great page with tons of detail on cloud and container security
​https://cloudsecwiki.com/ - Handy page with a few resources and hardening tips for cloud deployments.
Cloud Pen Testing
​https://github.com/CyberSecurityUP/Awesome-Cloud-PenTest - Huge collection of different offensive cloud tools and resources.
​https://hackingthe.cloud/ - Solid resource for cloud pentesting methodology and tooling.
Hacking: The next generation - Cloud Insecurity: Sharing the cloud with your enemy, pg. 121
Multi-Cloud Tools
Enumeration and Auditing
​cloud-enum - enumerates public resources matching user requested keywords in public clouds
​ScoutSuite - Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
​https://www.youtube.com/watch?v=k8CQhvQAu7E​
​SkyArk - SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS
​PMapper - Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS.
​gitoops - GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls.
​cloudbrute - This package contains a tool to find a company (target) infrastructure, files, and apps on the top cloud providers
​https://0xsha.io/posts/introducing-cloudbrute-wild-hunt-on-the-clouds​
Offensive Frameworks
​ cloudsploit - CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.
​serverless-prey - Serverless Prey is a collection of serverless functions (FaaS), that, once launched to a cloud environment and invoked, establish a TCP reverse shell, enabling the user to introspect the underlying container:
​Panther: AWS Lambda written in Node.js
​Cougar: Azure Function written in C#
​Cheetah: Google Cloud Function written in Go
canvas.png
723KB
Image
Azure - The Microsoft Cloud Environment
Basics
Reference Docs
​https://github.com/MicrosoftDocs/azure-docs​
​https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement - Azure Pentesting Rules of Engagement
​https://azurerange.azurewebsites.net/ - Azure IP Ranges
 https://www.cloudconformity.com/knowledge-base/azure/ - Azure Best Practices
​https://github.com/AzureAD/Deployment-Plans​
Resource Collections
​https://github.com/kmcquade/awesome-azure-security​
​https://github.com/Azure/Azure-Network-Security​
Azure Vulnerabilities
​https://rhinosecuritylabs.com/cloud-security/common-azure-security-vulnerabilities/​
​Azure Security Vulnerabilities and Pentesting | Rhino Security Labs 
​Top 20 Microsoft Azure Vulnerabilities and Misconfigurations - InfosecMatter 
Azure Tasks
​https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#search-the-audit-log​
​https://gcits.com/knowledge-base/enabling-unified-audit-log-delegated-office-365-tenants-via-powershell/​
​https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype​
​https://www.codetwo.com/admins-blog/how-to-export-office-365-mailboxes-to-pst-using-ediscovery/​
Azure Training
​The Developer’s Guide to Azure - Great free traing from Microsoft
​Awesome Azure Learning: numerous references for Azure learning, especially for the Azure Certs, Azure Architecture, and any other learning materials e.g. Security topics. ​
​​
​https://microsoftlearning.github.io/AZ500-AzureSecurityTechnologies/​
​Azure AZ 500 Study Guide: Study Guide for the Microsoft Azure Security Technologies Exam. ​
​​
​Azure AZ 500 Labs by Microsoft: Study Guide for the Microsoft Azure Security Technologies Exam. ​
​​
​Breaking and Pwning Apps and Servers on AWS and Azure: Course content, lab setup instructions and documentation of our very popular Breaking and Pwning Apps and Servers on AWS and Azure hands on training. ​
​​
​Learn Azure in a Month of Lunches - Iain Foulds (PDF)
​Azure for Architects, Third Edition (PDF) (email address or account required)
​Azure Functions Succinctly, Syncfusion (PDF, Kindle) (email address requested, not required)
Azure CLI
​https://docs.microsoft.com/en-us/cli/azure/​
​https://github.com/ferhaty/azure-cli-cheatsheet​
Operator Handbook: Azure CLI - pg. 39
Misc Azure Commands
Find if target org has Azure AD
Insert the username of your target in the URL below.
