Cyber security

CloudGrappler – Elevating Cloud Security In AWS And Azure

CloudGrappler is a purpose-built tool designed for effortless querying of high-fidelity and single-event detections related to well-known threat actors in popular cloud environments such as AWS and Azure.

Notes

To optimize your utilization of CloudGrappler, we recommend using shorter time ranges when querying for results.

This approach enhances efficiency and accelerates the retrieval of information, ensuring a more seamless experience with the tool.

Required Packages

pip3 install -r requirements.txt

Cloning Cloudgrep Locally

To clone the cloudgrep repository locally, run the clone.sh file. Alternatively, you can manually clone the repository into the same directory where CloudGrappler was cloned.

chmod +x clone.sh
./clone.sh

Input

This tool offers a CLI (Command Line Interface). As such, here we review its use:

Example 1 – Running The Tool With Default Queries File

Define the scanning scope inside data_sources.json file based on your cloud infrastructure configuration. The following example showcases a structured data_sources.json file for both AWS and Azure environments:

Note

Modifying the source inside the queries.json file to a wildcard character (*) will scan the corresponding query across both AWS and Azure environments.

{
  "AWS": [
    {
      "bucket": "cloudtrail-logs-00000000-ffffff",
      "prefix": [
        "testTrails/AWSLogs/00000000/CloudTrail/eu-east-1/2024/03/03",
        "testTrails/AWSLogs/00000000/CloudTrail/us-west-1/2024/03/04"
      ]
    },
    {
      "bucket": "aws-kosova-us-east-1-00000000"
    }

  ],
  "AZURE": [
    {
      "accountname": "logs",
      "container": [
        "cloudgrappler"
      ]
    }
  ]
}

Run command

python3 main.py

Example 2 – Permiso Intel Use Case

python3 main.py -p

[+] Running GetFileDownloadUrls.*secrets_ for AWS 
[+] Threat Actor: LUCR3 
[+] Severity: MEDIUM 
[+] Description: Review use of CloudShell. Permiso seldom witnesses use of CloudShell outside of known attackers.This however may be a part of your normal business use case. 

Example 3 – Generate Report

python3 main.py -p -jo

reports
└── json
    ├── AWS
    │   └── 2024-03-04 01:01 AM
    │       └── cloudtrail-logs-00000000-ffffff--
    │           └── testTrails/AWSLogs/00000000/CloudTrail/eu-east-1/2024/03/03
    │               └── GetFileDownloadUrls.*secrets_.json
    └── AZURE
        └── 2024-03-04 01:01 AM
            └── logs
                └── cloudgrappler
                    └── okta_key.json

Example 4 – Filtering Logs Based On Date Or Time

python3 main.py -p -sd 2024-02-15 -ed 2024-02-16

Example 5 – Manually Adding Queries And Data Source Types

python3 main.py -q “GetFileDownloadUrls.*secret”, ”UpdateAccessKey” -s '*'

Example 6 – Running The Tool With Your Own Queries File

python3 main.py -f new_file.json

Running In Your Cloud And Authentication cloudgrep

AWS

Your system will need access to the S3 bucket. For example, if you are running on your laptop, you will need to configure the AWS CLI. If you are running on an EC2, an Instance Profile is likely the best choice.

If you run on an EC2 instance in the same region as the S3 bucket with a VPC endpoint for S3 you can avoid egress charges. You can authenticate in a number of ways.

Azure

The simplest way to authenticate with Azure is to first run:

az login

This will open a browser window and prompt you to login to Azure.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Install MySQL on Ubuntu 20.04: Setup, Security, and Root Access

MySQL is the most popular open-source relational database management system. It is fast, reliable, and a…

4 hours ago

Install Git on Ubuntu 20.04: Apt, Source, and Configuration

Git is the most widely used version control system in the world. It was created by…

4 hours ago

Install Go on Ubuntu 20.04: Download, Setup, and First Program

Go (also called Golang) is an open-source programming language built by Google. It is designed to…

4 hours ago

Install VS Code on Ubuntu 20.04: Snap Package and Apt Guide

Visual Studio Code (VS Code) is an open-source code editor developed by Microsoft. It is one…

5 hours ago

Install Nginx on Ubuntu 20.04: Setup, Firewall, and Config Guide

Nginx (pronounced "engine x") is an open-source, high-performance web server and reverse proxy. It is used…

5 hours ago

Install Apache on Ubuntu 20.04: Setup and Virtual Host Guide

Apache is one of the most widely used open-source web servers in the world. It is…

1 day ago