Mazin Ahmed

Secrets Patterns DB: Building Open-Source Regex Database for Secret Detection

2023-02-07T00:00:00-06:00

Ensuring the security of your organization’s sensitive information is critical for any security team, and detecting secrets within your AppSec program is a crucial part of this effort. However, even if you have implemented advanced security controls, your program may still be at risk if passwords and API keys are committed to GitHub and subsequently exposed in a production environment, whether through a live web application, a compiled mobile app, or minified JavaScript code. To mitigate this risk, it is essential to properly secure and manage these secrets at every stage of the development process.

Detecting secrets is possible and can be automated. There are open-source tools for it that do a good job of analyzing the Git tree for potential secrets through two approaches:

Regular Expressions

A dataset of regular expressions (Regex) rules that point to valid and known patterns of passwords, API keys, API Tokens, and Cloud API Keys.

Pros

If written correctly, it provides high-confidence findings and limited false-positive alerts.

Cons

It can only see a very limited and small side of the picture: If there’s an API Token, and the rules cover 40-80 patterns that do not cover this particular API Token, it would not be discovered.

Shannon’s Entropy Checks

Shannon’s Entropy is an estimation of the average amount of information stored in a random value. Shannon’s entropy measures the predictable information contained in a message. It has a variety of use cases in Computer Science, including data compression, validating cryptography, and here, finding passwords and secrets.

Pros

Context-agnostic: The algorithm can be applied against any language, framework, or codebase, and is trivial to compute.
Does not require the configuration of pre-defined Regular Expressions.
Can find secrets that would have never been found with pre-defined Regular Expressions.

Cons

The false-positive rate is high: It requires a manual validation of alerts before opening tickets about leaked secrets. Analysts would need to verify what type of secret it is. This will generate overhead in triaging findings.

We’re doing Regex scanning wrong. Let’s fix this, together

While several open-source tools utilize regular expressions to detect secrets in codebases, the number of built-in rules for these tools is limited. TruffleHog v2 offers approximately 40 rules, TruffleHog v3 offers around 790 patterns, and GitLeaks offers approximately 60 rules. While it’s a good start, it’s not enough.

This project was initially made before TruffleHog v3 was released. At that time, the largest rules database was GitLeaks with 60 rules available. TruffleHog v3 helped a lot in collecting large datasets, but it’s still in a format that can not be ingestible with other tools since the new detector format is placed as Golang modules for each detection rule. This means that we would have to use Trufflehog v3 if we would like to make use of their detection rules.

I have compiled and curated a database of regular expression patterns for secrets, API tokens, keys, and passwords to improve the detection of secrets in codebases. This project I built, Secrets-Patterns-DB, contains over 1600 patterns and is being open-sourced in the hope that security teams will contribute to and improve it.

To ensure the quality and effectiveness of these patterns, I have written scripts to validate them against ReDoS attacks and created CI jobs to load and validate the patterns. I have also manually cleaned up any invalid patterns.

I encourage security teams to use and contribute to Secrets-Patterns-DB to enhance the security of their codebases.

The project is in Beta. There’s a lot of room for improvement on the project. I’m looking forward to your Pull Requests and Issues on Github to enhance Secrets-Patterns-DB for everyone. Unified Pattern Format for all tools

The Secrets-Patterns-DB has a unified pattern format that can be converted to all tools of choice. If you use TruffleHog, GitLeaks, or other tools in your organization, Secrets-Patterns-DB can be exported to the format that your tool supports.

For Trufflehog v2

$> ./convert-rules.py ./db/rules.yml trufflehog

For Gitleaks

$> ./convert-rules.py ./db/rules.yml gitleaks

And then, you can use the output rules with your tool.

Project: github/mazen160/secrets-patterns-db

License

This project is licensed under Creative-Common. If you’re building a tool or a product that uses Secrets-Patterns-DB, you should explicitly reference Secrets-Patterns-DB.

Speaking at BlakcHat MEA 2022

2022-12-05T00:00:00-06:00

Riyadh, Saudi Arabia recently hosted BlackHat MEA (Middle East & Africa), the largest security conference in the Middle East and Africa region.

BlackHat MEA featured a range of events, including an Executive Summit, Technical tracks, a Drone Hacking village, a Car Hacking village, a live Tesla hacking event, and a startup competition..

My Talk

I have had the opportunity to speak this year at BlackHat, where I presented my latest research, titled “Demystifying Practical DDoS Attacks”.

What I liked at BlackHat, and why you should apply next year

When arriving at the Riyadh airport (King Khalid International Airport), this vehicle was waiting for all speakers.

This is just one of the nice tokens of hospitality the conference made. It honestly leaves an amazing impression about the conference.

The organization of the conference was impressive. It was clear that a lot of effort had gone into planning and coordinating the event. This was evident in the high quality of the talks, the smooth logistics of the venue, the activities designed for students, and the startup competition. Overall, it was a well-organized and professionally-run conference.

Awesome talks

I didn’t have the opportunity to see as many talks as I would have liked at BlackHat MEA due to the multiple tracks running simultaneously. However, I was able to catch a few really interesting presentations. I’m looking forward to the release of the conference recordings online so that I can catch up on the talks that I missed. For next year’s conference, I hope that there will be fewer tracks so that attendees can more easily plan which talks to attend.

“Disrupting Ransomware” By Lance James
“Assume Breach” By Caleb Sima
“Human Security Engineering – A Holistic Approach To Addressing Human Incidents” By Ira Winkler
“I Bet Nobody Ever Thought To Do This With A Camel..” By Chris Roberts
“Apt Hunting And The Threat Intelligence Dilemma” By Salah Altokhais
“Dotdumper: Automatically Unpacking Dotnet Based Malware” By Max Kersten
“Wipermania: An All You Can Wipe Buffet” By Max Kersten
“Turbocharging Ioc Validation: Become A More Efficient CTI Analyst” By Arwa Alomari
“So Many Devices, So Little Time” By Joseph Mccray
“Abusing Azure Virtual Machines” By Tarek Naja
“The Evolution Of Ios Security” By Prateek Gianchandani
“What The Waf: Scalable, Multi-cloud, Automated Security Using Waf” By Khaled Farah
“An Attacker’s Perspective” By Quinn Carman
“Supply Chain Attacks Are The New High Watermark” By Milad Aslaner
“Scaling Soc And Ir Teams To Defend Kubernetes Based Workloads” By Milad Alnaser

Photos for the memory 💚

Quinn Carman, the former NSA red team chief presented a talk on how adversaries are approaching targets and patterns seen across different engagements. Talk: An Attacker’s Perspective

Ira Winkler shared an interesting perspective about today’s industry approach to solving Human Security challenges, and how organizations can improve and address security awareness risks. Talk: Human Security Engineering – A Holistic Approach To Addressing Human Incidents

Lance James speaking about building a Ransomware remediation system. Talk: Disrupting Ransomware

Salah Altokhais giving a talk: “Apt Hunting And The Threat Intelligence Dilemma”

Arwa Alomari presented a talk on data enrichment of IOCs, and automating CTI analysis. Talk: Turbocharging Ioc Validation: Become A More Efficient CTI Analyst

Max Kersten presented an analysis of various wipers attacks in the past years, along with similarities in their development and execution. Talk: “Wipermania: An All You Can Wipe Buffet”

With Chris Roberts!