​https://login.microsoftonline.com/[email protected]<victimorganization>.onmicrosoft.com&xml=1​
Azure AD
​https://docs.microsoft.com/en-us/azure/active-directory/​
​Attacking & Defending the Microsoft Cloud​
Sentinel - The Azure SIEM
​What is Azure Sentinel? | Microsoft Docs 
​Azure Sentinel – Cloud-native SIEM | Microsoft Azure 
​What's New: PowerShell+Azure Sentinel notebooks to supercharge your hunting and investigations! - Microsoft Tech Community 
​PowerShell Gallery | AzSentinel 0.6.8​
​https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries​
​https://github.com/Azure/Azure-Sentinel-Notebooks​
Azure Defender
​Overview of Azure Defender and the available plans | Microsoft Docs 
​Azure Defender | Microsoft Azure Detecting Microsoft 365 and Azure Active Directory Backdoors | FireEye Inc 
​Azure Security Basics: Log Analytics, Security Center, & Sentinel – Defensive Origins 
​https://github.com/Azure/Microsoft-Defender-for-Cloud​
Azure Pentesting Guides
​https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md - Huge collection of tools, commands, and methodology.
​https://pentestbook.six2dez.com/enumeration/cloud/azure - Great personal gitbook with tools, commands and steps for enumerating and exploiting Azure.
​https://github.com/LennonCMJ/pentest_script/blob/master/Azure_Testing.md - Guide and reference documents for testing Azure security.
Attacking Azure AD
​AZURE AD INTRODUCTION FOR RED TEAMERS​
​I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Directory​
​Utilizing Azure Services for Red Team Engagements​
​Blue Cloud of Death: Red Teaming Azure​
​Azure AD Connect for Red Teamers​
​Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure​
​How to create a backdoor to Azure AD​
​https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html​
​Azurehound Cypher Cheatsheet​
​Keys of the kingdom: Playing God as Global Admin​
​https://danielchronlund.com/2022/01/07/the-attackers-guide-to-azure-ad-conditional-access/​
Check for open blobs
​https://www.youtube.com/watch?v=AWhag2K3AS8​
​https://xapax.github.io/security/#attacking_cloud_environment/attacking_azure/check_for_blobs/​
Offensive Techniques
​Abusing Azure AD SSO with the Primary Refresh Token: Most corporate devices have Primary Refresh Tokens - long term tokens stored on your laptop or other AD connected resources - for Single Sign On (SSO) against on-prem and Azure AD connected resources. See Dirk-jan Mollema's blog goes over abusing these tokens, which you can access if you have code execution on a target or on your laptop that is Azure AD joined.
​Attacking Azure Cloud Shell by Karl Fosaaen: Leveraging Azure Cloud Shell storage files with subscription contributor permissions to perform cross-account command execution and privilege escalation.
​Nuking all Azure Resource Groups under all Azure Subscriptions by Kinnaird McQuade(@kmcquade3): How to abuse Azure Resource hierarchy and tenant-wide god-mode Service Principals to nuke an entire Azure environment.
​Privilege Escalation and Lateral Movement on Azure by Hila Cohen (@hilaco10): some techniques for how a red team can gain a foothold in an Azure environment, escalate their privileges, and move laterally inside Azure infrastructure by using the Azure RBAC module and common Azure misconfigurations.
​Privilege Escalation in Azure AD by Jan Geisbauer (@janvonkirchheim): a breakdown of how Azure security principals (aka Enterprise applications) vs application objects (aka application registrations) and their associated permissions can be abused to impersonate an application.
​Privilege Escalation and Lateral Movement on Azure: some techniques for how a red team can gain a foothold in an Azure environment, escalate their privileges, and move laterally inside Azure infrastructure by using the Azure RBAC module and common Azure misconfigurations.
Operator Handbook: Azure_Exploit- pg. 44
Tools
Offensive
Recon and Enumeration
​BlobHunter - An opensource tool for scanning Azure blob storage accounts for publicly opened blobs.
​o365recon - Script to retrieve information via O365 with a valid cred
Exploitation frameworks
​PowerZure - PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.
