4/24 KPMG + Permiso LUCR-3 (Scattered Spider) Threat Briefing

REGISTER NOW
Illustration Cloud

Introducing CloudGrappler: A Powerful Open-Source Threat Detection Tool for Cloud Environments

Introduction

With the increased activity of threat actor groups like LUCR-3 (Scattered Spider) over the last year, being able to detect the presence of these threat groups in cloud environments continues to present a significant challenge to most security teams. While we have shared a lot of tips on detecting and hunting for cloud threat actors in previous blogs and briefings, we wanted to take it a step further and offer teams an open-source tool that will help them detect these threat actors in their cloud environments.

Introducing CloudGrappler

CloudGrappler is an open-source tool that is purpose-built for querying high-fidelity and single-event detections related to well-known threat actors in popular cloud environments such as AWS and Azure. Leveraging the capabilities of cloudgrep, developed by Cado Security, the tool queries activity in cloud environments that match known Tactics, Techniques, and Procedures (TTPs) of modern cloud threat actor groups. It’s like a cyber detective for activity in your AWS and Azure environments to find suspicious and malicious activity that are often missed or ignored in a flood of alerts.

Key Features

Threat Actor Querying

CloudGrappler specializes in querying for activity demonstrated by some of the most notorious threat actors in the cloud. Based on subset activity from Permiso’s library of hundreds of detection, It helps organizations detect threats targeting their cloud infrastructure.

Single-Event Detections

This open-source tool excels in detecting and analyzing single events and offers a granular view of potential security incidents lurking in your AWS and Azure environments. This gives security teams the ability to identify specific anomalies quickly and easily.

Integration with cloudgrep

Leveraging the robust capabilities of cloudgrep, CloudGrappler enhances its threat detection by incorporating a set of TTPs observed in the modern threat landscape and actual cloud environments.

How CloudGrappler Works

Scope Selector 

CloudGrappler features an integrated data_sources.json file that provides users with an easy-to-use interface to define the scope of their scanning. Within this file, users can specify the parameters for what and where they want to scan or have the option to do a comprehensive scan across both AWS and Azure environments. Users have the ability to scan specific resources within their environment or cast a wider net to include a broader range of cloud infrastructure services. Scan as little or as much as you want.


CloudGrappler-Scope-Selection

Query Selector

CloudGrappler includes a queries.json file which includes predefined TTPs commonly used by threat actors. Each line in the queries.json file includes the query's name, its source (AWS or AZURE), and a source modifier. Users can modify the source to a wildcard character (*) to scan the corresponding query across both AWS and Azure environments. Furthermore, users have the ability to add custom queries to the file or scan across other, multiple files.


Report Generator

Upon completion of the scanning process, CloudGrappler delivers a comprehensive report in a JSON format. The report hierarchically provides a detailed breakdown of the scan results. The hierarchy includes information such as the cloud platform (e.g., AWS), timestamp (2024-01-08 01:38 AM), specific resources (e.g., test-bucket), and additional details like prefixes or filenames (e.g., prefix/GetFileDownloadUrls.*secrets_json). These reports offer a easy to read, granular details of the findings to enable security team to address them as quickly as possible.


Use Examples

Help -h

|   python3 main.py -h

usage: main.py [-h] [-jo] [-f ADD_FILE] [-p] [-q QUERY] [-s SOURCE_TYPE] [-sd START_DATE] [-ed END_DATE] [-fs FILE_SIZE]

Process data.

options:
  -h, --help                      Show this help message and exit
  -jo, --json_output    Write output to a json file.
  -f ADD_FILE, --add_file ADD_FILE
                                              Add new queries json file.
  -p, --permiso_intel  Output permiso intel.
  -q QUERY, --query QUERY
                                              Add query/ies
  -s SOURCE_TYPE, --source_type SOURCE_TYPE
                                              Add source type to query for
  -sd START_DATE, --start_date START_DATE
                                               Optionally filter on Objects modified after a Date or Time. E.g. 2022-01-01
  -ed END_DATE, --end_date END_DATE
                                               Optionally filter on Objects modified before a Date or Time. E.g. 2022-01-01
  -fs FILE_SIZE, --file_size FILE_SIZE
                                               Optionally filter on Objects smaller than a file size, in bytes. Defaults to 100 MB. 

