{"id":13680685,"url":"https://github.com/cyberark/SkyArk","last_synced_at":"2025-04-30T00:30:39.262Z","repository":{"id":37664670,"uuid":"125351578","full_name":"cyberark/SkyArk","owner":"cyberark","description":"SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS","archived":false,"fork":false,"pushed_at":"2024-12-17T15:34:58.000Z","size":685,"stargazers_count":885,"open_issues_count":6,"forks_count":163,"subscribers_count":41,"default_branch":"master","last_synced_at":"2025-04-10T10:04:52.864Z","etag":null,"topics":["admins","attacker","aws","azure","cloud","cloud-security","powershell","privileges","security-tools","threat"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cyberark.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-03-15T10:35:17.000Z","updated_at":"2025-03-24T15:42:42.000Z","dependencies_parsed_at":"2024-12-25T12:00:19.367Z","dependency_job_id":"c738db04-3cf6-4243-aa41-f62bbd55ecb2","html_url":"https://github.com/cyberark/SkyArk","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FSkyArk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FSkyArk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FSkyArk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FSkyArk/mani
fests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cyberark","download_url":"https://codeload.github.com/cyberark/SkyArk/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251607310,"owners_count":21616738,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["admins","attacker","aws","azure","cloud","cloud-security","powershell","privileges","security-tools","threat"],"created_at":"2024-08-02T13:01:20.489Z","updated_at":"2025-04-30T00:30:39.250Z","avatar_url":"https://github.com/cyberark.png","language":"PowerShell","readme":"\n![alt text](https://github.com/Hechtov/Photos/blob/master/SkyArk/SkyArkLogo2.png \"SkyArk\")  \n\n### SkyArk is a cloud security project with two main scanning modules:  \n 1.  **AzureStealth**  - Scans Azure environments   \n 2.  **AWStealth**  - Scans AWS environments   \n  \n### These two scanning modules will discover the most privileged entities in the target AWS and Azure environments.  \n\n# The Main Goal - Discover The Most Privileged Cloud Users\nSkyArk currently focuses on mitigating the new threat of Cloud Shadow Admins, and helps organizations discover, assess and protect cloud privileged entities.  \nStealthy and undercover cloud admins may reside in every public cloud platform, and SkyArk helps mitigate the risk in AWS and Azure.  
\n**In defensive/pentest/risk assessment procedures - make sure to address the threat and validate that those privileged entities are indeed well secured.**  \n  \n  \n# Background:\nSkyArk deals with the emerging threat of Cloud Shadow Admins - how attackers can find and abuse non-trivial and so-called “limited” permissions to still make it through, escalate their privileges and become full cloud admins.  \nFurthermore, attackers can easily use those tricky specific permissions to hide stealthy admin entities that will wait for them as an undercover persistence technique.  \n  \nSkyArk was initially published as part of our research on the threat of **AWS Shadow Admins**; this research was presented at the RSA USA 2018 conference.  \nThe AWS Shadow Admins blog post:  \nhttps://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/  \nThe recording of the RSA talk:  \nhttps://www.youtube.com/watch?v=mK62I1BNmXs   \n  \nAbout a year later, we added the AzureStealth scan to SkyArk for mitigating the **Shadow Admins threat in Azure!** \nOur research on the Azure Shadow Admins threat was presented at the RSA USA 2020 and Hackfest conferences.\nDIY: Hunting Azure Shadow Admins Like Never Before - blog post:  \nhttps://www.cyberark.com/resources/threat-research-blog/diy-hunting-azure-shadow-admins-like-never-before-2  \n  \n# Tool Description\nSkyArk currently contains two main scanning modules: **AWStealth** and **AzureStealth**.  \nWith the scanning results, organizations can discover the entities (users, groups and roles) that have the most sensitive and risky permissions.  \nIn addition, we encourage organizations to scan their environments from time to time and search for suspicious deviations in their privileged entities list.  
\n**Potential attackers are hunting for those users, and the defensive teams should make sure these privileged users are well secured - have strong, rotated and safely stored credentials, have MFA enabled, are monitored carefully, etc.**   \nRemember that we cannot protect the things we aren’t aware of, and SkyArk helps in the complex mission of discovering the most privileged cloud entities - including the straightforward admins and also the stealthy shadow admins that could easily escalate their privileges and become full admins as well.  \n  \n### 1. AzureStealth Scan\n**Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.**\n  \n**How To Run AzureStealth**  \nThe full details are in the AzureStealth's Readme file:  \n[https://github.com/cyberark/SkyArk/blob/master/AzureStealth/README.md](https://github.com/cyberark/SkyArk/blob/master/AzureStealth/README.md)  \nIn short:\n1.  Download or sync the SkyArk project locally\n2.  Open PowerShell in the SkyArk folder with the permission to run scripts:  \n    \"powershell -ExecutionPolicy Bypass -NoProfile\"\n3.  Run the following commands:\n```\nImport-Module .\\SkyArk.ps1 -force\nStart-AzureStealth\n```\n AzureStealth needs only Read-Only permissions over the scanned Azure Directory (Tenant) and Subscription.  \n *You can also run the scan easily from within the Azure Portal by using the built-in CloudShell:  \n ```\n    IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')  \n    Scan-AzureAdmins  \n```  \n **AzureStealth DEMO:**  \n ![Demo](https://github.com/Hechtov/Photos/blob/master/SkyArk/AzureStealth%20-%20short%20demo1.gif?raw=true)  \n   \n  ### 2. 