​Attacking Azure, Azure AD, and Introducing PowerZure – [email protected] 
​https://www.youtube.com/watch?v=AWhag2K3AS8​
​MicroBurst: A PowerShell Toolkit for Attacking Azure - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.
​lava - Microsoft Azure Exploitation Framework
​XMGoat - An open source tool with the purpose of teaching penetration testers, red teamers, security consultants, and cloud experts how to abuse different misconfigurations within the Azure environment. In this way, you learn about common Azure security issues.
Azure AD Exploitation tools
​AADInternals - AADInternals is PowerShell module for administering Azure AD and Office 365
​Stormspotter - Azure Red Team tool for graphing Azure and Azure Active Directory objects 
​ROADtools - ROADtools is a framework to interact with Azure AD.
​adconnectdump - Azure AD Connect password extraction
For Password Spraying
First check if the accounts is valid. https://github.com/LMGsec/o365creeper​
Perform password spraying attack: MailSniper - MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
Defensive
Logging and Alerting
​Azure security logging and auditing: Azure provides a wide array of configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms.
​Azure Security Center - Alerts Reference Guide: This article lists the security alerts you might get from Azure Security Center and any Azure Defender plans you've enabled.
Security Auditing and Hardening
​CRT - Crowdstrike Reporting Tool for Azure: This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments.
​AzureADRecon - AzureADRecon is a tool which gathers information about the Azure Active Directory and generates a report which can provide a holistic picture of the current state of the target environment. 
​ROADTools - ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool.
​azucar - Security auditing tool for Azure environments
​AzureADAssessment - Tooling for assessing an Azure AD tenant state and configuration
DFIR
​AzureHunter - A Cloud Forensics Powershell module to run threat hunting playbooks on data from Azure and O365
​https://www.kitploit.com/2021/11/azurehunter-cloud-forensics-powershell.html?m=1​
​https://azurehunter.readthedocs.io/​
​Sparrow - Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.
​hawk - Powershell Based tool for gathering information related to O365 intrusions and potential Breaches
​https://cloudforensicator.com/​
​DFIR-O365RC - The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise investigations.
​AzureADIncidentResponse - Tooling to assist in Azure AD incident response
AWS - Amazon Cloud Services
Basics 
Reference Docs
​https://docs.aws.amazon.com/​
​https://github.com/awsdocs​
​https://ip-ranges.amazonaws.com/ip-ranges.json - AWS IP Ranges
​amazon-ec2-user-guide - The open source version of the Amazon EC2 User Guide for Linux.
​AWS Well-Architected Framework (PDF, HTML)
​https://github.com/aws-samples/aws-security-reference-architecture-examples​
 Best practices and hardening
 https://www.cloudconformity.com/knowledge-base/aws/ - AWS Best Pratices
​https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html​
Misc Articles
​https://expel.io/blog/finding-evil-in-aws/​
​https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/​
Operator Handbook: AWS Terms- pg. 35
AWS CLI
​https://aws.amazon.com/cli/​
​https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html​
​https://github.com/eon01/AWS-CheatSheet​
Operator Handbook: AWS CLI - pg. 20
AWS Pentesting Guides
​https://aws.amazon.com/security/penetration-testing/​
​https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest.md​
​AWS IAM explained for Red and Blue teams | by Security Shenanigans​
​Penetration Testing Amazon Web Services (AWS) - Rhino Security Labs 
​AWS Penetration Testing Part 1. S3 Buckets - Virtue Security 
​AWS Penetration Testing Part 2. S3, IAM, EC2 - Virtue Security​
​https://pentestbook.six2dez.com/enumeration/cloud/aws​
​https://www.getastra.com/blog/security-audit/aws-penetration-testing/​
Operator Handbook: AWS Tips and tricks- pg. 20
The Hacker Playbook 3: Cloud Recon and Enumeration - pg. 37
AWS Services and their Attack Surfaces
AWS Service
Attack Surface
EC2
EC2 does in fact have a public attack surface similar to traditional physical infrastructure. Vulnerabilities that affect the OS will manifest exactly as they would on their hardware based counterpart. Things start to differ when you deal with anything that interacts with the local network or system. A vulnerability allowing command execution may allow an attacker to move laterally if configured with STS. Access tokens may also be stolen with SSRF vulnerabilities by reaching out to metadata IP addresses. More information: EC2 Pentesting in Depth​
S3
S3 requires careful consideration for bucket-level and object-level permissions. The S3 bucket itself can grant permissions to ‘Everyone’ or ‘Authenticated Users’. The ‘Authenticated Users’ permissions will grant access to all AWS users. Because of this a pentester must check both anonymous permissions as well as semi-public permissions with their own access tokens. More information: S3 Pentesting in Depth​
ELB/ALB
Did you know an ELB can introduce HTTP Request Smuggling? This commonly overlooked configuration can allow attackers to inject requests into other user’s sessions.
