Introduction
Welcome to Break The Cloud.
Here you will find resources (books, articles, tools, commands, attacks, defenses, etc.) to protect cloud environments. This website is a work in progress, so keep checking in every now and then. To contribute, please send a direct message via Twitter to @yaksas443.
Cloud Security Standards and Frameworks
- CSA Cloud Controls Matrix (CCM)
- OWASP Cloud Top 10 2017
- OWASP Cloud Native Security Top 10
- ISO/IEC 27017:2015
Books
General cloud security
- Practical Cloud Security by Chris Dotson
- Enterprise Cloud Security and Governance by Zeal Vora
- Cloud Native Security by Chris Binnie, Rory McCune
- Cloud Security Automation by Prashant Priyam
- CCSP Certified Cloud Security Professional All-in-One Exam Guide by Daniel Carter
- CCSK Certificate of Cloud Security Knowledge All-in-One Exam Guide by Graham Thompson
Azure security
- Penetration Testing Azure for Ethical Hackers - Book Review
- Pentesting Azure Applications by Matt Burrough - Book Review
- Microsoft Azure Security Technologies Certification and Beyond
AWS Security
- Hands-On AWS Penetration Testing with Kali Linux by Karl Gilbert, Benjamin Caudill
- AWS Penetration Testing by Jonathan Helmus
Trainings
Azure
- Introduction to Azure Penetration Testing - Free (Registration required)
Articles
Azure
Title | Short Description |
---|---|
Attacking Azure, Azure AD, and Introducing PowerZure | A quick overview of Azure and introduction to PowerZure |
Azure AD introduction for red teamers | Exploiting PHS |
Azure AD Connect for Red Teamers | Exploiting PHS and PTA |
Azure AD Pass The Certificate | Exploiting Azure P2P Certificates |
Detecting privilege escalation with Azure AD service principals in Microsoft Sentinel | Talks about Azure service principal privilege escalation techniques and defenses. |
Lateral Movement with Managed Identities of Azure Virtual Machines | Azure Managed Identities deep-dive and lateral movement to Key Vaults, Storage accounts and Azure VMs |
What I have learned from doing a year of Cloud Forensics in Azure AD | Threat hunting in Azure and Microsoft 365 |
Exfiltrating data by transfering it to the cloud with Azcopy | Using Azure Storage accounts for data exfiltration |
Everything about Service Principals, Applications, and API Permissions | As the title says. |
Malicious Azure AD Application Registrations | Using Azure Apps to grab OAuth token via phishing |
Azure SAS Tokens for Web Application Penetration Testers | Describes the anatomy of a Shared Access Signature (SAS) token and ways to exploit SAS tokens with weak permissions. |
New Azure Active Directory password brute-forcing flaw has no fix | Describes exploiting an Azure AD feature (autologon) to launch an undetected brute-force attack. |
Illogical Apps – Exploring and Exploiting Azure Logic Apps | Exploiting Logic Apps and API Connections. |
Talks and Videos
Azure
- Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)
- I’m in your cloud, reading everyone’s emails - hacking Azure AD via Active Directory
  - Summary: Talks about PHS and extracting ADConnect credentials (mcrypt.dll, registry, DPAPI; discovering the crypto parameters, decrypting with them and extracting the clear-text password). Using ADConnectionDump (custom tool) to extract ADConnect credentials remotely. Running DCSync with the credentials of the AD sync account. Hunting Azure AD admins using the AAD PowerShell and MSOnline modules. Syncing an AAD account to an on-premises account using SMTP matching. Using this access to assign privileges to read mailboxes (fixed by MS, does not work anymore). Privilege escalation via the Azure Application Admin role and application permissions. Abusing Seamless SSO to compromise Azure AD if Active Directory is already compromised. Configuring constrained delegation on the Azure SSO account to enable an attacker-controlled account to impersonate any Azure AD user using Kerberos (if MFA is not enabled).
Blogs
Azure
Tools
Multi-cloud
Information Gathering
Azure
Information Gathering
- o365Creeper
- Blob Hunter
- Get-MsolRolesAndMembers.ps1
- AzureHound
- o365Recon
- CrowdStrike Reporting Tool for Azure
- MFASweep
- Storm Spotter