
Permiso, the pioneer in real-time identity security, has released a suite of three open-source tools that help security teams bolster their detection capabilities for a variety of different attacks.

The P0 Labs team, the threat research arm of Permiso, has launched a total of ten open-source tools to date, developed from its ongoing threat research and observations of real-world attacks.

YetiHunter, CloudGrappler

Earlier in 2024, Permiso launched YetiHunter, an open-source tool that detects indicators of compromise in Snowflake environments.

They also released CloudGrappler, which queries high-fidelity, single-event detections related to well-known threat actors in popular cloud environments such as AWS and Azure.

Detection capabilities and rules

Permiso, composed of former FireEye/Mandiant staff, has developed over 1,400 detection rules in their product as a result of their ongoing threat research.

A subset of these rules has been incorporated into a multitude of open-source projects that allow security teams to uplevel their detection capabilities in a variety of different environments.

Cloud detection

“The learning curve for detection in the cloud is steep, and our goal is to help security teams bolster their detections across their cloud environments without having to purchase commercial software solutions like a SIEM,” said Permiso Co-Founder and Co-CEO, Jason Martin.

He adds, “We are committed to providing resources that can help the broader security community defend against the TTPs of modern threat actors.”

DetentionDodger

In the suite of projects is DetentionDodger, which finds identities with leaked credentials and assesses their potential impact.

DetentionDodger will list all the identities with a Quarantine Policy (version 1-3) and look for failed policy attachments of a Quarantine Policy in CloudTrail Logs to generate a list of users with leaked credentials.

It also lists all the inline and attached policies of the user and each group it is part of to determine the impact based on privileges.
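The detection logic described above, as an added illustration rather than DetentionDodger's own code: scan CloudTrail records for attachments of an AWS compromised-key quarantine policy and flag the ones that failed, since a failed attachment means the key was judged leaked but is still unrestricted. The quarantine policy names, the CloudTrail field layout and the sample records are assumptions constructed for this example.

```python
import json

# Managed policies AWS attaches when it detects a leaked access key; the page
# says DetentionDodger covers versions 1-3. Names are assumed for this example.
QUARANTINE_POLICIES = {
    "AWSCompromisedKeyQuarantine",
    "AWSCompromisedKeyQuarantineV2",
    "AWSCompromisedKeyQuarantineV3",
}

# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "ci-deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"},
     "errorCode": "LimitExceeded",
     "errorMessage": "Cannot exceed quota for PoliciesPerUser: 10"},
    {"eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV3"}},
    {"eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
     "errorCode": "AccessDenied"},
]


def parse_cloudtrail(text):
    """CloudTrail log files carry their events in a top-level 'Records' list."""
    return json.loads(text).get("Records", [])


def quarantine_policy_name(policy_arn):
    """Return the quarantine policy name if the ARN is one, else None."""
    name = policy_arn.rsplit("/", 1)[-1]
    return name if name in QUARANTINE_POLICIES else None


def find_leaked_credential_users(records):
    """Map user name -> quarantine attachment details.

    Any quarantine attachment means AWS judged the user's key leaked; a
    failed one (errorCode present) means the key is leaked AND unrestricted.
    """
    findings = {}
    for rec in records:
        if rec.get("eventName") != "AttachUserPolicy":
            continue
        params = rec.get("requestParameters") or {}
        policy = quarantine_policy_name(params.get("policyArn", ""))
        user = params.get("userName")
        if not policy or not user:
            continue
        findings[user] = {"policy": policy,
                          "attach_failed": "errorCode" in rec,
                          "error": rec.get("errorCode")}
    return findings
```

Users flagged with `attach_failed` are the ones to review first; the impact step the text describes would then enumerate their inline, attached and group policies.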

BucketShield

BucketShield is a monitoring and alerting system built for AWS S3 buckets and CloudTrail logs. It ensures the consistent flow of logs from AWS services into S3 buckets and mitigates potential misconfigurations that could interrupt log collection.

With real-time tracking of IAM roles, KMS configurations, and S3 log flows, BucketShield ensures that every critical event is recorded, and your cloud remains audit-ready.

CAPICHE Detection Framework

Finally, CAPICHE Detection Framework (Cloud API Conversion Helper Express) is an open-source tool designed to simplify each step of the cloud API detection translation pipeline.

It enables any defender to instantly create a multitude of different detection rules from groupings of APIs, even if the complete API names are unknown.

Bolstering defences

“The collection of these three tools helps security teams immediately hone their detections and bolster their defences against a variety of cloud-based attacks,” said Principal Threat Researcher, Daniel Bohannon.

He adds, “This isn’t just to help better defend against future attacks but addresses key attack vectors in their environments that could be indicative of past or present compromise.”
