{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/gcloud/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["gcloud","azd","gh","aws","kubectl","doctl","oci"],"_cs_severities":["high"],"_cs_tags":["credential-access","cloud","cli","token-harvesting"],"_cs_type":"advisory","_cs_vendors":["Elastic","Google","Microsoft","GitHub","DigitalOcean","Oracle"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting command-line credential harvesting across multiple cloud platforms. Attackers may attempt to steal application access tokens or extract credentials from files by executing specific commands via command-line interfaces (CLIs) for GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, and Kubernetes. This activity is particularly concerning when originating from the same host within a short time frame (e.g., five minutes), potentially indicating automated credential theft. This technique can lead to unauthorized access to cloud resources, data breaches, and lateral movement within cloud environments. Defenders should monitor for suspicious command-line activity involving cloud CLIs and credential access patterns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a shell (cmd.exe, PowerShell, bash, etc.) to execute cloud CLI commands.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to list available credentials or tokens (e.g., \u003ccode\u003eaws configure list\u003c/code\u003e, \u003ccode\u003eaz account list\u003c/code\u003e, \u003ccode\u003ekubectl config view\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to print access tokens for various cloud providers (e.g., \u003ccode\u003egcloud auth print-access-token\u003c/code\u003e, \u003ccode\u003eaz account get-access-token\u003c/code\u003e, \u003ccode\u003egh auth token\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential harvesting commands across multiple cloud platforms within a short timeframe.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the harvested credentials to a remote location.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access sensitive cloud resources and data.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive cloud resources, data breaches, and lateral movement within cloud environments. The impact includes potential data exfiltration, service disruption, and financial loss. The number of affected victims will depend on the scope of the compromised credentials and the attacker\u0026rsquo;s ability to exploit them.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Multi-Cloud CLI Token and Credential Access Commands\u0026rdquo; to your SIEM to detect suspicious command-line activity related to cloud credential harvesting.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eEsql.process_command_line_values\u003c/code\u003e in the rule output to identify the exact commands executed and determine if the activity was legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eCorrelate the detected activity with authentication, Kubernetes audit, and cloud API logs to confirm unauthorized access and misuse of printed tokens.\u003c/li\u003e\n\u003cli\u003eImplement monitoring and alerting for unusual CLI activity originating from user workstations or build servers, focusing on the CLIs mentioned in the Overview section.\u003c/li\u003e\n\u003cli\u003eFollow vendor-specific guidance to revoke compromised credentials, such as revoking tokens and rotating secrets, as outlined in the rule\u0026rsquo;s \u0026ldquo;Response and remediation\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-multi-cloud-cli-token-harvesting/","summary":"This rule detects command-line activity indicative of credential access across multiple cloud platforms (GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, Kubernetes), looking for specific commands used to print or access tokens and credentials, flagging hosts where multiple cloud targets are accessed within a five-minute window, suggesting potential credential harvesting activity.","title":"Multi-Cloud CLI Token and Credential Access via Command-Line Harvesting","url":"https://feed.craftedsignal.io/briefs/2024-01-multi-cloud-cli-token-harvesting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Agent Auditd Manager","EKS","Azure","gcloud","Docker"],"_cs_severities":["high"],"_cs_tags":["credential-access","linux","auditd"],"_cs_type":"advisory","_cs_vendors":["Elastic","Amazon","Microsoft","Google","Docker"],"content_html":"\u003cp\u003eThis detection focuses on identifying unauthorized access to sensitive identity files on Linux systems. It leverages Auditd to monitor file access events and flags processes that are commonly used for copying, scripting, or staging files from temporary directories. The targeted files include Kubernetes service account tokens, kubelet configurations, cloud CLI configurations for AWS, Azure, and Google Cloud, root SSH keys, and Docker configurations. These files are critical for authentication and authorization within the system, and unauthorized access could lead to credential theft, privilege escalation, or lateral movement. This is especially important in cloud environments and containerized deployments where these files are commonly used for managing access to resources. The rule is designed to exclude user home paths to avoid false positives and focus on system-level access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system through various means, such as exploiting a vulnerability or compromising credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a utility like \u003ccode\u003ecp\u003c/code\u003e, \u003ccode\u003ecat\u003c/code\u003e, or \u003ccode\u003ecurl\u003c/code\u003e to access sensitive files such as \u003ccode\u003e/var/run/secrets/kubernetes.io/serviceaccount/token\u003c/code\u003e or \u003ccode\u003e/root/.ssh/id_rsa\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAuditd logs the file access event, capturing details about the process, user, and file path.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the suspicious process based on its name, executable path (e.g., \u003ccode\u003e/tmp/*\u003c/code\u003e), or command-line arguments.\u003c/li\u003e\n\u003cli\u003eThe rule checks if the accessed file is in the list of sensitive identity files.\u003c/li\u003e\n\u003cli\u003eIf both conditions are met, the rule triggers an alert, indicating potential unauthorized access to sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen credentials or uses them to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access cloud resources or other sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive credentials, allowing attackers to gain unauthorized access to critical systems and data. This can result in data breaches, service disruptions, and financial losses. The targeted files contain credentials for Kubernetes clusters, cloud environments (AWS, Azure, Google Cloud), and SSH keys, potentially impacting a wide range of resources. The impact is particularly severe in environments where these credentials are used for managing critical infrastructure or accessing sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Auditd Manager integration with the specified audit rules in the provided setup steps to monitor access to sensitive identity files on Linux systems. Ensure auditd is properly configured and running (\u003ccode\u003eauditctl -l\u003c/code\u003e) to generate the necessary logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect suspicious processes accessing sensitive identity files and tune them for your environment by excluding legitimate processes or users as needed.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules, focusing on the process name, executable, parent command line, and the accessed file path to determine the legitimacy of the access.\u003c/li\u003e\n\u003cli\u003eReview and harden file permissions on shared credential stores to prevent unauthorized access. Rotate exposed keys and tokens and invalidate cloud sessions if a compromise is suspected, as suggested in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-sensitive-identity-file-access/","summary":"This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.","title":"Suspicious Process Accessing Sensitive Identity Files via Auditd","url":"https://feed.craftedsignal.io/briefs/2024-01-sensitive-identity-file-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Gcloud","version":"https://jsonfeed.org/version/1.1"}