{"id":32475987,"url":"https://github.com/reverseclabs/strifebot","last_synced_at":"2025-10-26T21:28:01.848Z","repository":{"id":319759252,"uuid":"1057852154","full_name":"ReversecLabs/strifebot","owner":"ReversecLabs","description":null,"archived":false,"fork":false,"pushed_at":"2025-09-17T08:41:17.000Z","size":1597,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-20T05:44:03.422Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ReversecLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-16T09:41:12.000Z","updated_at":"2025-10-13T15:54:54.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ReversecLabs/strifebot","commit_stats":null,"previous_names":["reverseclabs/strifebot"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/ReversecLabs/strifebot","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReversecLabs%2Fstrifebot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReversecLabs%2Fstrifebot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReversecLabs%2Fstrifebot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReversecLabs%2Fstrifebot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ReversecLabs","download_url":"https://codeload.github.com/ReversecLabs/strifebot/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReversecLabs%2Fstrifebot/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281178716,"owners_count":26456676,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-26T02:00:06.575Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-26T21:28:00.279Z","updated_at":"2025-10-26T21:28:01.842Z","avatar_url":"https://github.com/ReversecLabs.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"```\n  ██████ ▄▄▄█████▓ ██▀███   ██▓  █████▒▓█████  ▄▄▄▄    ▒█████  ▄▄▄█████▓  \n▒██    ▒ ▓  ██▒ ▓▒▓██ ▒ ██▒▓██▒▓██   ▒ ▓█   ▀ ▓█████▄ ▒██▒  ██▒▓  ██▒ ▓▒  \n░ ▓██▄   ▒ ▓██░ ▒░▓██ ░▄█ ▒▒██▒▒████ ░ ▒███   ▒██▒ ▄██▒██░  ██▒▒ ▓██░ ▒░  \n  ▒   ██▒░ ▓██▓ ░ ▒██▀▀█▄  ░██░░▓█▒  ░ ▒▓█  ▄ ▒██░█▀  ▒██   ██░░ ▓██▓ ░   \n▒██████▒▒  ▒██▒ ░ ░██▓ ▒██▒░██░░▒█░    ░▒████▒░▓█  ▀█▓░ ████▓▒░  ▒██▒ ░   \n▒ ▒▓▒ ▒ ░  ▒ ░░   ░ ▒▓ ░▒▓░░▓   ▒ ░    ░░ ▒░ ░░▒▓███▀▒░ ▒░▒░▒░   ▒ ░░     \n░ ░▒  ░ ░    ░      ░▒ ░ ▒░ ▒ ░ ░       ░ ░  ░▒░▒   ░   ░ ▒ ▒░     ░      \n░  ░  ░    ░        ░░   ░  ▒ ░ ░ ░       ░    ░    ░ ░ ░ ░ ▒    ░        \n      ░              ░      ░             ░  ░ ░          ░ ░             \n    
                                                ░                     \n```\n\n# StrifeBot\n\nThis repo contains a selection of guides, scripts, and tools for running purple team exercises against Snowflake, mainly focusing on automating the \"red\" side of the purple team.\n\nThe content is partially threat-intel based, drawing specifically on previous Snowflake compromises:\n - https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion  \n - https://services.google.com/fh/files/misc/snowflake-threat-hunting-guide.pdf  \n\nOther techniques are theoretical attacks that are possible within the platform but have not been observed in the wild.\n\nLayout:\n - scripts: \tSQL scripts for automating malicious Snowflake actions\n - cloud_inf: \tTerraform scripts for deploying AWS resources to exfiltrate to\n - tools: \t\tOther tools, e.g. password brute forcing\n\n### Playbooks\n\nThe playbooks folder contains the guides for attacking and defending Snowflake. Structured by MITRE phases, there are guides on the core attacks, the applicable security controls, monitoring strategies, and the test case commands themselves. Following these should allow you to conduct the actual purple team\n\n```\nplaybooks\n├── README.md\n├── blue\n└── red\n    ├── README.md\n    ├── 00_general.md\n    ├── 01_initial_access.md\n    ├── 02_discovery.md\n    ├── 03_persistence.md\n    ├── 04_privesc.md\n    ├── 05_defense_evasion.md\n    ├── 06_credential_access.md\n    ├── 07_collection.md\n    ├── 07_exfiltration.md\n    └── 09_impact.md\n```\n\n### Cloud infrastructure\n\nThe cloud_inf folder contains Terraform templates for several AWS resources that can be deployed to facilitate exfiltration. These have been written to be quick and convenient, not to be long-term secure deployments: they involve role-assumption relationships and public S3 buckets, so make sure you know what you're deploying and use them with caution.\n\nModules:\n - lambda_api: deploys a public API Gateway that, when invoked, logs the caller to a CloudWatch resource. This can be used to exfiltrate data via Snowflake external functions\n - S3:          various models of S3 access, including public buckets, role assumption, and IAM user key-based access\n\n```\ncloud_inf\n├── lambda_api\n├── s3_iam_user\n├── s3_public\n├── s3_role_assumption\n└── vars.tfvars\n```\n\nAll cloud templates use tags based on shared variables; set them as follows:\n```sh\n\nCOST_CENTRE=\"Cost_centre_here\"\nEMAIL=\"firstname.lastname@reversec.com\"\n\ncat \u003e vars.tfvars \u003c\u003c EOF\naws_region = \"eu-west-1\"\ncost_center = \"$COST_CENTRE\"\ncontact = \"$EMAIL\"\ndeployment_name = \"ew1-purple-snowflake\" # The root name for the resources; use this however you want to track things. S3 buckets will be given pseudo-random animal names to ensure uniqueness.\nEOF\n```\n\n\n### Scripts\n\nThe best guide to the test cases is the playbook code snippets; however, some key commands are also present as individual script files for ease of repetition. A variety of scripts are stored in the **scripts** folder:  \n\n - backdoor_user_key.sql\n - create_external_access_WIP.sql\n - create_external_function_exfil.sql\n - create_security_integration.sql\n - create_stored_procedure.sql\n - create_user.sql\n - delete_history.sql\n - disable_external_function.sql\n - enum_api_integrations.sql\n - enum_functions_external.sql\n - enum_functions_secrets.sql\n - enum_network_policies.sql\n - enum_roles.sql\n - enum_secrets.sql\n - enum_security_integrations.sql\n - enum_sessions.sql\n - enum_tables.sql\n - exfil_copy_s3_private.sql\n - exfil_copy_s3_public.sql\n - exfil_get.sql\n - grant_db_ownership.sql\n - grant_role_accountadmin.sql\n - grant_role_ownership.sql\n - invoke_external_function_exfil.sql\n - read_history.sql\n - reset_password.sql\n\nCurrently these should be examined and executed manually, as some require variables to be set and this has not been automated. However, they serve as a basis for the malicious actions that can be performed within Snowflake.\n\n### References\n\nThe following resources were invaluable in understanding the attacks against Snowflake that occurred, and in constructing blue team strategies:\n - https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion  \n - https://services.google.com/fh/files/misc/snowflake-threat-hunting-guide.pdf  \n - https://snowflake-labs.github.io/Sentry/\n - https://specterops.io/blog/2024/06/13/mapping-snowflakes-access-landscape/","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freverseclabs%2Fstrifebot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Freverseclabs%2Fstrifebot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freverseclabs%2Fstrifebot/lists"}