Our 971Sec Booth, is a UAE-based cyber security community. My favorite security community of all time.

BlackHat MEA venue at night.

Final Thoughts

I would like to thank the Saudi Federation for Cyber Security, Programming, and Drones for bringing BlackHat to the MENA region, and organizing an excellent event.

Till next year!

DoS Attacks are Dead: Demystifying Practical DoS Attacks

2022-12-04T00:00:00-06:00

I recently had the opportunity to speak at BlackHat MEA 2022, the largest security conference in the Middle East and Africa region. My talk, titled “Demystifying Practical DDoS Attacks”, focused on the increasing threat of DoS attacks and the need for improved defense solutions, and to practically validate current DDoS prevention solutions.

In my presentation, I shared my research on practical DoS attacks, including recent Application-Level DoS attacks and evasion techniques. I also discussed the discovery of unique DoS vectors in modern APIs and demonstrated how to simulate the largest Layer 7 DDoS attack that Google Cloud experienced in August 2022.

One of the key points I emphasized in my talk was the need to go beyond traditional volumetric DDoS attacks and focus on the more sophisticated and stealthy Layer 7 attacks. These attacks, which target the application layer of a network, can be harder to detect and mitigate, and can cause significant disruption to businesses and organizations.

I also discussed the importance of developing effective defense solutions and shared some of the techniques and approaches I have been researching in this area. This included discussing the use of machine learning and artificial intelligence to improve the detection and response to DoS attacks.

Overall, my talk was well-received by the audience at BlackHat MEA, and I was happy to have the opportunity to share my research on this important topic.

Talk Abstract

DoS attacks have been a nightmare that increases every day. While the news emphasizes notable Volumetric DDoS Attacks, there is much more to that that is not being publicly highlighted.

In my talk, I will share my research on practical DoS Attacks that I have been researching, Layer 7 DoS attacks and TTPs, and evasion of DDoS Defense Solutions. I’m also discussing the discovery approaches of unique DoS vectors in modern APIs. Lastly, I will run a drill on how to simulate the largest Layer 7 DDoS attack that Google Cloud faced in August 2022 (with a peak of 46M requests per second).

Slides

PDF: DoS Attacks are Dead: Demystifying Practical DoS Attacks - BH MEA 2022.pdf

Shennina Framework - Automating Host Exploitation with AI

2022-11-08T00:00:00-06:00

In 2019, Khaled Farah and I participated in a security competition for developing offensive security tools.

I enjoy building security tools, and this competition was funded by HITB (Hack-in-the-Box) with a reward of $100,000 for the winners. I thought it would be an interesting challenge to work on as a side project.

I met my friend Khalid, he was also interested in winning this competition. We signed up, and once accepted, we started meeting regularly to build this project.

Goals

The HITB CyberWeek AI Challenge had two categories:

Host Exploitation
Malware Evasion

Host exploitation sounds more relevant to our experience. The goal was to build a host exploitation framework using AI, and based on the concept of DeepExploit. The winning team should ideally prove the accuracy of the model, the improvement of the training and execution speed, and the technical features that have been added to the framework.

We started experimenting with DeepExploit, and how it works, and we decided to start a new project based on the ideas we had on how to improve the tool.

This eventually ended up having us develop Shennina, a host exploitation framework that does:

Automatically self-learning reliable exploits
Out-of-Band technique testing for exploitation checks.
Exploits clustering.
Scriptable attack method within the post-exploitation phase.
Automated exfiltration of important data on compromised servers.
Reporting capabilities.
Deception capabilities.
Ransomware simulation capabilities for Windows, macOS, and Linux.
Post exploitation capabilities

The project is 4 times faster than DeepExploit. We were excited about the results.

Demo

Running Exploitation Mode

Running Vulnerability Scanning mode

Deception Detection as a part of Post Exploitation

Shennina comes with a deception detection capability that detects if the machine being exploited is a Virtual Machine or Container, and then terminates post-exploitation once it’s detected. This feature is powered by Metasploit modules.

The Shenina Framework has qualified for the top 5 projects (out of 40 projects). We worked on developing the tool further to prepare for our final demo that will be live at HITB Abu Dhabi 2019.

Unfortunately, the rules of the competition and the judging criteria changed during the demo day.

We enjoyed HITB CyberWeek 2019. It was an amazing journey, and I enjoyed building the Shennina Framework. I also presented my research on JWT hacking at that time - it was a busy week :)

Future of Shennina?

We are planning to open-source the project and the experiment. There are no plans for further maintaining Shennina in the near future.

Special Thanks

I would like to thank Chris P, Chris Roberts, Rami Shaath, and the 971Sec community for their feedback.

I also would like to thank the judges of HITB Cyber Week Abu Dhabi.

Of course, I can’t forget to thank Dhillon Kannabhiran for organizing another excellent HITB conference.

Thanks for reading!

Github Repository: github.com/mazen160/shennina

Scan Terraform plans and changes with tfquery via SQL-powered framework

2022-10-27T00:00:00-05:00

New Release: tfquery now supports SQL queries for Terraform Plan Scanning

In case you’re an Infrastructure security engineer and have not tried tfquery yet, this will be a great blog post for you.

Tfquery is a framework that allows running SQL queries on Terraform code. It’s made to analyze your Terraform infrastructure, locate resources, run security compliance checks, spot misconfigured resources, develop CI benchmarks, and much more.

I developed it to solve an existing problem I’m facing: understanding large infrastructure quickly.

Last year, I spoke at DEFCON about the risks of running Insecure Terraform environments, and how attackers can make use of current Terraform Enterprise environments to compromise the entire infrastructure with normal employee access to Github.

There was no patch or workaround released by HashiCorp to limit external providers or prevent local-exec data sources.

Tfquery support was specific to tfstate. It was able to run SQL queries on the current Terraform workspace state - and also supports multi-workspaces when importing state files.

My plan is to add support for tfplan within tfquery to be able to scan Terraform plans and changes. This allows engineers to write Terraform misconfiguration checks as SQL queries.

semgrep HCL support vs. tfquery

Semgrep announced in October 2021 the support for scanning HCL files. The challenge with semantic scanning of HCL code (a similar approach to what tfsec, checkov, and similar tools are doing) is that it’s limited to non-dynamic HCL code. Terraform is much more complex and without having the final state of rendered infrastructure code, checks would not be as accurate as needed.