Querying for Threat Activity

Before being able to scan your environment, you will need to first define the scope of what you will be scanning in the data.sources.json file. Users have the flexibility to define the scope based on their specific cloud infrastructure configuration. The following example showcases a structured data_sources.json file for both AWS and Azure environments:

CloudGrappler-Threat-Query

|   python3 main.py 

Gather Threat Intelligence

In addition to detecting suspicious and malicious activity in your environment CloudGrappler output provides teams with additional intelligence based on the events it’s detecting to provide teams with a deeper understanding of the potential risk in their environment.

This additional context provides security professionals with threat intelligence for modern to advanced threat actors and helps them develop more comprehensive targeted response strategies.

  • -p ⇒ permiso_intel

|   python3 main.py -p

CloudGrappler-Threat-Intel

[+] Running GetFileDownloadUrls.*secrets_ for AWS 
[+] Threat Actor: LUCR3 
[+] Severity: MEDIUM 
[+] Description: Review use of CloudShell. Permiso seldom witnesses use of CloudShell outside of known attackers.This however may be a part of your normal business use case. 

------------------------------------------------------------------------------------------------------------------------------
[+] Running s3_secret for AZURE 
[+] TTP: LUCR3 
[+] Severity: MEDIUM 
[+] Description: Typical query searched by LUCR3 Threat Actor 

------------------------------------------------------------------------------------------------------------------------------
[+] Running DisassociateFromMasterAccount for AWS 
[+] Threat Actor: LUCR3 
[+] Severity: MEDIUM 
[+] Description: An attacker exploiting the DisassociateFromMasterAccount eventName might gain unauthorized access, escalate privileges, disrupt operations, manipulate or steal data, and potentially impersonate legitimate entities within the system. 

------------------------------------------------------------------------------------------------------------------------------
[+] Running EnableSerialConsoleAccess for AWS 
[+] Threat Actor: LUCR3 
[+] Severity: MEDIUM 
[+] Description: An attacker could potentially leverage 'EnableSerialConsoleAccess' to bypass regular security measures and gain unauthorized entry or control over a system through direct access to its serial console.

(Snippet from running the tool with Permiso threat intel provided)

Filtering logs based on date or time

You can filter on Objects modified before or after a specified date or time

  • -sd ⇒ START_DATE
  • -ed ⇒ END_DATE

 python3 main.py -p -sd 2024-02-15 -ed 2024-02-16

Adding custom queries and data source types

CloudGrappler provides the ability to add custom queries and data sources to scan for.

In this example we’re scanning for two queries and appending the wild character inside the source type. This means the tool will check for hits on both cloud environments specified in the data_source.json file.

  • -q ⇒ QUERY
  • -s ⇒ SOURCE_TYPE

 python3 main.py -q “GetFileDownloadUrls.*secret”, ”UpdateAccessKey” -s ‘ * ‘

Generate Reports

Below is an example of the report generated in a json format containing the scan results and Permiso’s intel related to those events.

  • -p ⇒ permiso_intel
  • -jo ⇒ json_output

 python3 main.py -p -jo

reports
└── json
    ├── AWS
    │   └── 2024-01-16 01:01 AM
    │       └── aws-cloudtrail-logs--
    │           └── testTrails_AWSLogs
    │               └── GetFileDownloadUrls.*secrets_.json
    └── AZURE
        └── 2024-01-16 01:01 AM
            └── storagetest
                └── cloudgrepping
                    └── andi.ahmeti@permiso.io.json

You can get CloudGrappler on GitHub: https://github.com/Permiso-io-tools/CloudGrappler 

Illustration Cloud

Related Articles

Introducing Cloud Console Cartographer: An Open-Source Tool To Help Security Teams Easily Understand Log Events Generated by AWS Console Activity

Introduction While most cloud CLI tools provide a one-to-one correlation between an API being invoked and a single corresponding API event being generated in cloud log telemetry, browser-based interactive console sessions differ profoundly across

An Adversary Adventure with Cloud Administration Command

Introduction As the cybersecurity landscape rapidly evolves, organizations are implementing multi-cloud solutions to advance their digital transformation initiatives. On the other hand, threat actors are unrelenting in developing sophisticated

Azure Logs: Breaking Through the Cloud Cover

Permiso consistently observes that engineers and analysts often struggle with interpreting Azure Monitor Activity Logs, facing confusion and achieving only a partial understanding even after gaining experience. To address this, Permiso aims to level

View more posts