Security Archives - Christophe Tafani-Dereeper

The New PKCE Authentication in AWS SSO Brings Hope (Mostly)

christophetd 29 November 2024 29 November 2024 Leave a Comment

In 2021, I wrote about how offensive actors can leverage AWS SSO device code for phishing, rendering modern security controls like FIDO authentication or identity provider device posture ineffective: Phishing for AWS credentials via AWS SSO device code authentication. In this post, we’ll take a closer look at the newly-released PKCE support for AWS SSO authentication flows. A Short History of Device Code Phishing As highlighted in the original article, Device Code phishing isn’t new or specific to AWS. In fact, it had previously been demonstrated in the context of Azure AD. However, following the publication, the technique gained notableContinue reading… The New PKCE Authentication in AWS SSO Brings Hope (Mostly)

Stop worrying about ‘allowPrivilegeEscalation’

christophetd 14 June 2024 14 June 2024 Leave a Comment

Kubernetes’ ‘allowPrivilegeEscalation’ is a useful but poorly understood security hardening setting. Let’s dive into how it works and debunk some common myths about it.

IMDSv2 enforcement: coming to a region near you!

christophetd 10 April 2024 28 March 2024 Leave a Comment

On March 25, AWS released a new feature that helps enforcing IMDSv2 at the region level by default for newly-launched instances. This represents a long-awaited and feature, that still has some quirks.

Hiding in Plain Sight: Unlinking Malicious DLLs from the PEB

christophetd 26 April 2023 21 April 2023 Leave a Comment

In this post, we take a look at an anti-forensics technique that malware can leverage to hide injected DLLs. We dive into specific details of the Windows Process Environment Block (PEB) and how to abuse it to hide a malicious loaded DLL.

MitM at the Edge: Abusing Cloudflare Workers

christophetd 29 June 2022 29 June 2022 Leave a Comment

Cloudflare Workers provide a powerful serverless solution to run code that sits between every HTTP request and response. In this post, we’ll see how an attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data.

Introducing Stratus Red Team, an Adversary Emulation Tool for the Cloud

christophetd 21 March 2022 28 January 2022 Leave a Comment

Today, I’m thrilled to release a new open-source project I’ve been working on in the past few weeks: Stratus Red Team, an adversary emulation and purple teaming tool, focused on emulating common attack techniques in cloud environments.

Implementing a Vulnerable AWS DevOps Environment as a CloudGoat Scenario

christophetd 11 January 2022 11 January 2022 1 Comment

I’m a huge fan of disposable security labs, both for offensive and defensive purposes (see: Automating the provisioning of Active Directory labs in Azure). After writing Cloud Security Breaches and Vulnerabilities: 2021 in Review, I wanted to build a “purposely vulnerable AWS lab” with a typical attack path including static, long-lived credentials and with a supply-chain security element.

Cloud Security Breaches and Vulnerabilities: 2021 in Review

christophetd 14 March 2022 22 December 2021 10 Comments

As 2021 fades away, we look back on cloud data breaches and vulnerabilities that were publicly disclosed this year. Last updated: March 14th, 2022.

Phishing for AWS credentials via AWS SSO device code authentication

christophetd 28 November 2024 9 June 2021 3 Comments

When using AWS in an enterprise environment, best practices dictate to use a single sign-on service for identity and access management. AWS SSO (newly referred to as “Identity Center”) is a popular solution, integrating with third-party providers such as Okta and allowing to centrally manage roles and permissions in multiple AWS accounts. In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vectorContinue reading… Phishing for AWS credentials via AWS SSO device code authentication

Retrieving AWS security credentials from the AWS console

christophetd 28 August 2023 5 June 2021 3 Comments

In this short blog post, we describe how to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console.