Exploring RedCloud OS — Adversary Simulation Framework for Red Teaming & Cloud Security

In the rapidly evolving world of cybersecurity, staying ahead of potential threats is paramount. RedCloud OS emerges as a groundbreaking framework designed for Red Teams to simulate adversary tactics in cloud environments.

RedCloud OS — Logo

This operating system is tailored to assess the security posture of leading Cloud Service Providers (CSPs) such as AWS, Azure, and Google Cloud. In this article, we will delve deep into RedCloud OS, its features, installation process, the tools it comes packed with, and the benefits it brings to the table.

What is RedCloud OS?

RedCloud OS is a specialized adversary simulation operating system that equips Red Teams with the tools and capabilities to test and evaluate the security measures of cloud infrastructures.

https://sysdig.com/blog/what-is-mitre-attck-for-cloud-iaas/

By mimicking the tactics, techniques, and procedures (TTPs) of real-world attackers, RedCloud OS allows security professionals to identify vulnerabilities and fortify their defenses against sophisticated cyber threats in cloud environments.

For reference, see the MITRE ATT&CK Cloud Matrix:

https://attack.mitre.org/matrices/enterprise/cloud/

Key Features of RedCloud OS:

  1. Comprehensive Toolset: RedCloud OS comes pre-installed with a wide range of tools for penetration testing, vulnerability assessment, and adversary emulation specific to cloud environments. (The list of available tools is at the end of this article for your reference.)
  2. Multi-Cloud Compatibility: It supports the major CSPs, providing tailored assessment tools for AWS, Azure, and Google Cloud. It also supports multi-cloud environments and architectures!
  3. User-Friendly Interface: A streamlined interface that simplifies the execution of complex tasks, making it accessible for both novice and experienced security professionals.

Installation Guide

Before installing RedCloud OS, ensure that your system (host) meets the following requirements:

  • Minimum RAM: 4GB (8GB recommended)
  • Storage: 20GB free space
  • Processor: 64-bit CPU
  • Virtualization Support: Enabled in BIOS/UEFI
Specs & requirements from the creators!

Step-by-Step Installation:

  1. Download the VM file: https://drive.google.com/drive/folders/1Bp1VpW4OoAEwko8vDa6tjbixqjYAukTB
  2. Unzip the archive: You will end up with a folder of 3 files.
  3. Open your virtualisation platform (VMware or VirtualBox) and import the OVF or VMDK files.
Downloading the RedCloud OS (7.43 GB Archive Size)
8.60 GB — Size of files after extraction
Select the OVF file to import the OS VM into VMware Workstation
Importing — Loading..
After finishing importing the VM, I noticed some strange settings (I don’t know whether it is a mistake or intentional). Either way, I added a Network Adapter in the VM settings so I can connect it to the internet. I also used the recommended settings (8GB of RAM & 4 Processors).
Now our “RedCloud OS” virtual machine appears to be ready for LAUNCH!
It looks interesting so far! :D
VM Password is: redcloud
VM — Access Credentials
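The import steps above, automated for VirtualBox as an added example (this is not code from the RedCloud OS project or the article): it checks the host requirements listed earlier, locates the OVF in the extracted folder, and imports it with the recommended 8 GB / 4 vCPU settings plus a NAT adapter. The folder path and the VM name "RedCloudOS" are assumptions; the VBoxManage options used are documented VirtualBox CLI options.

```shell
#!/bin/sh
# Added example, not code from the RedCloud OS project or the article:
# automates the import described above for VirtualBox. Assumes the path of
# the unzipped folder and the VM name "RedCloudOS" (both hypothetical);
# the VBoxManage options used are documented VirtualBox CLI options.
set -eu

# Locate the .ovf file among the three extracted files.
find_ovf() {
    dir="$1"
    ovf=$(find "$dir" -maxdepth 1 -type f -iname '*.ovf' | head -n 1)
    [ -n "$ovf" ] || { echo "no .ovf file found in $dir" >&2; return 1; }
    printf '%s\n' "$ovf"
}

# Host prerequisites from the article: >= 4 GB RAM, >= 20 GB free disk,
# 64-bit CPU, hardware virtualization (vmx/svm) enabled in BIOS/UEFI.
# Values are passed as arguments so the check can run on constructed input:
#   host_ok <mem_kb> <free_disk_kb> <arch> "<cpu flags>"
host_ok() {
    mem_kb="$1"; free_kb="$2"; arch="$3"; flags="$4"
    [ "$mem_kb" -ge $((4 * 1024 * 1024)) ] || { echo "need >= 4 GB RAM" >&2; return 1; }
    [ "$free_kb" -ge $((20 * 1024 * 1024)) ] || { echo "need >= 20 GB free disk" >&2; return 1; }
    [ "$arch" = "x86_64" ] || { echo "need a 64-bit CPU" >&2; return 1; }
    case " $flags " in
        *" vmx "* | *" svm "*) ;;
        *) echo "enable virtualization in BIOS/UEFI" >&2; return 1 ;;
    esac
}

# Read the real host values (Linux), then import with the recommended
# settings (8 GB RAM, 4 vCPUs) and add a NAT adapter for internet access.
import_redcloud() {
    dir="$1"; name="${2:-RedCloudOS}"
    host_ok "$(awk '/^MemTotal/ {print $2}' /proc/meminfo)" \
            "$(df -Pk "$dir" | awk 'NR==2 {print $4}')" \
            "$(uname -m)" \
            "$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)"
    ovf=$(find_ovf "$dir")
    VBoxManage import "$ovf" --vsys 0 --vmname "$name" --memory 8192 --cpus 4
    VBoxManage modifyvm "$name" --nic1 nat
}

# Example invocation (hypothetical path):
# import_redcloud "$HOME/RedCloudOS"
```

After the import, the VM still boots with the password given in the caption above; the script only replaces the GUI clicks, not the first login.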

Using RedCloud OS

Initial View:

Based on Parrot OS 5.3 (It should be the Architect Edition of ParrotSecOS)

It is official: the OS is built on “Parrot Security OS” (an ethical hacking and penetration testing distribution, itself based on “Debian”, another well-known Linux distribution).

It comes packed with an interesting PDF file to get started in “Multi-Cloud Red Teaming”; naturally, it also promotes CWL certifications and cloud labs.

What I enjoyed even more is the way they designed the OS menu. It is really cool and helpful to have the tools categorized by CSP, with another list dedicated to Multi-Cloud, and sub-categories for three main aspects: Enumeration, Exploitation, and Post-Exploitation. Imagine a Kali Linux or a Parrot SecOS dedicated to the Cloud :D

Applications Menu — Tool’s Categories

Tool Overview:

Cloud-Specific Tools — AWS:

Amazon Web Services
  • AWS-CLI: Universal Command Line Interface for Amazon Web Services.
  • AWS-Consoler: A utility to convert your AWS CLI credentials into AWS console access.
  • AWS-Escalate
  • CloudCopy: This tool implements a cloud version of the Shadow Copy attack against domain controllers running in AWS using only the EC2:CreateSnapshot permission.
  • CloudJack: CloudJack assesses AWS accounts for subdomain hijacking vulnerabilities as a result of decoupled Route53 and CloudFront configurations.
  • CloudMapper: CloudMapper helps you analyze your Amazon Web Services (AWS) environments. The original purpose was to generate network diagrams and display them in your browser (functionality no longer maintained). It now contains much more functionality, including auditing for security issues.
  • CredKing: Easily launch a password spray using AWS Lambda across multiple regions, rotating IP addresses with each request.
  • EndGame: An AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account’s resources with a rogue AWS account — or share the resources with the entire internet 😈.
  • Pacu: An open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.
  • RedBoto: Collection of scripts that use the Amazon SDK for Python boto3 to perform red team operations against the AWS API.
  • WeirdAAL: AWS Attack Library.

Cloud-Specific Tools — AZURE:

Microsoft Azure
  • Azure-CLI: Azure Command-Line Interface.
  • AzureHound: The BloodHound data collector for Microsoft Azure.
  • BloodHound: Six Degrees of Domain Admin; famous enough to need no description.
  • AADCookieSpoof: Azure AD Identity Protection Cookie Spoofing.
  • AADInternals: AADInternals PowerShell module for administering Azure AD and Office 365.
  • AzureAD: Cmdlets reference help docs for Powershell Azure AD.
  • DCToolBox: A PowerShell toolbox for Microsoft 365 security fans.
  • MFASweep: PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor. It also has an additional check for ADFS configurations.
  • MicroBurst: PowerShell Toolkit for Attacking Azure: MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post-exploitation actions such as credential dumping. It is intended to be used during penetration tests where Azure is in use.
  • Microsoft365_DevicePhish: This is a simple proof-of-concept script that allows an attacker to conduct a phishing attack against the Microsoft 365 OAuth Authorization Flow. Using this, one can connect to Microsoft’s OAuth API endpoints to create a user_code and device_code and obtain the victim user's access_token upon a successful phishing attack. The token can then be used to access various Office 365 products via the Microsoft Graph API on behalf of the victim user.
  • MSGraph: The Microsoft Graph PowerShell SDK is made up of a set of modules that enable you to interact with the Microsoft Graph API using PowerShell commands. The modules consist of commands that act as wrappers for the API, allowing you to access all the features and functionality of the API through PowerShell.
  • PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server: It includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements.
  • ROAD_Tools: (Rogue Office 365 and Azure (active) Directory tools): a framework to interact with Azure AD. It consists of a library (roadlib) with common components, the ROADrecon Azure AD exploration tool and the ROADtools Token eXchange (roadtx) tool.
  • TeamFiltration: A cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts.
  • TokenTactics: Azure JWT Token Manipulation Toolset.

Cloud-Specific Tools — GCP:

Google Cloud Platform
  • gCloud-CLI: The Google Cloud CLI is a set of tools to create and manage Google Cloud resources. You can use these tools to perform many common platform tasks from the command line or through scripts and other automation.
  • GCP_BucketBrute: A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated.
  • GCP_Misc: Miscellaneous tools related to attack operations in Google Cloud Platform. These are scripts that may not be quite robust or portable enough for their own projects, yet others may still find useful.
  • GCP_Enum: A simple bash script to enumerate Google Cloud Platform environments. The script utilizes gcloud, gsutil, and curl commands to collect information from various GCP APIs. The commands will use the current "Application Default Credentials". An attacker could use a script like this to understand the level of access they have from something like a compromised compute instance. Defenders can use this script to simulate enumeration and build detection capabilities.
  • GCP_FirewallEnum: This tool parses the output of several gcloud commands to determine which compute instances have network ports exposed to the public Internet, and generates targeted nmap and masscan scripts based on the results.
  • GCP_IAM_Collector: Python script for collecting and visualising Google Cloud Platform IAM permissions.
  • GCP_IAM_PrivEsc: A collection of GCP IAM privilege escalation methods documented by the Rhino Security Labs team.
  • GCP_TokenReuse: GCPTokenReuse helps pentesters and red teamers configure an access token using the gcloud CLI.
  • GoogleWorkspaceDirectoryDump: Python 3 script that dumps the users and groups from Google Workspace. The output can be used to map group membership relationships, which can aid further operations.
  • Hayat: A script to report on and analyze Google Cloud Platform resources.

Multi-Cloud Tools:

Multi-Cloud
  • Cartography: It is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
  • Cloud Container Attack Tool: CCAT is a tool for testing security of container environments.
  • CloudBrute: A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). The outcome is useful for bug bounty hunters, red teamers, and penetration testers alike.
  • CloudEnum: Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
  • CloudServiceEnum
  • EvilGinx2: Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.
  • GitLeaks: SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in GIT repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
  • Impacket: Collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1–3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols.
  • Leonidas: Automated Attack Simulation in the Cloud, complete with detection use cases.
  • Modlishka: Powerful and flexible HTTP reverse proxy. It implements an entirely new and interesting approach of handling browser-based HTTP traffic flow, which allows it to transparently proxy multi-domain destination traffic, both TLS and non-TLS, over a single domain, without a requirement of installing any additional certificate on the client.
  • Mose: Post-exploitation tool that enables security professionals with little or no experience with configuration management (CM) technologies to leverage them to compromise environments. CM tools, such as Puppet, Chef, Salt, and Ansible are used to provision systems in a uniform manner based on their function in a network. Upon successfully compromising a CM server, an attacker can use these tools to run commands on any and all systems that are in the CM server’s inventory.
  • PurplePanda: This tool fetches resources from different cloud/saas applications focusing on permissions in order to identify privilege escalation paths and dangerous permissions in the Cloud/SaaS configurations. Note that PurplePanda searches both privileges escalation paths within a platform and across platforms.
  • Responder: LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
  • ScoutSuite: Open-source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, it gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
  • SkyArk: It helps to discover, assess and secure the most privileged entities in Azure and AWS.
  • ZPhisher: An automated phishing tool with 30+ templates.

Benefits of Using RedCloud OS:

  1. Enhanced Security Posture: Regular assessments and simulations help in identifying and mitigating vulnerabilities, thereby enhancing the overall security posture.
  2. Realistic Attack Simulations: RedCloud OS provides a realistic environment for simulating advanced persistent threats (APTs), ensuring preparedness against real-world attacks.
  3. Cost-Effective Security Testing: It offers a cost-effective solution for continuous security testing without the need for expensive third-party services.
  4. Skill Development: Using RedCloud OS helps security professionals develop and hone their skills in cloud security assessment and adversary simulation.

Conclusion:

RedCloud OS is an invaluable tool for any organization looking to bolster its cloud security defenses. By providing a comprehensive platform for adversary simulation, it enables Red Teams to proactively identify and address potential threats. Whether you are a seasoned security professional or a newcomer to cloud security, RedCloud OS offers the tools and capabilities to enhance your security assessments and improve your organization’s resilience against cyber threats.

Extra Resources:

Conference by OWASP Algiers Chapter
CSA Algeria Chapter


Written by Taher Amine, mMBA, CISSP-SME, CCISO, ISOxx SLA/SLI

Information Security Expert | Cybersecurity Leader | Global Consultant, Accredited Auditor and Certified Trainer | Speaker & Philanthropist🌍 (+170 Certs)
