New AWS vulns! We found more ways to bypass AWS CloudTrail! We also describe methods Penetration Testers and Red Teamers can use to evade detection in AWS environments!
securitylabs.datadoghq.com/articles/non-p… First, let's talk about silent permission enumeration. You know how threat actors steal AWS creds and then immediately spam a bunch of API calls looking for what they can access? That's great for defenders because it's fairly apparent when it occurs. We've found a way around that

It's a beautiful Sunday, so let's chat about hacking AWS environments! In this thread, I want to talk about an interesting quirk with Amazon Cognito, demo why least privilege is the most important thing in the cloud, and emphasize that mitigations aren't always enough. A 🧵 For the demo we have an Identity pool which supports guest access and has a user pool attached for authenticated access. The Identity pool does NOT have the classic flow enabled, and the user pool does NOT allow registration (this is important later).

As someone involved in the AWS offsec space, I want to share why I strongly do NOT recommend the HackTricks AWS Red Team Expert course. The author of it is a plagiarist, stealing content from other creators and is directly profiting off of it through sponsorships. A 🧵 The nature of the plagiarism depends per article. Sometimes it's entirely copy-pasted from another source. Sometimes it's only a couple paragraphs. Sometimes there is a "reference" (a link at the bottom of the page where it was copied from), but that hardly fits the meaning.

Today is an interesting day! I read a report about a threat actor, and for once I'm impressed! This is the first I can remember in which a TA has displayed NEW tradecraft, before researchers have shared it widely. Let's review in this 🧵
invictus-ir.com/news/the-curio… Okay, starting off rough. There was an access key that was exposed that had AdministratorAccess. This happens way too frequently and is always a major risk. Security Teams: Delete these keys and these IAM users! They are a major risk to you. Let's see what the TA does with this

As security researchers, we don’t often discuss failed research projects. While it may be a bit embarrassing to not succeed, there are still lessons learned from the project. In this thread, I’d like to share research I’ve been doing on-and-off on identifying AWS honeytokens. 🧵 (Side note before diving in: If you do find a way around this, I would love to feature your work on Hacking the Cloud)

Thinkst (who I love btw) has a great post about attackers targeting AWS API keys. I'd like to expand on this a bit and discuss a technique not mentioned in the post (but it is on Hacking the Cloud) 1/x hackingthe.cloud/aws/enumeratio…

https://twitter.com/ThinkstCanary/status/1490749432970850310

Please note: I'm not focusing on the CanaryToken product itself. Instead I'll be describing validating regular stolen AWS credentials.

Tremendous news everyone (in offsec)! There's a bypass for the new GuardDuty InstanceCredentialExfiltration finding! It's via VPC endpoints! (I caution this is with limited testing) So it looks like you can steal IAM credentials from a EC2 instance and then you can create your own EC2 but stick it in a private subnet along side a ton of VPC Endpoints (to be clear this is still remarkably painful and annoyting, but at least for now it wont show in GuardDuty

So uhh, someone managed to foil my plan of going to bed early tonight. I got a notification to my personal email that I successfully registered a Cloudflare account......I don't use Cloudflare. Join me in my journey to figure out what happened... This had me scrambling. Why would someone register a Cloudflare account in my name? What would someone get out of doing this? Did I accidentally do this? What do I know about Cloudflare? Is this phishing? (Couldn't be phishing, this is a terrible pretext. Domains checked out).