Noah McDonald

GCP Consultant @ Google | Ex-Unit42 | Cloud Security
Dissecting AlienFox | The Cloud Spammer’s Swiss Army Knife

A sophisticated new toolset is being used to harvest credentials from multiple cloud service providers, including AWS SES and Microsoft Office 365.

SentinelOne
Cado Security blog uncovering a “new” and useful artifact for AWS forensics, “ipcTempFile.log”. This artifact stores a copy of the AWS SSM terminal session #aws #incidentresponse #cloud https://t.co/pQKjeFwW6j
IPC YOU: How the Cado Platform Reveals Attacker Command Outputs - Cado Security | Cloud Investigation

This blog covers how security teams can leverage the Cado platform to see the commands the attacker executed and the command outputs.

Cado Security | Cloud Investigation
Attack path simulation coming to your nearest GCP! And now that SCC is more affordable, everyone should be testing this new feature #gcp #cloudsecurity https://t.co/8qRklDxoEH
Why (and how) Google Cloud is adding attack path simulation to Security Command Center | Google Cloud Blog

Google Cloud is adding attack path simulation technology to Security Command Center. Here’s why, and how it can help security teams.

Google Cloud Blog
Well, unfortunately my talk was passed on by #RSA2023. Hopefully next year we have some better luck! #cloudsecurity #cloud
The second part of the 3-part series was released today by both Invictus Incident Response and Cado Security: https://invictus-ir.medium.com/responding-to-an-attack-in-aws-dae857806aa7 #cloud #incidentresponse
Responding to an attack in AWS - Invictus Incident Response - Medium

This is the second of a three-part blog series written by Cado Security and Invictus Incident Response, where we are investigating an incident that was discovered during an account audit of an Amazon…

Medium
What is unique about this finding, however, is that it returns results, allowing an attacker to perform specific IAM actions and get results without logging to CloudTrail! https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass/
AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass | Datadog Security Labs

Public disclosure of a method to bypass CloudTrail for specific IAM actions.

Fresh off the press from @wiz. This blog covers the recent #circleci breach and how to detect malicious post-exploitation within #gcp, #aws and #azure https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide
Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident | Wiz Blog

Learn how to detect malicious persistence techniques in AWS, GCP & Azure after potential initial compromise, like with the CircleCI incident

wiz.io
Following up on this post, Permiso wrote a blog explaining how attackers are abusing Simple Email Service (SES). Two blogs within a week of each other talking about the SES service being exploited... hope you are paying attention and learning from these! https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/ #aws #cloud #threatdetection
Blog | SES-pionage

What do attackers do with exposed AWS access keys? We look inside AWS SES to give deeper insights into the service, why & how it's targeted and how to detect it.

The guide to analyzing Kubernetes runtime detection alerts using Amazon Athena

Lightspin created a public repository with common use cases to simulate unusual/malicious activities within the Kubernetes cluster.

Another great article posted today. @expel wrote an interesting blog about identifying threat actor activity and stolen access keys in AWS. This blog covers how one of the threat actor's goals was to compromise and abuse the email service within AWS (SES). https://expel.com/blog/incident-report-stolen-aws-access-keys/. I have first-hand performed incident response with a similar story to the ones our friends at Expel have written about. Along with crypto mining attacks, threat actors will attempt to exploit the SES service to send out malspam to thousands of people, furthering the scope of compromise. #aws #incidentresponse #cloud #threathunting
Incident report: stolen AWS access keys

Here we walk through what happens when attackers steal a set of AWS access keys. Recently, our SOC, threat hunting, and detection engineering teams collaborated on such an incident.

Expel