This repo contains a selection of guides, scripts, and tools for running purple team exercises against Snowflake, mainly focusing on automating the "red" side of the purple team.

The content is partially threat-intel based, drawing specifically on previous Snowflake compromises:
- https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
- https://services.google.com/fh/files/misc/snowflake-threat-hunting-guide.pdf

Other techniques are theoretical attacks that are possible within the platform but have not been observed in real-world intrusions.
Layout:
- scripts: SQL scripts for automating malicious Snowflake actions
- cloud_inf: Terraform scripts for deploying AWS resources to exfiltrate to
- tools: other tools, e.g. password brute forcing
The playbooks folder contains the guides for attacking and defending Snowflake. They are structured by MITRE ATT&CK phase; for each phase there are guides on the core attacks, the applicable security controls, monitoring strategies, and the test case commands themselves. Following these should allow you to conduct the actual purple team.

```
playbooks
├── README.md
├── blue
└── red
    ├── README.md
    ├── 00_general.md
    ├── 01_initial_access.md
    ├── 02_discovery.md
    ├── 03_persistence.md
    ├── 04_privesc.md
    ├── 05_defense_evasion.md
    ├── 06_credential_access.md
    ├── 07_collection.md
    ├── 07_exfiltration.md
    └── 09_impact.md
```
The cloud_inf folder contains Terraform templates for several AWS resources that can be deployed to facilitate exfiltration. These have been written to be quick and convenient, not to be long-term secure deployments: they involve role assumption relationships and public S3 buckets, so make sure you understand what you are deploying and use them with caution.

Modules:
- lambda_api: deploys a public API Gateway that, when invoked, logs the caller to a CloudWatch resource. This can be used to exfiltrate data via Snowflake external functions.
- s3: various models of S3 access, including public buckets, role assumption, and IAM user key based access.

```
cloud_inf
├── lambda_api
├── s3_iam_user
├── s3_public
├── s3_role_assumption
└── vars.tfvars
```
All cloud templates use tags based on shared variables. Generate the `vars.tfvars` file as follows:

```shell
COST_CENTRE="Cost_centre_here"
EMAIL="[email protected]"
cat > vars.tfvars << EOF
aws_region = "eu-west-1"
cost_center = "$COST_CENTRE"
contact = "$EMAIL"
deployment_name = "ew1-purple-snowflake" # The root name for the resources; use this however you want to track things. S3 buckets will be given pseudo-random animal names to ensure uniqueness.
EOF
```
The best guide to the test cases is the code snippets in the playbooks; however, some key commands are also present as individual script files for ease of repetition. The following scripts are stored in the scripts folder:
- backdoor_user_key.sql
- create_external_access_WIP.sql
- create_external_function_exfil.sql
- create_security_integration.sql
- create_stored_procedure.sql
- create_user.sql
- delete_history.sql
- disable_external_function.sql
- enum_api_integrations.sql
- enum_functions_external.sql
- enum_functions_secrets.sql
- enum_network_policies.sql
- enum_roles.sql
- enum_secrets.sql
- enum_security_integrations.sql
- enum_sessions.sql
- enum_tables.sql
- exfil_copy_s3_private.sql
- exfil_copy_s3_public.sql
- exfil_get.sql
- grant_db_ownership.sql
- grant_role_accountadmin.sql
- grant_role_ownership.sql
- invoke_external_function_exfil.sql
- read_history.sql
- reset_password.sql
Currently these should be examined and executed manually, as some require variables to be set and this has not been automated. They nevertheless serve as a basis for the malicious actions that can be performed within Snowflake.
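Since the playbooks pair each red test case with a monitoring strategy, the blue side needs a way to confirm that a script run actually shows up in telemetry. The following queries are an added example, not a script from this repo, that hunt for the categories of activity the script list above covers in Snowflake's `SNOWFLAKE.ACCOUNT_USAGE` views. They assume a role that can read those views (ACCOUNTADMIN, or a role granted the SNOWFLAKE database), a seven-day lookback, and that the script-to-pattern mapping in the comments (inferred from the script file names) matches what the scripts actually execute.

```sql
-- Added example: hunting queries for the red-team actions listed above.
-- Assumes a role with access to SNOWFLAKE.ACCOUNT_USAGE. Note that ACCOUNT_USAGE
-- views lag real time (typically 45 minutes to a few hours), so run these after
-- the test case, not during it. Tune the 7-day window to your exercise.

-- 1. Statements resembling the persistence, privesc and exfiltration scripts.
--    Pattern-to-script mapping is inferred from the script file names.
SELECT START_TIME,
       USER_NAME,
       ROLE_NAME,
       QUERY_TYPE,
       QUERY_TEXT
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE START_TIME >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND EXECUTION_STATUS = 'SUCCESS'
  AND (
       QUERY_TEXT ILIKE '%CREATE%EXTERNAL FUNCTION%'      -- create_external_function_exfil.sql
    OR QUERY_TEXT ILIKE '%CREATE%API INTEGRATION%'        -- prerequisite for an external function
    OR QUERY_TEXT ILIKE '%CREATE%SECURITY INTEGRATION%'   -- create_security_integration.sql
    OR QUERY_TEXT ILIKE '%COPY INTO%s3://%'               -- exfil_copy_s3_public.sql / exfil_copy_s3_private.sql
    OR QUERY_TEXT ILIKE '%GRANT ROLE ACCOUNTADMIN%'       -- grant_role_accountadmin.sql
    OR QUERY_TEXT ILIKE '%ALTER USER%SET%PASSWORD%'       -- reset_password.sql
    OR QUERY_TEXT ILIKE '%ALTER USER%RSA_PUBLIC_KEY%'     -- backdoor_user_key.sql (key-pair backdoor)
    OR QUERY_TEXT ILIKE '%NETWORK POLICY%'                -- enum_network_policies.sql and any policy changes
  )
ORDER BY START_TIME DESC;

-- 2. New ACCOUNTADMIN grants to users, straight from the grants view rather than
--    from query text, so a grant issued through a stored procedure is still caught.
SELECT CREATED_ON,
       GRANTEE_NAME,
       ROLE,
       GRANTED_BY
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
WHERE ROLE = 'ACCOUNTADMIN'
  AND DELETED_ON IS NULL
  AND CREATED_ON >= DATEADD('day', -7, CURRENT_TIMESTAMP())
ORDER BY CREATED_ON DESC;

-- 3. Successful single-factor logins. The compromises referenced above relied on
--    stolen credentials for accounts without MFA, so every success with no
--    second factor is worth a look, especially from an unfamiliar client or IP.
SELECT EVENT_TIMESTAMP,
       USER_NAME,
       CLIENT_IP,
       REPORTED_CLIENT_TYPE,
       FIRST_AUTHENTICATION_FACTOR
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE EVENT_TIMESTAMP >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND IS_SUCCESS = 'YES'
  AND SECOND_AUTHENTICATION_FACTOR IS NULL
ORDER BY EVENT_TIMESTAMP DESC;

-- 4. Failed-login bursts per user, which is what the password brute forcing tool
--    in the tools folder would produce against an account with no lockout.
SELECT USER_NAME,
       COUNT(*)            AS failures,
       MIN(EVENT_TIMESTAMP) AS first_failure,
       MAX(EVENT_TIMESTAMP) AS last_failure
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE EVENT_TIMESTAMP >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND IS_SUCCESS = 'NO'
GROUP BY USER_NAME
HAVING COUNT(*) >= 20
ORDER BY failures DESC;
```

Query 1 matches on query text, so it will miss a statement whose text was removed by `delete_history.sql`-style tampering only if the attacker could purge ACCOUNT_USAGE itself, which they cannot; that is why queries 2 to 4 lean on the grant and login views, which record state rather than statements. Expect some benign hits from query 1 (legitimate `COPY INTO` unloads, routine network policy administration); the point of the exercise is to compare what the blue team sees against the red team's run log and close the gaps.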
The following resources were invaluable in understanding the attacks against Snowflake that occurred, and constructing blue team strategies: