
feat: more cloud credential discovery #3018

Open. Wants to merge 1 commit into base: master

Conversation

ryananicholson

Adding support for Azure, GCP, and OCI
Also fixed AWS check

Details:
Added file system searches for Azure, GCP, and OCI credentials:

  • Azure: #{file_path}/.azure with files named either msal_token_cache.json or accessTokens.json
  • GCP: #{file_path}/.config/gcloud with files named either credentials.db or access_tokens.json
  • OCI: #{file_path}/.oci/sessions with files named token

Also adjusted the find command for the AWS credential search as it would look outside of expected locations.

Testing:
Here is the output of me performing all four searches on my local system (macOS):

  • AWS

    Invoke-AtomicTest T1552.001 -TestNames "Find AWS credentials" -InputArgs @{"file_path" = "/Users/nicholsr"}
    PathToAtomicsFolder = /Users/nicholsr/AtomicRedTeam/atomics

    Executing test: T1552.001-1 Find AWS credentials
    /Users/nicholsr/.aws/credentials
    Exit code: 0
    Done executing test: T1552.001-1 Find AWS credentials

  • Azure

    Invoke-AtomicTest T1552.001 -TestNames "Find Azure credentials" -InputArgs @{"file_path" = "/Users/nicholsr"}
    PathToAtomicsFolder = /Users/nicholsr/AtomicRedTeam/atomics

    Executing test: T1552.001-15 Find Azure credentials
    /Users/nicholsr/.azure/msal_token_cache.json
    Exit code: 0
    Done executing test: T1552.001-15 Find Azure credentials

  • GCP

    Invoke-AtomicTest T1552.001 -TestNames "Find GCP credentials" -InputArgs @{"file_path" = "/Users/nicholsr"}
    PathToAtomicsFolder = /Users/nicholsr/AtomicRedTeam/atomics

    Executing test: T1552.001-16 Find GCP credentials
    /Users/nicholsr/.config/gcloud/access_tokens.db
    /Users/nicholsr/.config/gcloud/credentials.db
    Exit code: 0
    Done executing test: T1552.001-16 Find GCP credentials

  • OCI

    Invoke-AtomicTest T1552.001 -TestNames "Find OCI credentials" -InputArgs @{"file_path" = "/Users/nicholsr"}
    PathToAtomicsFolder = /Users/nicholsr/AtomicRedTeam/atomics

    Executing test: T1552.001-17 Find OCI credentials
    /Users/nicholsr/.oci/sessions/DEFAULT/token
    Exit code: 0


Associated Issues:
Previous version of T1552.001-1 exits with code 1 even if credentials are present. This PR fixes the find command to return 0.
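The same credential-cache locations the PR searches for, turned into a defender-side hygiene check, as an added example that is not code from this PR or from Atomic Red Team: it looks under one home directory for the AWS, Azure, GCP and OCI cache files named above, reports any that are readable by group or other users, and, like the corrected AWS test, exits 0 only when at least one cache was found. The function name `audit_cloud_creds` and its home-directory argument are this example's own.

```shell
#!/bin/sh
# Added example (not code from the Atomic Red Team PR): audit one home directory
# for the cloud CLI credential caches named in the PR description and flag any
# that other local users could read. Like the corrected AWS test, the exit
# status is 0 when at least one cache was found and 1 when none were.

# Relative paths from the PR description; the GCP list also includes the
# access_tokens.db name that appears in the PR's test output.
CLOUD_CRED_PATHS="
.aws/credentials
.azure/msal_token_cache.json
.azure/accessTokens.json
.config/gcloud/credentials.db
.config/gcloud/access_tokens.json
.config/gcloud/access_tokens.db
.oci/sessions/*/token
"

# audit_cloud_creds HOME_DIR  (function name and argument are this example's own)
# Prints "<path> <octal mode> <ok|GROUP-OR-WORLD-READABLE>" per cache found.
# Returns 0 if any cache exists, 1 otherwise.
audit_cloud_creds() {
    home="$1"
    found=0
    for rel in $CLOUD_CRED_PATHS; do
        # $rel is unquoted so the OCI session glob expands; a pattern with no
        # match stays literal and is skipped by the -f test.
        for f in "$home"/$rel; do
            [ -f "$f" ] || continue
            found=1
            # GNU stat first (Linux), BSD stat as the fallback (macOS).
            mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
            # Any group/other permission bit means the token is not owner-private.
            if [ $(( 0$mode & 077 )) -ne 0 ]; then
                printf '%s %s GROUP-OR-WORLD-READABLE\n' "$f" "$mode"
            else
                printf '%s %s ok\n' "$f" "$mode"
            fi
        done
    done
    [ "$found" -eq 1 ]
}

# Stand-alone use: audit the current user's home directory.
# audit_cloud_creds "$HOME"
```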