Also, you may need to write a logic to make sure that findings are not alerted for a codebase already existing in your Terraform workspace, otherwise, you would be blocking the CI pipeline where a member did not introduce any vulnerable code.

tfquery approach for Terraform Plan scanning

Whenever a PR is created for a Terraform change, you should be able to scan changes through tfquery.

You can now write SQL queries that are much more elegant to:

Check for providers if not matching an allowed list.
Check for wildcard AWS Policies.
Check for new IAM users.
Check for an S3 bucket with versioning not being enabled.
etc…

Try tfquery at: github.com/mazen160/tfquery

Find my DEFCON talk: mazinahmed.net/blog/attacking-terraform-environments

Thanks for reading!

Twitch Internal Security Tools: In-depth Analysis of the Leaked Twitch Security Tools

2022-06-01T00:00:00-05:00

How Twitch was hacked? What security controls did Twitch build?

The Twitch breach revealed more than 120 internal security tools developed by the Twitch security team.

I analyzed all the leaked security tools that were developed by Twitch Security. Check out the full research.

Background

Twitch is an interactive live-streaming service for content, gaming, entertainment, sports, and music. In 2015, Amazon acquired Twitch for $970 million, and after COVID-19 time, its market value skyrocketed as more people adapted live-streaming from home.

On October 6, 2021, it was announced that Twitch suffered a massive data breach that leaked their source-code, internal databases, revenue documents, and payouts documents of their members.

The security tools of Twitch were leaked during the breach. Twitch Security has clearly invested a lot of time and effort in building its security program. This can be seen from the tools published on the Internet; the majority of companies with mature security programs today do not have 50% of what Twitch security internally built over the years.

I analyzed all the security tools written by Twitch security. I thoroughly reviewed the source code, configurations, build config process, and everything that has been leaked and became public knowledge on the Internet within the breach.

In this blog post, I’m analyzing all the security tools that Twitch security built within their security program. I’m also tagging them based on the use case, services, and categories. This research should act as a reference to learn how modern security teams build their programs, and to hopefully get inspired into enhancing currently-running security programs.

At the end of the blog post, I will share my thoughts on the breach, how I feel about it, and what could have been done by Twitch to handle this breach in better ways.

Background
Leaked Tools
Final Thoughts
References

Who Am I?

I’m a cyber security engineer that specializes in AppSec, InfraSec and building security programs. Read more about my previous work at mazinahmed.net. I also built FullHunt.io, Stressful.io, tfquery, and few open-source security tools.

Leaked Tools

1) Tool: agentconn

Description: A simple Go package to open an ssh-agent socket.

Tags: script, package

2) Tool: apache-pf-deb-build

Description: Apache PingFederate Module Deb Package Builder.

PingFederate is an enterprise federation server that enables user authentication and single sign-on. It serves as a global authentication authority that allows employees, customers, and partners to securely access all the applications they need from any device.

This module is a builder for integrating PingFederate with Apache.

Tags: apache, authentication, authorization, pingfederate

3) Tool: AWS-Cloudtrail-Security-Configs

Description: Miscellaneous scripts for configuring AWS cloudtrails

Tags: aws, cloudtrails, config

4) Tool: AWS-Cloudtrail-Security-tform

Description: This is the terraform version of the configuration at AWS-Cloudtrail-Security-Configs.

Tags: terraform, aws, cloudtrails, config

5) Tool: bastion-squid-build

Description: A patch file for Squid config that is used on “Bastions” service.

Tags: squid, config

6) Tool: bastionmetrics

Description: An old script that pushes logs from a service called “Bastions”.

Tags: logging, automation

7) Tool: beholder

Description: An internal Python Flask app for Security to run reports against Jira and Google Sheets to get team program reports and metrics.

It also has a script to login to ECR using AWS aws role-assume with the duration of 900 seconds, and stores secrets within AWS Secrets Manager.

Tags: reporting, automation, google-spreadsheets, jira

8) Tool: beholder-terraform

Description: Configuration for deploying “beholder” project through Terraform.

Tags: terraform, config

9) Tool: cdn_finder

Description: This is a script to take zone files / DNS records, pull the CNAME, and determine what CDNs are in use based on the associated CNAME.

The script has an SSL certificate parser, but the data pulling capability is manual. It has instructions on how to pull DNS records from Infoblox (a cloud product that runs DNS management services), and AWS Route53

Tags: automation, cdn

10) Tool: cfn-templates

Description: Incomplete repository for AWS CloudFormation templates

Tags: aws, cloudformation

11) Tool: cloudflare-lambda

Description: A Lambda that continuously hits CloudFlare API, pulls requests logs, and pushes it to S3.

CloudFlare supports by default automated archiving to S3. It’s not clear why this option was made instead of using the CloudFlare option.

Tags: cloudflare, logging, automation

12) Tool: cloudflare-parsing

Description: A script to parse CloudFlare logs into a format that is easier to read.

It supports two formats, custom JSON format, and another format that is easier to use with AWS Athena.

Tags: aws, athena, cloudflare, logging

13) Tool: cloudflare 2 elasticsearch

Description: A script to push Cloudflare logs from a local machine to Elasticsearch.

Tags: cloudflare, elasticsearch

14) Tool: codename-generator

Description: A script to generate code names through the “pycorpora” Python package.

Tags: miscs

15) Tool: contingent-auth-policies

Description: A repo that stores a single AWS policy.

The policy seems to be permissive and allows actions that can be insecure. Also, it’s set to “*” wildcard resources. It’s not clear who has this policy assigned to.

Tags: aws

16) Tool: credentialchecker

Description: A lambda app that checks for leaked credentials against Twitch for risk calculation purposes. Also called “ Arstotzka”. It takes a list of breach lists (email:password, username:password), and runs the data against Twitch users. It runs manually; not when a user-logged in against the hash, so it’s unclear how passwords are stored internally (is it stored in plain text? that’s why this tool is made possible?).

Tags: passwords, aws, s3, lambda, sqs

17) Tool: credentialchecker-vendor

Description: Vendor packages for credentialchecker build.

Tags: miscs

18) Tool: ctfd

Description: Clone of the CTFd public platform repository.

Tags: ctf

19) Tool: cwijulia-sandbox

Description: A security experiment to evaluate the accuracy of results provided by AWS ECR vulnerabilities feeds.

Part 1: Terraform code is made to set up a network on AWS. It sets up EC2, VPC, route tables, and subnets through Terraform modules. Part 2: It deploys an ECR image that has a vulnerable Cron package. This image will be ideally scanned by AWS ECR. The goal is to find if AWS ECR will report the vulnerable Cron package through its identified vulnerabilities feeds. This process is automated through different scripts.

Tags: research, aws, ecr, terraform, vulnerability

20) Tool: duo_logging

Description: CloudFormation configuration to configure a Lambda to write Duo Security logs to S3.

Tags: duo, lambda, aws, s3, cloudformation

21) Tool: duoauthproxy

Description: Duo Security Authentication proxy - Empty repository.

Tags: duo

22) Tool: duoauthproxy_build

Description: Duo Authentication Security - Build package.

Tags: duo

23) Tool: duoauthproxy-build

Description: Duo Authentication Security - Build package, made for Ubuntu.

Tags: duo

24) Tool: ephemeral cert

Description: A Golang package to generate self-signed TLS certificates and return tls.Certificate object with a default common name to “localhost”.

Tags: tls, certificate, golang

25) Tool: fluxo

Description: A tool to fetch data from an Amazon service that seems to be for threat intelligence, and stores it on Jira and Dynamodb.

Tags: cti, ti, threat-intel, amazon, jira, aws, dynamo

26) Tool: go-audit

Description: Clone of the public go-audit repository.

Tags: golang, miscs

27) Tool: go-audit-build

Description: Build package for go-audit.

Tags: miscs

28) Tool: go-sirtbot

Description: A Slack bot written in Golang - seems incomplete.

Tags: golang, slack, automation

29) Tool: go-squid-duoauth

Description: Squid Go Authentication Helper. Deprecated project.

Tags: golang, duo-security, squid

30) Tool: go-ykpiv

Description: An internal fork of go-ykpiv. go-ykpiv is a Golang interface to manage Yubikeys, including a crypto.Signer & crypto.Decrypter interface.

The changes related to this package are within the build process.

Tags: golang, yubi-keys, crypto

31) Tool: golang-x-crypto

Description: A clone of Golang crypto libraries.

Tags: golang, crypto

32) Tool: gophish-config

Description: Minimal configurations for GoPhish server.

Tags: golang, gophish, config

33) Tool: gravitational-teleport

Description: Clone for Gravitational Teleport, Certificate authority and access plane for SSH, Kubernetes, web applications, and databases.

Tags: golang, kubernetes, teleport, rbac

34) Tool: gsuite-hourly

Description: A script that pulls logs from Google Gsuite every hour, and store it into AWS S3.

Tags: gsuite, s3, logging

35) Tool: homebrew

Description: a Homebrew repository that hosts macOS software distributed by the security team.

Tags: macos, homebrew

36) Tool: hunts

Description: Threat Hunting playbooks. It consists of write-ups of running threat hunt activities for AWS, Duo Implementation, Command and Control activities, reverse TCP tunneling, and general suspicious activities.

Tags: threat-hunting, cti, aws, duo

37) Tool: Inquisitor

Description: A well-architectured secrets discovery tool that can identify secrets within JIRA tickets and Git commits. It also has an integration with alerting via modules, including standard screen logging, email alerting, and creating a ticket on Jira.

Tags: appsec, secret-detection, jira, git, automation

38) Tool: jupyterhub

Description: Shared notebook environment for SIRT.

Tags: jupyter, notebook

39) Tool: lambda-amazonsg

Description: Lambda function to manage security groups within AWS.

Tags: aws, lambda, security-groups

40) Tool: lambda-athenalert

Description: An AWS Lambda function that can automatically run an Athena query and raise an alert if there are any results. It is most useful when run on a cron via CloudWatch events.

Tags: aws, athena, cloudwatch, lambda

41) Tool: lambda-autocert

Description: A lambda function that automates the process of renewing TLS certificates from Let’s Encrypt using Route 53 and the ACME dns-01 challenge.

Tags: aws, lets-encrypt, lambda, tls

42) Tool: lambda-autosg

Description: An AWS Lambda function that can allow for dynamic security group egress rules based on DNS hostnames. It is most useful when invoked as a con job at regular intervals (e.g. 1 minute) to update rules when a DNS record changes.

Tags: aws, lambda, automation, dns

43) Tool: lambda-dogfish-sg

Description: An AWS Lambda function that consumes IP prefix information from Amazon Dogfish and writes them to a specified AWS security group.

Amazon Dogfish seems to be an internal Amazon service.

Tags: aws, lambda, dns, security-groups

44) Tool: lambda-teleportmon

Description: An internal service called “lambda-teleportmon”. It’s unclear on what the purpose of the service is.

Tags: aws, lambda

45) Tool: maxmind-backup

Description: An AWS Lambda function that downloads the latest release of the Maxmind DB, and stores it in S3.

Tags: aws, s3, lambda, maxmind

46) Tool: nabu

Description: Twitch Security internal security scanner. It seems to be a work-in-progress and has not been completed. It’s also unclear what it will cover or detect.

Tags: appsec, security-scanning

47) Tool: naive

Description: A repository for collecting Regular expressions that can be useful in different scenarios. The repository seems empty.

Tags: appsec, regex

48) Tool: netscrape

Description: A repository that hosts Cloudformation config. It’s described as a place to hold source code and other assets for the Netscrape campaign.

Tags: cloudformation

49) Tool: nice

Description: Nice is a suite of security-oriented static analysis tools for Go. It uses go/analysis framework to run static code analysis on Golang code.

Tags: golang, sast

50) Tool: notebook-template

Description: Notebook template for threat hunting

Tags: cti, threat-hunting

51) Tool: notebooks

Description: Another repository of notebooks for threat hunting. It covers machine-level checks, including device encryption, and checks for unmanaged devices.

Tags: cti, threat-hunting

52) Tool: nuget-security

Description: NuGet Package provided by Twitch Application Security.

Uses external project https://github.com/security-code-scan/security-code-scan) and the security rules of https://github.com/dotnet/roslyn-analyzers.

This is a C# and VB.NET static code analyzer that allows the detection of security vulnerabilities, including SQLI, RCE, XSS, etc. It also supports running within the CI pipeline and does its scanning through taint analysis for input data.

Tags: ci, vb.net, c-sharp, static-code-analysis

53) Tool: odds-n-ends

Description: A general repository for Security snippets. It includes one script that pulls SalesForce event logs and dumps logs into S3.

Tags: salesforce, automation, s3

54) Tool: opentoken

Description: This is a Go library that can encrypt and decrypt OpenTokens.

It is based on this RFC: https://tools.ietf.org/html/draft-smith-opentoken-02

OpenToken used to be a popular protocol for transmitting secure tokens.

Tags: opentoken, open-token, auth, golang

55) Tool: organizations-guardduty

Description: A Python script that enables AWS Guardduty, and sends logs into S3, so it can be easily monitored. By default, it’s not a straightforward process to configure this correctly, this script helps automate the majority of steps from enabling the operationalizing of logging for Guarduty.

