SkyArk is a cloud security project with two main scanning modules:
These two scanning modules will discover the most privileged entities in the target AWS and Azure.
The Main Goal – Discover The Most Privileged Cloud Users
It currently focuses on mitigating the new threat of Cloud Shadow Admins, and helps organizations to discover, assess and protect cloud privileged entities.
Stealthy and undercover cloud admins may reside in every public cloud platform and SkyArk helps mitigating the risk in AWS and Azure.
In defensive/pentest/risk assessment procedures – make sure to address the threat and validate that those privileged entities are indeed well secured.
Background
SkyArk deals with the new uprising threat of Cloud Shadow Admins – how attackers can find and abuse non-trivial and so-called “limited” permissions to still make it through and escalate their privileges and become full cloud admins.
Furthermore, attackers can easily use those tricky specific permissions to hide stealthy admin entities that will wait for them as an undercover persistence technique.
SkyArk was initially published as part of our research on the threat of AWS Shadow Admins, this research was presented at RSA USA 2018 conference.
The AWS Shadow Admins blog post:
https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/
The recording of the RSA talk:
About a year later, we added the AzureStealth scan to SkyArk for mitigating the Shadow Admins threat in Azure!
Tool Description
It currently contains two main scanning modules AWStealth and AzureStealth.
With the scanning results – organizations can discover the entities (users, groups and roles) who have the most sensitive and risky permissions.
In addition, we also encourage organizations to scan their environments from time to time and search for suspicious deviations in their privileged entities list.
Potential attackers are hunting for those users and the defensive teams should make sure these privileged users are well secured – have strong, rotated and safety stored credentials, have MFA enabled, being monitored carefully, etc.
Remember that we cannot protect the things we don’t aware of, and SkyArk helps in the complex mission of discovering the most privileged cloud entities – including the straight-forward admins and also the stealthy shadow admins that could easily escalate their privileges and become full admins as well.
Discover the most privileged users in the scanned Azure environment – including the Azure Shadow Admins.
How To Run AzureStealth?
The full details are in the AzureStealth’s Readme file:
https://github.com/cyberark/SkyArk/blob/master/AzureStealth/README.md
In short:
(1) Import-Module .\SkyArk.ps1 -force
(2) Start-AzureStealth
AzureStealth needs only Read-Only permissions over the scanned Azure Directory (Tenant) and Subscription.
*You can also run the scan easily from within the Azure Portal by using the built-in CloudShell:
(1) IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1’)
(2) Scan-AzureAdmins
AzureStealth DEMO
Discover the most privileged entities in the scanned AWS environment – including the Azure Shadow Admins.
How To Run AWStealth?
The full details are in the AWStealth’s Readme file:
https://github.com/cyberark/SkyArk/tree/master/AWStealth
In short:
(1) Import-Module .\SkyArk.ps1 -force
(2) Start-AWStealth
AWStealth needs only Read-Only permissions over the IAM service of the scanned AWS environment.
AWStealth DEMO:
Quick Start
garak checks if an LLM can be made to fail in a way we don't…
Vermilion is a simple and lightweight CLI tool designed for rapid collection, and optional exfiltration…
ADCFFS is a PowerShell script that can be used to exploit the AD CS container…
Tartufo will, by default, scan the entire history of a git repository for any text…
Loco is strongly inspired by Rails. If you know Rails and Rust, you'll feel at…
A data hoarder’s dream come true: bundle any web page into a single HTML file.…