SkyArk - Helps To Discover Assess and Secure the Most Privileged Entities in Azure & AWS

SkyArk is a cloud security project with two main scanning modules:>

1. Azure Sleath: scan Azure environments.
2. Aw Sleath: scan AW environments.

These two scanning modules will discover the most privileged entities in the target AWS and Azure. The module provides new valuable insights from cloud trail logs. Security teams can use the results file to investigate sensitive actions, discover the entities that look those action and reveal additional valuable details on each executed and logged actions.

The Main Goal Discover the Most Privileged Cloud Users:

SkyArk is focusing on mitigating the new threat of cloud shadow admins, and help the organizations to discover, assess and protect cloud privileged entities. Stealthy and undercover admins may reside in every public cloud platform and SkyArk helps mitigating the risk in AWS and Azure.

Background:

SkyArk deals with the new uprising threat of cloud shadow admins how attackers find and abuse non-trivial and so called limited permissions to still make it through and escalate their privileges and become full cloud admins. Furthermore attackers can easily use those tricky specific permissions to hide stealthy admin entities that will wait them as undercover persistence technique. SkyArk was initially published as a part of research on the threat of AWS shadow admins, this research was presented at RSA USA 2018 conference.

Tool Description:

SkyArk currently contain two main scanning module Azure stealth and AWS stealth. With the scanning results organizations can discover the entities that have more sensitive and risky permissions. Potential attackers are hunting for those and defensive teams should make sure this privileged users are well secured have strong, rotated and safety store credentials, being monitored carefully, etc. Remember that we cannot protect the things we don’t aware of and SkyArk helps in complex mission of discovering the most privileged cloud entities including the straight forward admins and also the stealthy shadow admins that could easily escalate their privileges and become full admin as well as.

1. Azure Stealth Scan:

Azure stealth is a PowerShell script that uses free Azure’s PowerShell modules, it requires PowerShell version 5.1+.

How To Run It:

1. Download/sync the locally the script file Azure Stealth .ps1.
2. Open the PowerShell in the Azure stealth folder to run the script.
3. Running the followings commands:
   1. Import-Module ./AzureS.
   2. Scan-Azure admins.
4. Optional command:
   1. (-)Scan-Azure admins -UseC
   2. (-)Scan-Azure admins -GetP
5. IF you encounter with Azure connections errors, you can manually connect to Azure and then run the scan:
   1. Import-Module ./AzureS.
   2. Connect-AzAccount.
   3. Connect-AzureAD.
   4. Scan-Azure admins -UseC.

2. Aws Stealth Scan:

SkyArk runs in PowerShell and uses free AWS PowerShell Module, you can download AWS tools for Windows PowerShell in advance:

How To Run It:

Open the PowerShell SkyArk folder with running script permissions.

1. If you want to use only AW Stealth from SkyArk tool:
   1. Import-Module ./AWStealth.ps1-.
2. Perform AWStealth scan:
   1. Scan-AWShadowAdmins-accesskeyi.

Download the SkyArk Tool: https://github.com/cyberark/SkyArk