Tags: aws, guardduty, s3, continuous-monitoring, alerting

56) Tool: osiris

Description: Osiris is a library for building and deploying serverless web apps on Amazon Web Services, with a focus on simplicity and ease of use. It provides a simple way to build the application and tools to deploy it to AWS.

An application built with Osiris is deployed to AWS as a Lambda function and an API Gateway API. Configuration is generated for CloudFormation to define the application resources.

This repository includes configurations for app deployments within Twitch Security.

Tags: osiris, aws

57) Tool: osiris-admin

Description: A bash script to automate the management of osiris.

Tags: osiris, automation

58) Tool: osiris-app

Description: A deployment configuration for osiris.

Tags: osiris, automation

59) Tool: osiris-config

Description: Configuration for deploying Osiris through AWS CloudFormation.

Tags: osiris, automation, cloudformation

60) Tool: osiris-debs3-proxy

Description: Empty repository.

Tags: osiris

61) Tool: osiris-health

Description: Osiris health check script.

Tags: osiris

62) Tool: osiris-pki-server

Description: Internal PKI server that covers Duo Security, and YubiKey

Tags: osiris, duo-security, yubi-key

63) Tool: osiris-registration

Description: This is a Lambda function that automates the registration process for a new Osiris stack instance. It primarily manages the DNS delegation process, subject to the requisite authorization checks (which are stored in a DynamoDB table).

Tags: osiris, aws, lambda

64) Tool: osiris-selfservice

Description: Empty repository.

Tags: osiris

65) Tool: osiris-static-site

Description: CloudFormation template to deploy static sites through Osiris.

Tags: osiris

66) Tool: osiris-update-stack

Description: Lambda function for scheduled updates of the Osiris CloudFormation stack.

Tags: osiris

67) Tool: osiris-v2

Description: A deprecated repository.

Tags: osiris

68) Tool: osiris-yubikey-client

Description: This is the client for the osiris-pki-server, with a focus on issuance of certificates for Yubikeys.

Tags: osiris, yubi-key

69) Tool: ovpnmetrics

Description: This python script scrapes metrics from OpenVPN Access Server (using the local SQLite log database) and writes them to graphite.

Tags: openvpn, graphite

70) Tool: pandora-mvp

Description: An internal project that uses SSM, S3, and EC2 APIs.

Tags: aws, s3, ec2, ssm

71) Tool: pandora-prototype

Description: Testing repository with CloudFormation configuration.

Tags: cloudformation

72) Tool: password-exploration

Description: An experiment that hosts passwords from 000webhoost, antipublic_combo, exploit.in database leaks. It uses AWS Athena and S3 to store datasets. The playbook shows queries to search compromised accounts that were leaked by Twitch employees.

Tags: database-leaks, passwords, aws, athena

73) Tool: rpm-s3

Description: A Clone of https://github.com/crohr/rpm-s3 that is made to work with the newer Python boto3 library.

Tags: rpm, aws, s3

74) Tool: secretsurfer

Description: A secret detection tool that scans for secrets in Git commit history, and reports whenever it finds a secret. It has the capability to validate specific findings for AWS credentials, Slack webhooks, and Twitch 0Auth tokens.

It seems that Twitch has put major efforts into having multiple tools for preventing secrets at scale. This is not the only tool that does secrets detection that was internally developed by Twitch.

Tags: secret-detection

75) Tool: securitycenter-jira

Description: This repository contains Twitch v1.0.0 of the Tenable SecurityCenter-JIRA integration originally written by Tenable Network Security.

The official release by Tenable was v1.1.1, which has been archived and is available in the security/securitycenter-jira-archive repository for historical knowledge.

The project ingests findings from Tenable, and stores it into JIRA tickets for tracking vulnerabilities.

Tags: jira, tenable, security-scanning

76) Tool: securitycenter-jira-archive

Description: An archive of securitycenter-jira.

Tags: jira, tenable, security-scanning

77) Tool: shuffle

Description: Shuffle is a small piece of automation that can make OpenVPN ACL changes. It is useful when a service’s IP addresses change.

It is made of two components:

An AWS Lambda function that runs in response to an SNS trigger. The message from SNS contains details about the service and the change.
A Python script (“shuffle-applier”) that runs on the OpenVPN AS server. It is responsible for the low-level ACL changes.

The Lambda function triggers the applier script via Amazon Systems Manager.

Tags: aws, lambda, openvpn

78) Tool: sift-aws

Description: SIFT AMI for Twitch SIRT. This is a collection of Ansible playbooks that builds and provisions a SIFT workstation.

The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings.

Tags: sift, forensics, ansible

79) Tool: sirt_alerts

Description: A Git repository of SIRT alerts and playbooks. It seems to be categorized according to the MITRE ATT&CK framework. It also covers playbooks for several TTPs on macOS, Windows and AWS.

Tags: mitre, att&ck, ttps, macos, windows, aws, incident-response

80) Tool: sirt_alerts_archive

Description: A Git repository that seems to be an archive of sirt_alerts. It covers a large number of playbooks and incidents detection write-ups.

Tags: mitre, att&ck, ttps, macos, windows, aws, incident-response

81) Tool: sirt_lookup_tables

Description: Several CSV files that acts as a lookup table. It includes files for: TOR exit nodes, URLHAUS malicious urls, Pacu User-Agents, malicious Chrome extensions, and low-reputation IPs.

This seems to be used in threat detection.

Tags: threat-detection, cti, tor, urlhaus

82) Tool: sirt_range_dev

Description: Empty repository.

Tags: empty

83) Tool: sirt-520

Description: sirt-520 contains a single HTML/JavaScript file with no details. Reading the code, it seems to be a malware piece that acts as wormable payloads for pulling contacts from Google Contacts and then sending malware emails. The TTP used here is novel. The URL that is being sent to contacts is an authorization page for Google apps, where the app is authorized to get emails and contacts.

The concept bypasses Google Safe url checks as the url being shared in the email points to https://accounts.google.com.

Tags: phishing, TTP, google-apps, gsuite, exploit

84) Tool: sirt-detection-ec2-instances

Description: This repository contains provisioning scripts that initialize Windows and macOS machines and install detection agents. The detection agents used in the scripts are: CrowdStrike Falcon and Uptycs.

It uses Terraform to deploy the machine, Bash for macOS machines, and Powershell for Windows machines.

Tags: crowdstrike, uptycs, aws, terraform, ec2

85) Tool: sirt-dns_report

Description: This script is made for continuous monitoring purposes of the DNS infrastructure of Twitch. Twitch has a service called “changelog” that contains the DNS records of Twitch, and can be called through a REST API.

