SaaS Attack Matrix Tool

Tools:

GitHub - pushsecurity/saas-attacks: Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown

Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown - pushsecurity/saas-attacks

github.com

Summary:

The attached tool created and maintained by Push Security is a detailed mapping of various tactics and techniques used by adversaries during cyber attacks, aligned with the MITRE ATT&CK framework. The table is organized by different tactics (e.g., Reconnaissance, Initial Access, Execution, Persistence, etc.) and lists specific techniques used under each tactic. Here’s a summary:

1. Reconnaissance:
• Techniques include SAML enumeration, subdomain tenant discovery, slug tenant enumeration, DNS reconnaissance, and username enumeration. These methods help attackers gather information about the target's systems and environment.
2. Initial Access:
• Methods listed include consent phishing, poisoned tenants, SAMLjacking, account ambushing, credential stuffing, app spraying, email phishing, IM phishing, IM user spoofing, nOAuth, MFA fatigue, device code phishing, hijack OAuth flows, AiTM phishing, and device enrollment. These techniques are used to gain initial entry into the target system.
3. Execution:
• Techniques such as shadow workflows, OAuth tokens, client-side app spoofing, device code phishing, and device enrollment are used to execute malicious code or activities once initial access has been gained.
4. Persistence:
• Methods like API keys, OAuth tokens, evil twin integrations, malicious mail rules, link sharing, system integrations, ghost logins, client-side app spoofing, inbound federation, and device enrollment help attackers maintain their presence within the target system.
5. Privilege Escalation:
• Techniques such as link backdooring and abuse of existing OAuth integrations are used to gain higher privileges within the system.
6. Defense Evasion:
• Techniques listed include API keys, OAuth tokens, evil twin integrations, malicious mail rules, link sharing, system integrations, ghost logins, client-side app spoofing, and session cookie theft. These methods help attackers avoid detection and continue their activities.
7. Credential Access:
• Methods like password scraping and API secret theft are used to obtain credentials, allowing further access and control over the system.
8. Discovery:
• Techniques such as email discovery, app directory lookup, and OAuth token enumeration help attackers identify valuable information and additional targets within the system.
9. Lateral Movement:
• Techniques include link backdooring, abuse of existing OAuth integrations, API secret theft, passwordless logins, account recovery, in-app phishing, automation workflow sharing, SAMLjacking, inbound federation, and session cookie theft. These methods allow attackers to move laterally across the network, expanding their control.
10. Exfiltration:
• Methods listed include takeout services, webhooks, shadow workflows, IM user spoofing, and session cookie theft. These techniques are used to extract valuable data from the target system.

This tool provides a comprehensive overview of the various techniques used by attackers at different stages of an attack, helping cybersecurity professionals understand and mitigate these threats effectively.

Attack Specifics:

