Bleon Proko
Security Engineer
Bleon is an infosec enthusiast passionate about Infrastructure Penetration Testing and Security, including Active Directory, Cloud (AWS, Azure, GCP, DigitalOcean), Hybrid Infrastructures, as well as Defense, Detection and Threat Hunting. He has presented at conferences such as BlackHat and BSides on topics related to Cloud Penetration Testing and Security.
His research includes Nebula, a Cloud Penetration Testing Framework (https://github.com/gl4ssesbo1/Nebula), and a number of blog posts, which you can find on his blog (blog.pepperclipp.com).
He is also the author of the upcoming book "Deep Dive into Clouded Waters: An overview in Digital Ocean's Pentest and Security" (https://leanpub.com/deep-dive-into-clouded-waters-an-overview-in-digitaloceans-pentest-and-security).
DetentionDodger: Finding rusted links on the chains of fate
AWSCompromisedKeyQuarantineV2 (v3 was released during the creation of this article) is an AWS managed policy that is attached to identities whose credentials have been leaked. It denies access to certain actions and is applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly. AWS recently modified their public documentation to include the following:
While it is not the intended use of the policy, many see it as the first line of defense for an exposed access key. In fact, we have observed several organizations preemptively assign this policy to sensitive identities to limit actions that can occur.
DetentionDodger was built as a tool to automate the process of enumerating the account for users with leaked credentials and finding out their privileges and the impact they will have on the account.
Breaking free from the chains of fate - Bypassing AWSCompromisedKeyQuarantineV2 Policy
Amazon's AWSCompromisedKeyQuarantineV2 policy is not the panacea it might seem. Join us on an adventure of all the myriad ways to work around this policy, when you discover leaked keys in the wild.
This presentation is a fun, multimedia exploration of all the shortcomings of the AWSCompromisedKeyQuarantineV2 policy that is attached whenever Amazon detects that a key and secret pair have been leaked in the wild. We'll include demos of actual exploitation and color commentary on how this policy and defender strategy can be improved.
Infrastructure Attack as Code: using Terraform to attack the cloud
Terraform is an IaC tool that allows provisioning, managing and deleting infrastructure resources automatically. It is used mostly by DevOps Engineers, as well as Administrators, on both on-prem and cloud infrastructures.
One feature Terraform is best known for is its ability to be extended to allow for different deployments on different providers, using its plugins, which they call Providers. There are providers for GCP, Azure, and even one for Active Directory based infrastructures.
This blog will use one of these providers, the AWS Terraform Provider, to look at what features an attacker can use to enumerate, compromise and persist in an AWS based infrastructure, and how those attacks can be detected.
Trust me, I got this: Dumping LSASS when Debug Privilege is disabled
Dumping LSASS has become one of the goals most penetration testers want to achieve on a machine, and for good reason: LSASS holds a lot of credentials, from NTLM hashes, to cached hashes, to even certificates.
For an attacker to be able to create a memory dump of LSASS, they need to have Local Administrator rights and SeDebugPrivilege, which allows the dump to be created. What happens when an organization has prevented Local Administrators from holding SeDebugPrivilege? Can an attacker do anything?
In this talk, we will be looking at how TrustedInstaller's process ACL can lead to dumping LSASS, even with an identity that is not allowed to. We will be looking at ways to achieve TrustedInstaller access, as well as ways to dump LSASS.
An Overview in Cloud Penetration Testing
With the increase of remote work, the decrease of on-premise application support, and the need for cost efficiency, the cloud is increasingly becoming the environment in which all the services a business needs or offers are implemented. As such, it needs to be secure, especially considering the "it's someone else's computer" fact.
This session will give an overview of how different vendors manage their identities, authentication, privileges and services.
We will see how to do reconnaissance, enumeration, exploitation and post exploitation, persistence and exfiltration of information on AWS, Azure and GCP Cloud Infrastructures.
For reconnaissance, we will start by abusing different "features" in Cloud Vendors to find working services and users:
• AWS and GCP Bucket bruteforce
• Azure Services running by resolving hosts
• Check for Azure usage on a domain
• Fuzz users
• Access open buckets using OSINT
For initial access, we will get started using:
• Password spraying
• Phishing
• Finding credentials on code repositories
• Leveraging RCE and SSRF to access machine identities from meta data
For enumeration, we will start exploiting default privileges and check extra privileges from users:
• Azure default privileges
• Azure Reader, Contributor and Owner Permissions
• AWS User, Groups and Role Policies
• Enumerate virtual machines
• Enumerate Lambda and Azure Functions
For privilege escalation, we will see what privileges the identities have and leverage them to get higher privileges:
• Shadow Admins
• Access to storage
• Credentials in IaC code and User Data
• Privesc using Cloud Functions
For exfiltration, we will leverage our own buckets to collect and exfiltrate information from a target.