AWStealth Scan\n**Discover the most privileged entities in the scanned AWS environment - including the AWS Shadow Admins.**\n  \n**How To Run AWStealth**  \nThe full details are in the AWStealth's Readme file:  \n[https://github.com/cyberark/SkyArk/tree/master/AWStealth](https://github.com/cyberark/SkyArk/tree/master/AWStealth)  \nIn short:  \n1.  Download or sync the SkyArk project locally\n2.  Open PowerShell in the SkyArk folder with the permission to run scripts:  \n    \"powershell -ExecutionPolicy Bypass -NoProfile\"\n3.  Run the following commands:\n```\nImport-Module .\\SkyArk.ps1 -force\nStart-AWStealth\n```\n AWStealth needs only Read-Only permissions over the IAM service of the scanned AWS environment.\n    \n**AWStealth DEMO:**  \n![Demo](https://github.com/Hechtov/Photos/blob/master/SkyArk/SkyArk-shortVideo.gif)  \n  \n  ### 3. SkyArk includes additional small sub-modules for playing around in the cloud security field\nAn example of such a sub-module is the **AWStrace** module.  \n**AWStrace - analyzes AWS CloudTrail Logs and can provide new valuable insights from CloudTrail logs.**  \nIt especially prioritizes risky sensitive IAM actions that potential attackers might use as part of their malicious actions as AWS Shadow Admins.  \nThe module analyzes the log files and produces an informative CSV results file with important details on each executed action in the tested environment.  \nSecurity teams can use the results files to investigate sensitive actions, discover the entities that took those actions and reveal additional valuable details on each executed and logged action.  
\n  \n# Quick Start  \nTake a look at the Readme files of the scanning modules:  \nAzureStealth - [https://github.com/cyberark/SkyArk/blob/master/AzureStealth/README.md](https://github.com/cyberark/SkyArk/blob/master/AzureStealth/README.md)  \nAWStealth - [https://github.com/cyberark/SkyArk/blob/master/AWStealth/README.md](https://github.com/cyberark/SkyArk/blob/master/AWStealth/README.md)\n\n# Share Your Thoughts And Feedback  \nAsaf Hecht ([@Hechtov](https://twitter.com/Hechtov)) and CyberArk Labs \n  \n**More coverage on the uprising Cloud Shadow Admins threat:**  \n  \nOn the threat in AWS:  \nThreatPost: https://threatpost.com/cloud-credentials-new-attack-surface-for-old-problem/131304/  \nTechTarget\\SearchCloudSecurity: https://searchcloudsecurity.techtarget.com/news/252439753/CyberArk-warns-of-shadow-admins-in-cloud-environments  \nSecurityBoulevard: https://securityboulevard.com/2018/05/cyberark-shows-how-shadow-admins-can-be-created-in-cloud-environments/  \nLastWatchDog: https://www.lastwatchdog.com/cyberark-shows-how-shadow-admins-can-be-created-in-cloud-environments/  \nByron Acohido's Podcast: https://soundcloud.com/byron-acohido/cloud-privileged-accounts-flaws-exposed  \nOn the threat in Azure:  \nhttps://www.zdnet.com/article/new-tool-detects-shadow-admin-accounts-in-aws-and-azure-environments/\nhttps://securityinfive.com/episode-797-new-tool-helps-you-find-shadow-admin-account-in-aws-and-azure/\nhttps://awsinsider.net/articles/2020/07/29/aws-azure-shadow-admin.aspx\nhttps://siliconangle.com/2020/07/29/cyberark-launches-open-source-shadow-admin-identification-tool-azure-aws/\nhttps://itsecuritywire.com/quick-bytes/cyberark-introduces-shadow-admin-identification-tool-for-azure-and-aws/\n","funding_links":[],"categories":["Projects","SaaS","Tools","0x02 工具 :hammer_and_wrench:"],"sub_categories":["Automated Security Assessment","Lateral Movement","1 
云服务工具"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2FSkyArk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyberark%2FSkyArk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2FSkyArk/lists"}