botocore>=1.24.46 boto3>=1.28.0 boto3-stubs>=1.20.49 python-dateutil==2.8.1 types-python-dateutil==2.8.13 pytest==7.2.0 moto==4.2.2 timeout-decorator==0.5.0 black==23.9.1 pip-audit==2.6.1 azure-storage-blob==12.18.3 azure-core==1.29.4 azure-identity==1.14.1 google-cloud-storage==2.12.0 setuptools==68.2.2 yara-python-wheel==4.4.0
https://github.com/Permiso-io-tools/CloudGrappler.gitcd CloudGrapplerpip3 install -r requirements使用样例一:使用默认查询文件运行CloudGrappler
{"AWS": [ {"bucket": "cloudtrail-logs-00000000-ffffff","prefix": ["testTrails/AWSLogs/00000000/CloudTrail/eu-east-1/2024/03/03","testTrails/AWSLogs/00000000/CloudTrail/us-west-1/2024/03/04" ] }, {"bucket": "aws-kosova-us-east-1-00000000" } ],"AZURE": [ {"accountname": "logs","container": ["cloudgrappler" ] } ]}python3 main.pypython3 main.py -p[+] Running GetFileDownloadUrls.*secrets_ for AWS[+] Threat Actor: LUCR3[+] Severity: MEDIUM[+] Description: Review use of CloudShell. Permiso seldom witnesses use of CloudShell outside of known attackers.This however may be a part of your normal business use case.使用样例三:生成报告
python3 main.py -p -joreports└── json ├── AWS │ └── 2024-03-04 01:01 AM │ └── cloudtrail-logs-00000000-ffffff-- │ └── testTrails/AWSLogs/00000000/CloudTrail/eu-east-1/2024/03/03 │ └── GetFileDownloadUrls.*secrets_.json └── AZURE └── 2024-03-04 01:01 AM └── logs └── cloudgrappler └── okta_key.json使用样例四:根据日期或时间过滤日志
python3 main.py -p -sd 2024-02-15 -ed 2024-02-16使用样例五:手动添加查询和数据源类型
python3 main.py -q “GetFileDownloadUrls.*secret”, ”UpdateAccessKey” -s '*'使用样例六:使用自己的查询文件运行CloudGrappler
python3 main.py -f new_file.json原文始发于微信公众号(FreeBuf):CloudGrappler:针对云环境的威胁行为与安全事件检测工具
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论