1. Reconnaissance
1. SAML enumeration: Attackers enumerate Security Assertion Markup Language (SAML) to identify valid user accounts.
2. Subdomain tenant discovery: Attackers discover subdomains associated with different tenants within a SaaS application to identify targets.
3. Slug tenant enumeration: Attackers enumerate tenant-specific slugs in URLs to discover valid tenants.
4. DNS reconnaissance: Attackers use DNS queries to gather information about the target’s network and services.
5. Username enumeration: Attackers identify valid usernames through direct queries or error messages.
2. Initial Access
1. Consent phishing: Attackers trick users into granting OAuth permissions to malicious applications.
2. Poisoned tenants: Attackers compromise tenant configurations to introduce malicious elements.
3. SAMLjacking: Attackers hijack SAML assertions to gain unauthorized access.
4. Account ambushing: Attackers create accounts that mimic legitimate ones to gain trust and access.
5. Credential stuffing: Attackers use previously stolen credentials to gain unauthorized access.
6. App spraying: Attackers attempt to gain access by spraying common passwords across multiple accounts.
7. Email phishing: Attackers use phishing emails to trick users into divulging credentials or installing malware.
8. IM phishing: Attackers use instant messaging platforms to conduct phishing attacks.
9. IM user spoofing: Attackers impersonate legitimate users on instant messaging platforms.
10. nOAuth: Attackers exploit misconfigured OAuth implementations to gain access.
11. MFA fatigue: Attackers overwhelm users with multi-factor authentication requests to trick them into approving access.
12. Device code phishing: Attackers trick users into entering device codes on malicious websites.
3. Execution
1. Shadow workflows: Attackers create hidden workflows to execute malicious actions.
2. OAuth tokens: Attackers steal or misuse OAuth tokens to gain unauthorized access.
3. Client-side app spoofing: Attackers create malicious applications that mimic legitimate ones.
4. Device enrollment: Attackers enroll malicious devices to gain access.
4. Persistence
1. API keys: Attackers steal or misuse API keys to access services.
2. OAuth tokens: Attackers steal or misuse OAuth tokens to gain unauthorized access.
3. Evil twin integrations: Attackers create malicious integrations that mimic legitimate ones.
4. Malicious mail rules: Attackers create mail rules to forward or delete specific emails.
5. Link sharing: Attackers share malicious links to compromise systems.
6. System integrations: Attackers exploit integrations between systems to move laterally.
7. Ghost logins: Attackers maintain persistent access through unnoticed logins.
8. Client-side app spoofing: Attackers create malicious applications that mimic legitimate ones.
9. Inbound federation: Attackers exploit federated identity systems to gain access.
10. Device enrollment: Attackers enroll malicious devices to gain access.
5. Privilege Escalation
1. Link backdooring: Attackers create backdoors through malicious links.
2. Abuse existing OAuth integrations: Attackers exploit legitimate OAuth integrations for unauthorized access.
3. Evil twin integrations: Attackers create malicious integrations that mimic legitimate ones.
4. Malicious mail rules: Attackers create mail rules to forward or delete specific emails.
5. Link sharing: Attackers share malicious links to compromise systems.
6. System integrations: Attackers exploit integrations between systems to move laterally.
6. Defense Evasion
1. API keys: Attackers steal or misuse API keys to access services.
2. OAuth tokens: Attackers steal or misuse OAuth tokens to gain unauthorized access.
3. Evil twin integrations: Attackers create malicious integrations that mimic legitimate ones.
4. Malicious mail rules: Attackers create mail rules to forward or delete specific emails.
5. Link sharing: Attackers share malicious links to compromise systems.
6. System integrations: Attackers exploit integrations between systems to move laterally.
7. Ghost logins: Attackers maintain persistent access through unnoticed logins.
8. Client-side app spoofing: Attackers create malicious applications that mimic legitimate ones.
9. Device code phishing: Attackers trick users into entering device codes on malicious websites.
10. Session cookie theft: Attackers steal session cookies to hijack user sessions.
7. Credential Access
1. Password scraping: Attackers extract passwords from various sources.
2. API secret theft: Attackers steal secrets used in API communications.
8. Discovery
1. Email discovery: Attackers discover email addresses to use in further attacks.
2. App directory lookup: Attackers explore application directories for information and vulnerabilities.
3. OAuth token enumeration: Attackers enumerate OAuth tokens to find valid ones.
9. Lateral Movement
1. Link backdooring: Attackers create backdoors through malicious links.
2. Abuse existing OAuth integrations: Attackers exploit legitimate OAuth integrations for unauthorized access.
3. API secret theft: Attackers steal secrets used in API communications.
4. Passwordless logins: Attackers exploit passwordless login mechanisms to gain access.
5. Account recovery: Attackers exploit account recovery processes to gain unauthorized access.
6. In-app phishing: Attackers conduct phishing attacks within applications.
7. IM user spoofing: Attackers impersonate users on instant messaging platforms to conduct attacks.
8. Automation workflow sharing: Attackers share malicious workflows to automate attacks.
9. SAMLjacking: Attackers hijack SAML assertions to gain unauthorized access.
10. Inbound federation: Attackers exploit federated identity systems for access.
11. Session cookie theft: Attackers steal cookies to hijack sessions.
10. Exfiltration
1. Takeout services: Attackers use export functions to exfiltrate data.
2. Webhooks: Attackers misuse webhooks to extract data or execute actions.
3. Shadow workflows: Attackers create hidden workflows for ongoing malicious activity.

Sources:

GitHub - pushsecurity/saas-attacks: Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown

Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown - pushsecurity/saas-attacks

github.com

Models:

MITRE ATT&CK Framework