云安全 – 攻击

AWS

在 AWS VPN 客户端中将权限升级为 SYSTEM

• https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client/

AWS WorkSpaces 远程代码执行

• aws/cve-2021-38112-aws-workspaces-rce/

CloudFormation 模板中的资源注入

• rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/

下载和探索 AWS EBS 快照

• https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/

CloudGoat ECS_EFS_Attack 演练

• cloud-security/cloudgoat-aws-ecs_efs_attack/

GKE Kubelet TLS Bootstrap 提权

• cloud-security/kubelet-tls-bootstrap-privilege-escalation/
• 

武器化 AWS ECS 任务定义以窃取正在运行的容器中的凭证

• weaponizing-ecs-task-definitions-steal-credentials-running-containers/

CloudGoat AWS 场景演练：“EC2_SSRF”

• cloud-security/cloudgoat-aws-scenario-ec2_ssrf/

掠夺硬编码机密的 AWS ECS 任务定义

• aws/pillaging-ecs-task-definitions-two-new-pacu-modules/

在 AWS 中滥用 VPC 流量镜像

• https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/

使用云容器攻击工具 (CCAT) 利用 AWS ECR 和 ECS

• https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/

使用 AWS API Gateway 绕过基于 IP 的封锁

• https://rhinosecuritylabs.com/aws/bypassing-ip-based-blocking-aws/

在 AWS 上使用 MFA 钓鱼用户

• https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/

AWS IAM 特权升级 – 方法和缓解措施

• aws/aws-privilege-escalation-methods-mitigation/

渗透测试 AWS 存储：踢 S3 存储桶

• penetration-testing/penetration-testing-aws-storage/

云安全风险 (P2)：AWS CloudTrail 中的 CSV 注入

• https://rhinosecuritylabs.com/aws/
  cloud-security-csv-injection-aws-cloudtrail/

亚马逊的 AWS 配置错误：在 Amazon Go 中上传任意文件

• amazon-aws-misconfiguration-amazon-go/

权限升级攻击：攻击 AWS IAM 权限错误配置

• https://payatu.com/blog/mayank.arora/iam_privilege_escalation_attack

IAM 易受攻击 – AWS IAM 特权升级游乐场

• https://bishopfox.com/blog/aws-iam-privilege-escalation-playground

通往云的自动扶梯：AWS 中的 5 个 Privesc 攻击向量

• https://bishopfox.com/blog/5-privesc-attack-vectors-in-aws

易受攻击的 AWS Lambda 函数——云攻击中的初始访问

• https://sysdig.com/blog/exploit-mitigate-aws-lambdas-mitre/

通过 Amazon Web Services 的 EC2 进行特权升级攻击

• inside-a-privilege-escalation-attack-via-amazon-web-services-ec2/

AWS 攻击

• https://pentestbook.six2dez.com/enumeration/cloud/aws

AWS 影子管理员

• Shadow-admin-permissions-and-your-AWS-account

通过 API 密钥获得 AWS 控制台访问权限

• gaining-aws-console-access-via-api-keys/

为 EC2 自动创建 AWS AMI 并复制到其他区域

• automate-aws-ami-creation-for-ec2-and
  -copy-to-other-region-or-disaster-recovery

Instance Connect – 将 SSH 密钥推送到 EC2 实例

• connect-to-your-ec2-instance-using-ssh-the-modern-way/

黄金 SAML 攻击

• golden-saml-newly-discovered-attack-technique-forges
  -authentication-to-cloud-apps
• blog.sygnia.co/detection-and-hunting-of-golden-saml-attack

从云中的域控制器窃取哈希

• cloudcopy-stealing-hashes-from-domain-controllers-in-the-cloud

AWS PenTest 方法论

• [Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Cloud – AWS Pentest.md)

CloudGoat 官方攻略系列：“rce_web_app”

• https://rhinosecuritylabs.com/aws/cloudgoat-walkthrough-rce_web_app/

Azure

GKE Kubelet TLS Bootstrap 提权

• cloud-security/kubelet-tls-bootstrap-privilege-escalation/

云安全风险（第 1 部分）：Azure CSV 注入漏洞

• cloud-security-risks-part-1-azure-csv-injection-vulnerability/

SaaS 公司的安全性：利用 Infosec 实现商业价值

• security-saas-companies-leveraging-infosec-business-value/

常见的 Azure 安全漏洞和错误配置

• rhinosecuritylabs.com/cloud-security/
  common-azure-security-vulnerabilities/

枚举有效的电子邮件

• https://zigmax.net/enumerate-valid-emails-accounts%EF%BF%BC/

枚举 Azure 子域

• cloud-penetration-testing/enumerating-azure-services/
• Subdomain-Takeover-Azure-CDN.html

Azure 攻击

• https://pentestbook.six2dez.com/enumeration/cloud/azure

Azure Active Directory 帐户枚举

• azure-active-directory-account-enumeration/

滥用 Microsoft 的 Azure 域来托管网络钓鱼攻击

• abusing-microsofts-azure-domains-host-phishing-attacks

防御 EvilGinx2 MFA 绕过

• microsoft-entra-azure-ad/defending-against
  -the-evilginx2-mfa-bypass/mp/501719
• defending-against-evilginx2-in-office-365/

365-Stealer 简介 – 理解和执行非法许可授予攻击

• https://www.alteredsecurity.com/post/introduction-to-365-stealer
• detection-and-mitigation-consent-grant-attacks-azuread/

Azure AD 密码喷洒；从攻击到检测（和预防）。

• password-spray-from-attack-to-detection-and-prevention-87c48cede0c0
• protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad/

通过 PASS-THE-PRT 横向移动到云端

• ateral-movement-to-the-cloud-pass-the-prt/
• pass-the-prt-attack-and-detection-by-microsoft-defender-for

Azure AD 通过证书

• https://medium.com/@mor2464/azure-ad-pass-the-certificate

如何通过 SSH 连接到特定的 Azure Web App 实例

• https://codez.deedx.cz/posts/how-to-ssh-into-web-app-instance/

攻击 Azure、Azure AD 并介绍 PowerZure

• attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a

未检测到的 Azure Active Directory 暴力破解攻击

• undetected-azure-active-directory-brute-force-attacks

Azure AD 如何容易受到暴力破解和 DOS 攻击

• https://medium.com/hackernoon/azure-brute-farce-17e27dc05f85

如何在 Azure 和 O365 中绕过 MFA

• https://secwise.be/how-to-bypass-mfa-in-azure-and-o365-part-1/

AWS 安全工具

• github.com/toniblyx/my-arsenal-of-aws-security-tools
• https://github.com/blackbotsecurity/AWS-Attack
• https://github.com/awslabs/aws-cloudsaga
• https://github.com/awslabs/aws-support-tools
• https://github.com/0xVariable/AWS-Security-Tools
• https://cybersecurityup.github.io/awstrm/index.html
• CloudPentestCheatsheets/blob/master/cheatsheets/AWS.md
• https://github.com/RhinoSecurityLabs/cloudgoat

Azure 安全工具

• Invoke-EnumerateAzureBlobs.ps1
• https://microsoft.github.io/Azure-Threat-Research-Matrix/
• https://github.com/Cloud-Architekt/AzureAD-攻击-防御
• CloudPentestCheatsheets/blob/master/cheatsheets
• https://github.com/Kyuu-Ji/Awesome-Azure-Pentest
• https://github.com/ine-labs/AzureGoat
• https://github.com/kmcquade/awesome-azure-security
• https://github.com/nccgroup/azucar

欢迎关注公众号：