CyberArk, a cybersecurity company, launched an open-source tool to identify shadow Admin accounts in AWS (Amazon Web Services) and Microsoft Azure clouds. The tool will help organizations that use the cloud, detect and prevent Shadow Admins through targeting and securing the legitimate Admins in AWS and Azure.
Shadow Admins gain access to privileged information and are usually overlooked because they do not register as members of the Active Directory group. They are not easily detected because their permissions are directly assigned.
Attackers like using Shadow Admins because they provide access to high-profile environments while registering as low-profile accounts.
Simplifying a difficult task
Organizations may know who the admins are, but finding out who Shadow Admins are is much harder. In a complex environment, thousands of permission parameters exist, and knowing who has which permissions can be a challenge.
For example, AWS and Azure have over 5000 permissions each. A large number of permissions and the capabilities needed to monitor who gets what permissions is why the attackers can infiltrate high-profile access without being detected.
Attackers can give themselves full admin rights just by activating one permission. CyberArk named this tool SkyArk. It comes in two versions; AzureStealth and AWSStealth. The modules can be used to scan AWS and Azure cloud environments.
A handy security tool
The only permissions you give this tool are read-only. The task it undertakes, involves the querying of cloud entities and the assigned permissions of each, before analyzing the collected data and outputting the results.
Both red and blue teams can access the results for use in their respective fields. Red teams can use the results to test the strength of the system, and target Shadow Admin accounts through phishing, password matching, or targeted attacks.
Blue teams can use the results to plan defense. Everyone wins.