The script pulls all the changelog, and sends an alert for changes to Twitch security email that automatically creates a JIRA ticket based on the email.

Tags: jira, email, smtp, dns, infrasec

86) Tool: sirt-gophish

Description: Re-deployable gophish infra for SIRT to run phishing exercises. It also includes Terraform code for deploying gophish with all the required configuration.

Tags: gophish, phishing, golang, terraform

87) Tool: sirt-jira-issue-escalator

Description: A Lambda function that pulls data from JIRA through a JQL query that fetches tickets not marked as “Done”, and then pushes metrics to CloudWatch.

Tags: cloudwatch, jira

88) Tool: SIRT-JiraBot

Description: JiraBot is modeled after Dropbox’s SecurityBot https://github.com/dropbox/securitybot.

It includes JQL queries, interactive messages for Slack.

The purpose of the tool is to allow interaction with security projects on JIRA. It runs on AWS Lambda.

Tags: jira, securitybot, slack, aws, lambda

89) Tool: sirt-jirahandler

Description: An incomplete project. It manages Jira tickets through the Jira Python library.

Tags: jira

90) Tool: sirt-misp-cdk

Description: CloudFormation port of a MISP deployment in Pulumi. A work-in-progress project.

Tags: pulumi, cloudformation

91) Tool: sirt-pulumi

Description: A customized version of https://github.com/MISP/misp-docker.

Tags: misp, docker, pulumi

92) Tool: sirt-report

Description: A script that pulls open incidents from JIRA and sends it as an email to Twitch security team as a report.

Tags: jira, incident-response, reporting

93) Tool: sirtbot

Description: A Slack bot that is based off a fork of https://github.com/lins05/slackbot.

Tags: slack

94) Tool: SIRTGuardDutyRole-cloudformation

Description: A cloudformation config to enable Twitch SIRT to access GuardDuty in the target account.

Tags: aws, guardduty, cloudformation

95) Tool: sirtjira

Description: Another library to interact with Jira. It has the capability to create issues, manage issues, add comments, and other similar features.

Tags: jira

96) Tool: sirtlib

Description: An automation Python library to interact with Splunk, Uptycs, Amazon Anamoli (Internal Amazon Security service), and Salesforce IDM.

Tags: python, splunk, amazon, salesforce, uptycs

97) Tool: slaughter_bot

Description: An automation bot that can send emails, pull open risks and incidents from Jira, and put them into Spreadsheet.

Tags: spreadsheet, jira, email

98) Tool: sonarvet

Description: A report parser for SonarQube written in Golang.

Tags: sonarqube

99) Tool: spark_from_athena_uptycs

Description: A script to generate queries for AWS Spark and AWS Glue. It seems to use AWS Athena and Uptycs for the queries.

Tags: aws, athena, aws-athena, aws-spark, aws-glue, uptycs

100) Tool: splunk-hec-go

Description: Splunk HEC Golang Library. It’s a forked version of https://github.com/fuyufjh/splunk-hec-go.

Tags: splunk

101) Tool: splunk-saved-searches

Description: Repository to manage the configuration for saved searches/alerting in Splunk to be integrated with an automated deployment lambda function.

Tags: splunk, incident-response

102) Tool: squidmetrics

Description: Squid statsd publisher. This python script scrapes metrics from Squid (using the local manager interface) and writes them to statsd/statsite.

Tags: squid, metrics

103) Tool: ssm-logging-enrollment

Description: ssm-logging-enrollment. A simple script to enable CloudWatch logging for SSM session manager.

Tags: aws, cloudwatch, ssm, session-manager, logging

104) Tool: subdomain_checker

Description: Subdomain Takeover Checker. Check if a list of sites is vulnerable to an S3 Bucket or Cloudfront CNAME Hijack.

It has a feature to automatically claim vulnerable CloudFront and AWS S3 buckets that are not publicly claimed.

Tags: aws, subdomain-takeover, s3, cloudfront

105) Tool: tails

Description: Empty repository.

Tags: empty

106) Tool: takeover_check

Description: SIRT Takeover DNS Checker. Sweeps across domains to find subdomain takeover vulnerabilities.

It checks for AWS Beanstalk, CloudFront, S3, and signs of misconfiguration.

Tags: aws, cloudfront, s3, subdomain-takeover

107) Tool: teleport

Description: Teleport configuration repository.

Tags: teleport

108) Tool: teleport-configuration

Description: Teleport Configuration. This repository contains configuration files in YAML format for Teleport.

Tags: teleport

109) Tool: teleport-dashboard

Description: Teleport dashboard.

Tags: teleport

110) Tool: teleport-dns-guardian

Description: Teleport DNS Guardian. A small Python utility intended to be run as an AWS Lambda function. It can be used as part of a DNS round robin load balancing setup to keep the list of IPs in the DNS record updated based on Consul. It’s best to run once per minute.

Tags: teleport

111) Tool: teleport-enterprise-build

Description: Teleport Enterprise package builder.

Tags: teleport

112) Tool: teleport-remote

Description: This includes the components to build and manage remote Teleport clusters.

Tags: teleport

113) Tool: teleport-util

Description: This contains utilities used for managing or automating the Teleport deployment at Twitch.

Tags: teleport

114) Tool: terraform

Description: Security-related Terraform configuration.

Tags: terraform

115) Tool: tf-asg

Description: A Terraform module to create and manage autoscalling group.

Tags: terraform

116) Tool: tf-lambda-dogfish-sg

Description: Terraform module to manage “dogfish” project.

Tags: terraform

117) Tool: tf-teleport

Description: Terraform module for setting up teleport.

Tags: terraform

118) Tool: tf-teleport-auth-lb

Description: Terraform module that creates a network loadbalancer for Teleport auth service.

Tags: terraform

119) Tool: tf-teleport-dns-guardian

Description: Terraform module for setting up a lambda function to manage Teleport’s DNS round robin records.

Tags: terraform

120) Tool: threat-modeling

Description: A repository that hosts a threat-modeling diagram built with PlantUML about a portion of Twitch threat-model.

Tags: threat-modeling

121) Tool: tshproxy

Description: This is a shim meant to wrap tsh and ssh for use in a ProxyCommand. It primarily exists to automatically install or renew an SSH certificate if it is expired or doesn’t exist.

Tags: ssh, proxy

122) Tool: twitch-bastion-util

Description: This script will automate the client-side configuration steps process for the Twitch Bastion (an internal service). Specifically, it will install the Teleport client software and configure the ssh client to access production via a bastion host.

Tags: teleport

123) Tool: twitch-glitch-bot

Description: Slack bot that interacts with Jira, Slack and PagerDuty.

Tags: pagerduty, slack, jira

124) Tool: twitch-public-s3-bucket

Description: A CloudFormation template that provisions an internal S3 bucket.