SNS/SQS
Misconfigured topics or queues can allow unauthorized users to subscribe to topics or push messages to queues. Testing of this can be done with the AWS CLI.
RDS/Aurora/Redshift
Databases on AWS are relatively straightforward, although a penetration test should check for databases configured with public access.
EBS
EBS volumes can be made publicly available. The AWS CLI can be used to verify if EBS snapshots are publicly accessible.
Cognito Authentication
An AWS pentest should determine if the Cognito configuration is appropriate for intended application behavior. This includes checking for self-signups, and enabling advanced security.
Tools
Offensive Tools
Enumeration and scanning
​Bucket_finder - Tool for finding and exploiting Amazon buckets.
​https://digi.ninja/blog/whats_in_amazons_buckets.php​
​bucket-stream - Find interesting Amazon S3 Buckets by watching certificate transparency logs.
​S3Scanner - Scan for open S3 buckets and dump the contents
Offensive Frameworks
​PACU - Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments.
​https://github.com/RhinoSecurityLabs/pacu/wiki/​
​https://www.kali.org/tools/pacu/​
​https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/​
Operator Handbook: Pacu- pg. 31
​Nimbostratus - Tools for fingerprinting and exploiting Amazon cloud infrastructures.
Operator Handbook: Nimbostratus - pg. 30
​weirdAAL - WeirdAAL (AWS Attack Library)
​https://github.com/carnal0wnage/weirdAAL/wiki​
Defensive tools
​Arsenal of AWS Tools - Tool collection of cloud security researcher Toni de la Fuente
​aws-security-toolbox - The above toolkit but in a portable docker container
​aws-forensic-tools - Forensic toolkit made by the same researcher
Security Assessment and Hardening
​Cloudsplaining - Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
​https://cloudsplaining.readthedocs.io/en/latest/​
​Prowler -  Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. 
​cloudsploit - Cloud Security Posture Management (CSPM)
​cloudmapper - CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
​cloudtracker - CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
​aws-recon - Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata.
​review-security-groups - A small set of scripts to summarize AWS Security Groups, and generate visualizations of the rules.
DFIR
​aws_ir - Python installable command line utility for mitigation of host and key compromises.
​acquire-aws-ec2 - Handy script for capturing EC2 instances in IR scenarios
Threat Hunting
​https://github.com/schwartz1375/aws - Repo for threat hunting in AWS.
AWS Training
​https://www.udemy.com/course/cloud-hacking/​
​https://cloudacademy.com/course/aws-security-fundamentals/introduction-74/​
Gcloud
Guides and Reference
​https://cheatsheet.dennyzhang.com/cheatsheet-gcp-a4​
​https://cloud.google.com/architecture/security-controls-and-forensic-analysis-for-GKE-apps?hl=it​
​https://cloud.google.com/pubsub/docs/quickstart-cli​
​https://support.google.com/cloud/answer/6262505?hl=en - Google rules on pentesting
​https://pentestbook.six2dez.com/enumeration/cloud/gcp​
​https://github.com/irgoncalves/gcp_security​
​https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation​
Hardening - https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster​
Operator Handbook: GCP CLI - pg. 70
Operator Handbook: GCP Exploit - pg. 75
​
​
Yellow - NetEng/SysAdmin
Containers
Last modified 3d ago