25 Oct 2024

Permiso, the pioneer in real-time identity security, released SkyScalpel, an open-source tool that helps both offensive and defensive security professionals understand how policies could be obfuscated by threat actors in order to go undetected in an environment.

JSON-based policies in cloud environments, particularly in AWS, dictate what resources users and systems can access and the actions they can perform. However, these policies can be susceptible to obfuscation—a technique where bad actors manipulate the policy’s syntax and semantics to hide their true intentions. This makes it difficult for security teams to detect and prevent unauthorised access effectively.

Obfuscation techniques

Some obfuscation methods are detectable in runtime events during yield but sanitised upon storage

Obfuscation of cloud policies, remote administration command scripts and various permissions parameters are an often-overlooked attack vector with implications at several stages of the detection engineering pipeline. 

Threat actors can utilise obfuscation in their policies such that "Allow" becomes "Al\u006Cow" and "iam:PassRole" becomes "iam:P*ole.” Some obfuscation techniques are detectable in runtime events during creation but silently sanitised upon storage and/or later retrieval by corresponding APIs. 

Obfuscation scenarios 

Other techniques persist into the storage of created entities (e.g., IAM policies). These obfuscation scenarios can evade string-based detections, break policy rendering pages in Management Consoles, and even selectively overwrite policy contents of an attacker's choosing based on the defender's viewing method.

Additionally, we identified subtle differences between official cloud provider tooling (CLI, SDKs, Management Console) that further facilitate and complicate the generation and detection of these obfuscation scenarios.

Cloud environments

SkyScalpel addresses this issue by providing a robust solution for scanning, analysing

SkyScalpel addresses this issue by providing a robust solution for scanning, analysing, and normalising obfuscated policies. It ensures that security teams can quickly identify and rectify policies that may compromise the security of their cloud environments. 

Given a policy containing some obfuscation, the custom tokeniser parses and decodes the syntactical obfuscation techniques - enabling access to the underlying values while still preserving the original values for comparison (or reassembly of the original input policy).

Obfuscated JSON documents

SkyScalpel will help teams detect obfuscated JSON documents, with additional rules and de-obfuscation capabilities targeting numerous syntactical and logical evasions that affect IAM policies (and the plethora of runtime events that contain policy statements),” said Permiso Principal Threat Researcher Daniel Bohannon. 

Attackers employing these obfuscation techniques can quite effectively evade traditional string-based detections, with some techniques persisting after JSON deserialisation."

Azure and AWS environments

Bohannon added: "SkyScalpel also includes a full obfuscation suite of functions so red teams can automate the multi-layer obfuscation of any input JSON document with additional obfuscation techniques applied to IAM policies to more thoroughly test an organisation’s defences against such evasion techniques.”

Permiso has launched several other open-source tools within the past year, including CloudGrappler, which helps security teams quickly detect threat actors in their Azure and AWS environments, as well as YetiHunter, a tool that combines several Indicators of compromise in Snowflake environments.