For persistence, we will:
• Persist with a custom Container
• Persist with another Access ID
• Persist with Machine User Data
• Persist with IaC
By the end, we will have an idea on how to perform a pentest on cloud infrastructures and what misconfigurations can lead to compromises.
An Overview in Cloud Penetration Testing
With the increase of remote work, the decrease of on-premise application support, and the need for cost efficiency, the cloud is increasingly becoming the environment in which all the services a business needs or offers are implemented. As such, it needs to be secure, especially considering the "it's someone else's computer" fact.
This session will give an overview of how to do reconnaissance, enumeration, exploitation and post exploitation, persistence and exfiltration of information on AWS, Azure and GCP Cloud Infrastructures.
Deep Dive into Clouded Waters - An overview in Digital Ocean's Pentest and Security
Digital Ocean has been around for some time and has given its users a cheap but quite reliable Cloud Platform.
That doesn't mean it's fully secure, or that admins can set it up securely, especially considering that most infrastructure based attacks come from misconfigurations.
In this talk, we'll look at how to attack Digital Ocean's Services, how to abuse them as attack vectors and how to defend against them.
We'll start with Reconnaissance, looking at what services can be found online and where to look for them.
Then, we'll look at how to get access to the Infrastructure, including and not limited to Phishing, Droplet Attacks, App Attacks, Function Attacks, etc.
We'll look at what privileges we can get from different initial access methods and what can be enumerated or abused to get Admin rights.
Privilege Escalation and Lateral Movement come next.
Second to last is Persistence. We'll look at how to persist using what Digital Ocean provides.
And lastly, Exfiltration. We'll get data out and try to do it stealthily.
By the end of it, if you do not get lost, you'll get a better idea on how to "Make Digital Ocean Great Again".
Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets
A successful ransomware attack is the culmination of numerous steps by a determined attacker: gaining initial access to the victim’s environment, identifying sensitive data, exfiltrating sensitive data, encrypting original data, etc.
We can all agree that ransomware is tough. It's hard on the target, but harder for the attacker. The logistics of attacking, storing the data, encrypting it locally, uploading it, and making it as undetectable as possible until they no longer need to: it's a mess.
So, as everybody does these days, they are paying for a Cloud Service to help with it.
This talk will outline how an attacker can abuse the principle of least privilege on KMS keys to encrypt the data in its target's buckets, making them inaccessible.
This talk will also show how a defender can protect against or detect these attacks, rendering them useless.
Nebula: A Case Study in Penetrating Something as Soft as a Cloud
Nebula is a cloud C2 framework which at the moment offers reconnaissance, enumeration, exploitation and post exploitation on AWS, with work still ongoing to allow testing other Cloud Providers and DevOps components.
It started as a project to unify all Cloud + DevOps pentest and security techniques for a better assessment of infrastructures. It is built with modules for each provider and each functionality. As of April 2021, it only covers AWS, but it is an ongoing project and will hopefully continue to grow to test GCP, Azure, Kubernetes, Docker, or automation engines like Ansible, Terraform, Chef, etc.
Nebula - 3 years of kicking butts and taking usernames
Nebula is a Cloud Penetration Testing framework. It is built with modules for each provider and each functionality. It covers AWS, Azure (both the Graph and Management APIs, which includes Entra, Azure subscription based resources and Office365) and DigitalOcean.
Currently covers:
- Public Reconnaissance
- Phishing
- Brute-force and Password Spray
- Enumeration of internal resources after initial access
- Lateral Movement and Privilege Escalation
- Persistence
Ever since I pushed the last update, the tool has changed drastically. Now you get a teamserver based tool, with a client and server split, authentication to access the tool, user management, and a MongoDB database to save the results in.
BlackHat Asia 2025 Upcoming
Wild West Hack Fest Mile High 2025 Upcoming
SANS HackFest Hollywood 2024
Breaking free from the chains of fate - Bypassing AWSCompromisedKeyQuarantineV2 Policy
BSidesNYC 0x04 Sessionize Event
Security BSides Albuquerque Sessionize Event
Security BSides Athens 2024 Sessionize Event
BSides Prishtina 2024 Sessionize Event
BSides Tirana 2023 Sessionize Event
BSides Prishtina 2023 Sessionize Event
BSides Tirana 2022 Sessionize Event
BSides Prishtina 2022 Sessionize Event