Tags: s3, aws, cloudformation

125) Tool: TwitchyOmega

Description: A forked version of https://github.com/FelisCatus/SwitchyOmega.

Tags: proxy, SwitchyOmega, chrome, chrome-extension

126) Tool: UbuntuVulnData

Description: A report parser tool that contextualizes vulnerability reports on Ubuntu AMIs that are not enriched with additional vulnerability details.

Tags: vulnerability-management

127) Tool: vacation-calendar

Description: A Google Suite App that syncs team calendar when a member takes a vacation.

Tags: google-suite, gsuite, automation, productivity

128) Tool: wireguard-gateway

Description: Wireguard gateway: a framework to setup a full Wireguard infrastructure on AWS.

Tags: wireguard

129) Tool: yeti-infra

Description: An incomplete project. It’s a Terraform module for deploying YETI project for threat-intelligence.

Tags: terraform, threat-intelligence

Final Thoughts

Twitch Security invested thousands of hours in building its security tools and security program. I consider the tools developed internally to be advanced, well-thought and has done with excellent use-cases. At the time of writing the blog post, Twitch has not released a postmortem yet about the Twitch breach, how it happened, and technical details about the breach.

Although the leaked security data covers the tools, it doesn’t cover the security architecture and the security program details. It’s hard to come up with a definite conclusion of how the breach could have happened.

I can see that there is less focus on the tools for Identity Management and Access Control. Also, I can not see tools or references for the Security automation of SAST to scan the CI pipeline. Assets Discovery is done well, but I can not see AWS-related checks for AWS Policies and Role-Based access validation.

The continuous security scanning from an AppSec perspective seems limited from seeing the developed tools. It’s possible that Twitch is running COTS tools instead of building their tools internally, but this also is not clear, as I haven’t seen ingestion for commercial DAST tools.

The Twitch breach acts as a reality check on organizations and companies that are building their security program. The possibility of a breach is always there, organizations can take the next step and work in “assume-breach” playbooks and build additional security controls for their security program.

About FullHunt.io

FullHunt is the Next-Generation Attack Surface Management Platform. FullHunt enables companies to discover all of their attack surfaces, monitor them for exposure, and continuously scan them for the latest security vulnerabilities and risks. We help companies around the world in securing their external attack surface using our technologies that are scanning millions of Internet-connected assets and cloud resources.

Are you an enterprise that is looking to build security for their External Attack Surface? Please reach out to us at fullhunt.io, and we will be happy to solve your challenges.

References

https://www.bbc.com/news/technology-58817658
https://www.theverge.com/2021/10/6/22712365/twitch-data-leak-breach-security-confirmation-comments
https://www.nytimes.com/2021/10/06/technology/twitch-data-breach.html

Attacking Modern Environments Series: Attack Vectors on Terraform Environments

2022-01-29T00:00:00-06:00

I have given a talk about my latest research, “Attack Vectors on Terraform Environments”.

About the talk

Ever come across an environment in an engagement that uses Terraform for IAAC (infrastructure-as-code) management? Almost every modern company does now.

In this talk, I will be sharing techniques and attack vectors to exploit and compromise Terraform environments in engagements, as well as patterns that I have seen that achieve successful infrastructure takeover against companies. I will be also covering detection and prevention methods for each attack vector discussed in my talk.

This is part of my work-in-progress research in cloud security and attacking modern environments.

Recorded Talk

Watch on Youtube

Download: Slides (PDF)

Download: Slides (PPTX)

Interview With the AppSec Podcast: Terraform Security

2021-10-17T00:00:00-05:00

I did an interview with the AppSec Podcast to talk about IAC and Terraform. We discussed Terraform, why IAAC is important to your organization, technical risks brought when running Terraform on your environment, and few discussions related to my DEFCON talk about Attack Vectors on Terraform Environments.

Listen to the Podcast

Watch on Youtube

Listen on Spotify

Listen on Apple Podcast

tfquery: Run SQL queries on your Terraform infrastructure

2021-04-28T00:00:00-05:00

Have you ever tried analyzing Terraform environment with thousands of cloud resources for security and DevOps? It’s used to be hard, until now!

I’m open-sourcing my newest project, tfquery: a framework that allows running SQL queries on Terraform code. It saved me dozens of hours in analysis.

Tfquery is made to help in answering questions that are hard to answer about your infrastructure-as-code. It allows querying resources and analyzing its configuration using a SQL-powered framework.

I built it out of a real-world problem where I need to understand an extremely large Terraform environment. Has been highly helpful in making work easier.

This is a starting point for an awesome project. Feel free to read more at the Github repository.

Github Repository: https://github.com/mazen160/tfquery

DDoS is not Dead: Building a Scalable DDoS Framework

2021-04-13T00:00:00-05:00

Abstract

I’m releasing my latest project, Stressful.io, an advanced DDoS framework for testing DDoS defenses at scale. I’m also providing a fully free simulation to non-profit organizations and startups focused on privacy and digital rights.

I have always been fascinated by DDoS attacks. You may have the most sophisticated defenses, yet, your organization can be directly affected by a DDoS attack that takes down your payment gateway for 3 hours. DDoS attacks are a real concern that needs to be put on the organization’s radar, not on a postmortem after an attack happens.

Time is Money, Especially on Downtime

The cost of downtime is high and expensive for businesses, and it varies from one industry to another. A payment gateway processor downtime can affect many customers that solely rely on the payment gateway to operate. An hour’s downtime costs millions of dollars in losses.

The same goes for an E-Commerce website, some E-Commerces have more than 30% of their revenue coming from Black Friday each year. A DDoS attack that disrupts users from making purchases on Black Friday can cause major losses for the E-commerce business.

Furthermore, when a DDoS attack hits a SAAS platform and causes an outage, it will indirectly disrupt thousands (if not millions) of businesses and people’s lives around the world. Think of this as your day-to-day email provider, a CDN that delivers JavaScript for your websites, or even Google Docs that I’m using to write this blog post.

ProtonMail DDoS Attack Changed My Perspective

Back when I was working at ProtonMail, I had the opportunity to witness one of the largest attacks that happened in Europe in 2015 1 and 2018 2. These attacks were devastating and changed my perspective on DDoS attacks and their effectiveness.

ProtonMail security has some of the most talented people that I have had the chance to work with. I can’t imagine how this attack could have been handled without the work of all the amazing ProtonMail team.

We had built up awesome technologies to prevent attacks that could breach the data of ProtonMail, yet, a massive DDoS attack allowed attackers to disrupt the availability of ProtonMail to users. A DDoS attack is not capable of risking the security nor the privacy of ProtonMail, but it was effective to put us in a stressful situation to fight back and return the services back to normal.

If there is a main lesson I learned from this experience is DDoS simulations matter. If we simulate a DDoS attack with similar capabilities and TTPs (tactics, techniques, and procedures), we would be prepared and possibly more ready to handle an attack with this size. Putting DDoS and availability risks on the map became important for me when building a security program of any size.

Building the Dream Product: Stressful Framework

I explored the current market and haven’t found a professional service that satisfies my vision of what should be available to companies. My vision is clear: as a customer, I want to have a trusted platform where I can consult for verifying the existing DDoS defenses, to show me what’s wrong based on research and proven tests, and to show me how to patch weaknesses.

Trusting a security vendor blindly is always a bad idea, companies in the market can easily sell snake oil, promising 100% protection. Without verification testing, I do not trust a security product in preventing attacks.

When I didn’t find a solution, I started the journey of building Stressful.io.

Researching TTPs

The most difficult part in having this project come to reality was the research part. I started collecting repositories and historical archives for attacks that have been witnessed in the past 15 years. I also monitored darknet sources for new trends and techniques. Every new research that involves DDoS attacks has been passionately reviewed and analyzed, and I built up a lab in the cloud to replicate attacks and rate researches and techniques I have been seeing.

I also reverse-engineered tools published in the black market that are being used to conduct active attacks. I studied TTPs of different groups and built up my internal knowledge-base for everything related to DDoS attacks.

This was majorly a side project that I have been imagining over the years, and in 2020, I took serious focus to complete the product.

Quality vs. Quantity Attacks

One factor that the market is fully relying on measuring the complexity of DDoS attacks is the total quantity the threat group was able to generate against the target. The thing is, generating traffic today is much easier than before. A 50 GBPS DDoS attack today is much easier to generate than 10 years ago, where the cloud era wasn’t as huge as before. Infrastructure deployment 10 years ago wasn’t as accessible as today. Today, Infrastructure-as-code became the de-facto for deploying a fully scalable infrastructure within minutes. The same goes for defense, mitigating quantity DDoS attacks became much better over the years with cloud and CDN providers.

On the other side, DDoS attacks that focus on Application-layer exploitation were being dismissed by most deployments I have personally reviewed over the years. Additionally, DoS vectors that exploits and abuses a security vulnerability of a given product or application are patterns that I have been seeing.

Application-layer DDoS attacks are harder to defend, much difficult to understand, and most security vendors do not protect against them. If a security vendor claims to protect against Application-layer DoS attacks, I would be happy to provide a demo to showcase all their weaknesses using the Stressful.io framework.

Stressful.io Architecture

I’m planning to release technical documentation in the future about the architecture I built for Stressful.io that fully relies on being cloud-native to scale.

After building the app on Stressful.io, I integrated the CD pipeline with Terraform to deploy the infrastructure used in simulations. I have built the integration with Microsoft Azure, Amazon AWS, and there will be an integration with Google Cloud soon.

Engine

Language of Choice?

I wrote the framework in Golang as I have been seeing great potential for DDoS in Golang. The networking API in Golang is much reliable, and the concurrency and state management in projects are much promising. Golang is the future for scalable and resource-extensive applications. I have been doing benchmarks on the Stressful, and I’m impressed by various features Golang allows and provides.

Modules

I have built modules to support attacks for different vectors.

This is an example of modules I have been building in the framework:

HTTP SlowPost Attack
HTTP Slowloris attack (GET)
HTTP Web Cache-Poisoning Attack
HTTP SlowLoris (Infinite Headers)
Amazon AWS Denial of Wallet Attacks
Microsoft Azure Denial of Wallet Attacks
HTTP/2 DoS Attacks
HTTP DoS via Headless Browsers
WordPress Resource Exhaustion
HTTP Hash Collision Attack
HTTP Memory Exhaustion
Xerxes Attack
SOAP XML Quadratic Blowup Attack
SOAP XML Billion Laughs Attack
HTTP Keep-Alive Flood Attack
HTTP Unlimited Downloads
HTTP GET Flood
HTTP SlowPost (Infinite Uploads)
HTTP HULK Attack
MySQL Resource Exhaustion

This is just part of the modules I have developed. I also develop modules based on specific use-cases and scenarios. Lastly, I will be also keeping an up-to-date arsenal for DoS attacks and modules on the framework.

What’s next?

Contact me on info@Stressful.io to get a free consultation demo for your organization. I’m also providing a fully free simulation to non-profit organizations and startups focused on privacy and digital rights.

Interested in DDoS capabilities for your company? Let’s have a chat and see how I can help!

Are you a researcher interested in the DDoS market and DDoS defenses?

Let’s connect and share thoughts. My contact details are available on the website.

Mazin Ahmed

Secrets Patterns DB: Building Open-Source Regex Database for Secret Detection

Regular Expressions

Shannon’s Entropy Checks

We’re doing Regex scanning wrong. Let’s fix this, together

For Trufflehog v2

For Gitleaks

Project: github/mazen160/secrets-patterns-db

License

Speaking at BlakcHat MEA 2022

My Talk

What I liked at BlackHat, and why you should apply next year

Awesome talks

Photos for the memory 💚

Final Thoughts

DoS Attacks are Dead: Demystifying Practical DoS Attacks

Talk Abstract

Slides

Shennina Framework - Automating Host Exploitation with AI

Goals

Demo

Running Exploitation Mode

Running Vulnerability Scanning mode

Deception Detection as a part of Post Exploitation

Future of Shennina?

Special Thanks

Github Repository: github.com/mazen160/shennina

Scan Terraform plans and changes with tfquery via SQL-powered framework

semgrep HCL support vs. tfquery

tfquery approach for Terraform Plan scanning

Try tfquery at: github.com/mazen160/tfquery

Twitch Internal Security Tools: In-depth Analysis of the Leaked Twitch Security Tools

Background

Table of Contents

Who Am I?

Leaked Tools

Final Thoughts

About FullHunt.io

References

Attacking Modern Environments Series: Attack Vectors on Terraform Environments

About the talk

Recorded Talk

Watch on Youtube

Download: Slides (PDF)

Download: Slides (PPTX)

Interview With the AppSec Podcast: Terraform Security

Listen to the Podcast

Watch on Youtube

Listen on Spotify

Listen on Apple Podcast

tfquery: Run SQL queries on your Terraform infrastructure

Github Repository: https://github.com/mazen160/tfquery

DDoS is not Dead: Building a Scalable DDoS Framework

Abstract

Time is Money, Especially on Downtime

ProtonMail DDoS Attack Changed My Perspective

Building the Dream Product: Stressful Framework

When I didn’t find a solution, I started the journey of building Stressful.io.

Researching TTPs

Quality vs. Quantity Attacks

Stressful.io Architecture

Engine

Language of Choice?

Modules

What’s next?

Are you a researcher interested in the DDoS market and DDoS defenses?