Defiance Meets Desperation as Iran Faces Fresh UN Sanctions

28 September 2025 at 17:04


EXPERT INTERVIEW – The United Nations has reimposed sweeping economic and military sanctions on Iran, ten years after lifting them under the 2015 nuclear deal.

Britain, France, and Germany triggered the “snapback” mechanism, accusing Tehran of nuclear escalation and blocking inspections. Iran had already halted oversight after U.S. and Israeli strikes in June damaged several nuclear sites and military facilities.

President Masoud Pezeshkian insists Iran has no intention of building nuclear weapons, calling the sanctions “unfair and illegal.” But the move marks another blow to the Joint Comprehensive Plan of Action (JCPOA), the deal meant to cap Iran’s enrichment and research while allowing civilian nuclear energy.

Iran accelerated banned nuclear activity after Trump pulled the U.S. out of the deal in 2018, repeatedly dismissing the accord as flawed.

The latest sanctions cut Iran off from global banks, reimpose arms and missile restrictions, and revive asset freezes and travel bans on key officials. Analysts say the measures hit Iran at a fragile moment with its economy shrinking, inflation surging, and the rial collapsing to record lows. Oil sales, foreign investment, shipping, and manufacturing are all expected to take a hit.

The Cipher Brief spoke with longtime Middle East and Energy Analyst Norm Roule, who formerly served as National Intelligence Manager for Iran at ODNI. Roule continues to travel regularly to the region for meetings with high-level officials throughout the Middle East.


Norman T. Roule

Norman Roule is a geopolitical and energy consultant who served for 34 years in the Central Intelligence Agency, managing numerous programs relating to Iran and the Middle East. He also served as the National Intelligence Manager for Iran (NIM-I) at ODNI, where he was responsible for all aspects of national intelligence policy related to Iran.

The Cipher Brief: Why are snapback sanctions different from other sanctions already imposed on Iran?

Roule: First, we should touch on what this means for the regime. The sanctions hit Iran at one of its most fragile moments since the late 1980s. The government remains unpopular to an unprecedented degree. Virtually every economic indicator in Iran is poor. Its national security architecture of militias, foreign proxies, Russia, China, and the Revolutionary Guard failed during the recent conflict with Israel and the U.S. The main driver of the regime is to maintain stability as it completes transitions to the post-revolutionary generation of leadership. Despite the absence of large-scale protests, destabilizing national unrest could occur at any time.

Over the past few months, Iran’s diplomats have used the prospect of a nuclear deal and the possibility of sanctions relief as a source of hope for the Iranian people. The return of UN sanctions strips Tehran of one of its few remaining political assets.

The primary difference between the latest sanctions and U.S. sanctions is that these measures are binding on all 193 member states of the United Nations. Iran will, of course, do everything it can to evade sanctions. Russia, China, North Korea, Venezuela, and other Iranian partners who already have a history of violating Iran sanctions are unlikely to enforce these sanctions with enthusiasm.

However, unlike U.S. sanctions, which they have argued could be ignored because they were imposed only by Washington, these sanctions are imposed by the United Nations. This will make it harder for these countries to involve other countries in their own violations. Likewise, it makes it much easier for the U.S. government to seek compliance worldwide due to the legal and reputational risks associated with countries and businesses that we might approach on this issue.

The Cipher Brief: Can you discuss the specific sanctions and your assessment of their likelihood of success?

Roule: First, and most damaging for Iran, these sanctions isolate Iranian banks from a large part of the global financial system and require that UN members prevent the use of their banking systems for sanctioned trade. Hence, Iran has lost the ability to manage its oil revenues through international banks. Instead, it will need to engage in oil bartering or use intermediaries, which is a slower and more expensive process. It will likely reduce its oil sales at a time when Saudi Arabia is trying to reclaim some of the market share lost to Iran in recent years.

Banks understand that Iran will seek to defy sanctions. They also know that there are expensive legal consequences if they fail to undertake due diligence operations to examine transactions and shipments, thereby demonstrating that they have fulfilled their sanctions obligations.

Next, there is the restoration of the conventional arms embargo: This bans traditional arms transfers to or from Iran. This should make it harder for Iran to acquire advanced weapons from Russia and China, but also to sell its weapons systems to Russia, Sudan, and other countries. I will admit that I am not sanguine on the last point.

Third, we have nuclear and missile restrictions: This includes a prohibition on uranium enrichment, reprocessing, heavy-water activities, and ballistic missile technology transfers or tests capable of delivering nuclear weapons (beyond 300 km range). Iran is likely to ignore most of these restrictions and will test the international community as it does so. But I think it will also try to do so in a way that avoids sparking a regime-destabilizing war with Israel or the U.S.

Snapback also restores restrictions on dual-use goods, materials, and technologies that could aid nuclear or missile programs. These sections require increased inspections of Iranian ships and aircraft to prevent the transfer of prohibited materials or goods. For governments and businesses, this requirement will be among the more intrusive and time-consuming, and thus expensive. At the same time, Tehran will game the system by introducing complicated, multi-country layers of shell companies to obtain critical materials. This is where international legal and intelligence partnerships will play an essential role in identifying and neutralizing these networks.

Next, snapback returns asset freezes and travel bans on designated Iranian individuals. This is a rather long list and includes Islamic Revolutionary Guard Corps officials, nuclear scientists, and officials related to their programs, as well as their assets worldwide. Travel bans should be successful. Asset bans are less so, primarily due to the small number of such assets located abroad. These restrictions, however, serve as a powerful reminder to businesses of the reputational impact of doing business with Iran.


The Cipher Brief: Let’s go deeper. Can you break this down by sector? Is there any part of Iran’s economy that will be hurt more than another? Oil seems most likely.

Roule: We should keep in mind that, following the negative impact of the initial sanctions announcement, the effect of sanctions should be understood as corrosive. Further impact is shaped by how seriously and loudly we enforce sanctions, as well as how vigorously and successfully Tehran develops countermeasures.

To begin, Iran started the year in challenging economic conditions. The IMF’s projection for Iran’s GDP was dismal, 0.5%, so negative growth in the coming months would be far from surprising. Indeed, one wonders how it will be avoided.

The snapback announcement caused the Iranian rial to plummet to a new record low of 1.12 million to the dollar. Tehran will have little choice but to inject precious hard currency into the market to sustain its failing currency. I also expect more enthusiasm for the effort to cut some of the zeros from the Iranian currency. Iran’s leaders likely worry that the coming months will see a further weakening of the rial and a spike in inflation, which currently hovers around 43%.

Foreign investment, such as it is, will also take a hit. In 2024, Iran claimed – and probably overstated – that it attracted around $5.5 billion in foreign investment. That minuscule figure will shrink even further.

Let’s talk about sectoral impacts.

Shipping costs for Iran are likely to increase substantially. A significant portion of Iran’s seaborne trade will face new cargo inspections, bans on dual-use goods shipments, insurance difficulties, and possibly even port servicing complications.

Manufacturing and mining will be impacted in terms of both imports and exports as they face new pressures on supply chains and financing. This impact will affect trade with Europe, but it will also dampen Iran’s efforts to establish trade with Africa and complicate its trade relations with Iraq.

Although Iran’s defense industry may not be participating in trade shows, one suspects that its existing trade in drones and light arms will continue. Its current clients – Russia, Sudan, and other African countries, and reportedly Venezuela and Bolivia – may choose to ignore sanctions given their lack of alternative suppliers and animosity with the West.

The impact of sanctions on Iranian oil sales to China will be the most significant, if difficult to assess, in the coming months. Beijing and Tehran have deliberately obscured the payment relationship, and the former has imposed tough terms on Iran. China will view this new phase as an opportunity to offload more goods, machinery, and technology onto the Iranian market, and possibly to negotiate a larger price discount for the oil it acquires.

The use of intermediaries, smaller banks that are outside the scope of international monitoring, and shell firms will also increase costs for Tehran. Last, it isn’t unreasonable to think that Chinese oil sales could contract. Beijing – likely seeing the writing on the wall on this issue – has been building its reserves, and the Saudis and Emirates can fill the missing production, although they won’t discount their oil to match Iran’s prices.

The Cipher Brief: What are Iran’s likely next moves? Is diplomacy dead? What do you say to those who believe military action is expected?

Roule: Iran’s playbook is unlikely to be a surprise. Tehran’s leaders used Western media to issue their side of the story, projecting a blend of confidence, defiance, and dismissal of the impact of sanctions. Once home, Iran’s leaders will show that they won’t stop their nuclear work.

It is likely that even within Iran, the program's future remains under debate, with several options being considered. Tehran’s efforts to maintain close relations with Moscow and Beijing make it likely that it will seek to involve these capitals in its programs. One could imagine Iran dangling IAEA access at some point to gain international acceptance. Three possible programs could emerge in the coming months.

The most likely option is that Iran will seek to rebuild a modernized version of the enrichment and even the conversion facilities destroyed in the Twelve-Day War. This process would be expensive, and, depending on the number and location of facilities, could take years to complete. This option would be consistent with Iranian policy rhetoric but would risk a military attack and an extension of sanctions. The problem with lengthy construction is that this also delays benefits to Iran’s economy.

Tehran could reduce the likelihood of an attack by allowing the IAEA access to the sites or involving Russia or China in the operation and construction of the sites. Such an option, if involving advanced centrifuges, would allow Iran to retain the capability to produce highly enriched uranium, including weaponization levels, in the future should it wish to do so.

A far less likely option is to select a foreign fuel source for domestic reactors to provide power. Since this would mean abandoning a domestic enrichment program, this option is thus improbable in the foreseeable future.

Least likely for now would be weaponization. Such a decision would require Iran’s leadership to believe it could undertake and execute such an activity without discovery by Israeli or Western intelligence and, if discovered, would not face devastating military action similar to the June 2025 war.

In any case, activity at the recently reported Mount Kolang Gaz La facility in Esfahan Province is sufficient to be observable to the West, and as we have recently seen, to draw the attention of Western media, thereby sending a message. I expect construction at the site won’t be very fast until Tehran sees how Israel and the U.S. respond to this announcement and until Iran comes to a conclusion as to what direction it wishes to go in its nuclear program.

Diplomacy on Iran’s nuclear program is far from over, with low-level conversations perhaps taking place in Vienna and European capitals. The international community will remain – and should remain – insistent that the International Atomic Energy Agency (IAEA) gain access to Iran’s nuclear enterprise as soon as possible. Such a return cannot be achieved without engagement and diplomacy. However, it will take time for the politics to cool and a new paradigm of proposals to emerge.

Washington, Europe, and the Gulf will entertain serious proposals from Iran that it will accept a nuclear program that allows the IAEA the access it requires. More broadly, Washington is looking for a deal that means Iran won’t have the capacity to build nuclear weapons, will accept constraints on its missile program, and will end the regional operations of the Quds Force.

Iran’s current leadership is unlikely to make such a decision until sanctions begin to erode the economy. The death of the Supreme Leader could pave the way for a new generation of leadership, which – while no less assertive and potentially even hostile – might be more willing to be more accommodating on these issues to ensure the survival of the Islamic Republic.

Extreme caution should be exercised when discussing the possibility of military hostilities. The U.S. certainly doesn’t seek to start a war in the region. Israel may conduct military operations in Iran over Quds Force actions. Still, it is hard to see why Israel would argue it needs to undertake a costly military operation simply because Tehran is denying the IAEA access to rubble at Natanz. However, the Twelve Day War has changed the rules. An Israeli or US military attack on Iran is no longer unthinkable. If Iran were to undertake weaponization activity or attempt to conceal weaponization-related equipment or material, some in Tehran probably won’t be surprised if another surgical attack takes place.

Moving to Tehran, it is hard to see what benefits military action brings to Tehran. Iran is operating under some harsh realities. The Twelve Day War made it clear that Israel’s intelligence capabilities within Iran are extraordinary, and there is no reason to believe the capabilities aren’t still in place. If so, any plan would likely be discovered and perhaps neutralized before it could take off. Further, Iran’s air defenses continue to be no match for Israel or U.S. air and missile systems.

Iran’s missiles and drones not only had no strategic impact on the course of the Israeli attack but were significantly reduced in number by Israeli attacks. Iran fought alone in June: neither Russia nor China showed the slightest interest or capability in helping Iran during the June war. A conflict that spreads to the region risks costing Iran its détente with the GCC and potentially jeopardizing its support from China. Iran’s population remains disillusioned, and testing their willingness to endure a conflict would be quite the risk. Much depends on specific events and drivers, but current conditions don’t seem to lean towards a regional conflict.


Russians Offered Ready-made Crypto Exchange Accounts Amid Restrictions

31 January 2023 at 01:30

Russian crypto traders have been looking to obtain unrestricted accounts for global exchanges as their access to such platforms is limited. Over the past year, the offering of such accounts on the dark web has increased significantly, cybersecurity experts told the Russian press.

Supply of Crypto Exchange Accounts for Russian Users Doubles in a Year of Sanctions

More and more ready-to-use accounts for cryptocurrency exchanges are being sold to Russian residents. While this is not a new phenomenon — such accounts are often employed by fraudsters and money launderers — the current growth in supply has been attributed to the restrictions imposed by the trading platforms on customers from Russia, as a result of compliance with sanctions over the war in Ukraine.

Russian residents have been buying these accounts despite the dangers, including the risk that whoever created them could maintain access after the sale, Kommersant reported. But they are inexpensive, and offers on darknet markets have doubled since early 2022, Nikolay Chursin from the Positive Technologies information security threat analysis group told the business daily.

According to Peter Mareichev, an analyst at Kaspersky Digital Footprint Intelligence, the number of new ads for ready-made and verified wallets on various exchanges reached 400 in December. Proposals to prepare fake documents for passing know-your-customer procedures also rose, the newspaper revealed in an earlier article last month.

Simple login data, username and password, is typically priced at around $50, Chursin added. And for a fully set up account, including the documents with which it was registered, a buyer would have to pay an average of $300. Dmitry Bogachev from digital threat analysis firm Jet Infosystems explained that the price depends on factors such as the country and date of registration as well as the activity history. Older accounts are more expensive.

Sergey Mendeleev, CEO of the DeFi banking platform Indefibank, pointed out that there are two categories of buyers: Russians who have no other choice, as they need an account for everyday work, and those who use these accounts for criminal purposes. Igor Sergienko, director of development at cybersecurity services provider RTK-Solar, is convinced that demand is largely due to crypto exchanges blocking Russian accounts or withdrawals to Russian bank cards in recent months.

Major crypto service providers, including leading digital asset exchanges, have complied with financial restrictions introduced by the West in response to Russia’s invasion of Ukraine. Last year, the world’s largest crypto trading platform, Binance, indicated that, while restricting sanctioned individuals and entities, it was not banning all Russians.

However, since the end of 2022, a number of Russian users of Binance have complained about having their accounts blocked without explanation, as reported by Forklog. Many experienced problems for weeks, including suspended withdrawals amid prolonged checks, affected customers said. The company told the crypto news outlet that the blocking of users from Eastern Europe and the Commonwealth of Independent States was related to the case of the seized crypto exchange Bitzlato.


EAST - Extensible Azure Security Tool - Documentation

4 February 2023 at 06:30


Extensible Azure Security Tool (later referred to as E.A.S.T or EAST) is a tool for assessing Azure and, to some extent, Azure AD security controls. The primary use case of EAST is security data collection for evaluation in Azure assessments. This information (JSON content) can then be used in various reporting tools, which we use to further correlate and investigate the data.


This tool is licensed under MIT license.




Release notes

  • Preview branch introduced

    Changes:

    • Installation now accounts for the updated version of Azure Cloud Shell with regard to dependencies (Cloud Shell now has Node.js v16 installed)

    • Checking of Databricks cluster types as per advisory

      • Audits Databricks clusters for potential privilege elevation. This control typically requires permissions on the Databricks cluster
    • content.json now has key- and content-based sorting. This enables delta checks with git diff HEAD^1 ¹, as content.json has a predetermined order of results

    ¹ Word of caution: if you want to check deltas of content.json, then content.json will need to be "unignored" in .gitignore, exposing results to any upstream you might have configured.

    Use this feature with caution, and ensure you don't have a public upstream set for the branch you are using this feature on

  • Change of programming patterns to avoid possible race conditions with larger datasets. This is mostly a matter of changing var to let in for await-style loops
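The delta check described above relies on content.json being written in a predetermined order. The following is an added example (not EAST's own code) of what that ordering involves and of doing the delta in code rather than by reading a git diff: result objects are canonicalized (keys sorted recursively) and sorted by resource id plus control id, with the serialized content as a tie-breaker, and two runs are compared for regressions and fixes. The result shape ({ id, controlId, isHealthy, ... }) follows the machine-readable control shown in the Controls section; the sample runs are constructed.

```javascript
// Added example, not EAST's own code: deterministic ordering of control
// results so two content.json files can be diffed, plus an in-code delta
// between runs. Assumed result shape: { id, controlId, isHealthy, ... }.

// Recursively sort object keys so JSON.stringify output does not depend on
// the order in which properties were assigned at runtime.
function canonicalize(value) {
  if (Array.isArray(value)) return value.map(canonicalize);
  if (value && typeof value === 'object') {
    return Object.keys(value).sort().reduce((acc, k) => {
      acc[k] = canonicalize(value[k]);
      return acc;
    }, {});
  }
  return value;
}

// Sort by resource id, then control id (the "key" part), then by serialized
// content (the "content" part) as a tie-breaker for duplicate keys.
function sortResults(results) {
  const keyOf = (r) => `${(r.id || '').toLowerCase()}|${r.controlId || ''}`;
  return [...results].sort((a, b) => {
    const ka = keyOf(a), kb = keyOf(b);
    if (ka !== kb) return ka < kb ? -1 : 1;
    const ca = JSON.stringify(canonicalize(a)), cb = JSON.stringify(canonicalize(b));
    return ca < cb ? -1 : ca > cb ? 1 : 0;
  }).map(canonicalize);
}

function toContentJson(results) {
  return JSON.stringify(sortResults(results), null, 2);
}

// Delta between two runs: regressed (healthy -> unhealthy), fixed
// (unhealthy -> healthy), added and removed control results, by key.
function deltaRuns(previous, current) {
  const keyOf = (r) => `${(r.id || '').toLowerCase()}|${r.controlId}`;
  const prev = new Map(previous.map((r) => [keyOf(r), r]));
  const curr = new Map(current.map((r) => [keyOf(r), r]));
  const delta = { regressed: [], fixed: [], added: [], removed: [] };
  for (const [k, r] of curr) {
    const p = prev.get(k);
    if (!p) delta.added.push(k);
    else if (p.isHealthy && !r.isHealthy) delta.regressed.push(k);
    else if (!p.isHealthy && r.isHealthy) delta.fixed.push(k);
  }
  for (const k of prev.keys()) if (!curr.has(k)) delta.removed.push(k);
  return delta;
}

// Constructed sample runs (not real scan output). RUN_2 has the same
// records with different property order and flipped health states.
const RUN_1 = [
  { id: '/subscriptions/s1/resourceGroups/rg-a/providers/Microsoft.Web/sites/fn-a', controlId: 'managedIdentity', isHealthy: true, category: 'Access' },
  { id: '/subscriptions/s1/resourceGroups/rg-a/providers/Microsoft.ContainerRegistry/registries/acr1', controlId: 'acr_adminUser', isHealthy: false, category: 'Access' },
];
const RUN_2 = [
  { category: 'Access', isHealthy: true, controlId: 'acr_adminUser', id: '/subscriptions/s1/resourceGroups/rg-a/providers/Microsoft.ContainerRegistry/registries/acr1' },
  { category: 'Access', isHealthy: false, controlId: 'managedIdentity', id: '/subscriptions/s1/resourceGroups/rg-a/providers/Microsoft.Web/sites/fn-a' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(toContentJson(RUN_2));
  console.log(deltaRuns(RUN_1, RUN_2));
}
```

Because the key is the lower-cased resource id plus control id, a resource whose id changes case between runs (ARM is not consistent here) is still matched rather than reported as removed and added.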


Important

Current status of the tool is beta
  • Fixes, updates etc. are done on a "best effort" basis, with no guarantee of time, or quality of the possible fix applied
  • We do some additional tuning before using EAST in our daily work, such as applying various run and environment restrictions, besides familiarizing ourselves with the environment in question. Thus we currently recommend that EAST is run only in test environments, and with read-only permissions.
    • All the calls in the service are largely to Azure cloud IPs, so it should work well in hardened environments where outbound IP restrictions are applied. This reduces the risk from a malicious package in this tool trying to "phone home", as that would require C2 infrastructure hosted in Azure as well.
      • Essentially, running it in read-only mode reduces a lot of the risk associated with possibly compromised NPM packages (search for compromised NPM packages for examples)
      • Bugs etc.: you can protect your environment against certain mistakes in this code by running the tool with reader-only permissions
  • A lot of the code is "AS IS", meaning it has been serving only the purpose of creating a certain result; a lot of cleaning up and modularizing remains to be finished
  • There are no tests at the moment, apart from certain manual checks that are run after changes to main.js and various more advanced controls.
  • The control descriptions at this stage are not the final product, so feedback on them, while appreciated, is not the focus of the tooling at this stage
  • As the name implies, we use it as a tool to evaluate environments. It is not meant to be run unmonitored for the time being, and should not be run in any internet-exposed service that accepts incoming connections.
  • Documentation could be described as incomplete for the time being
  • EAST is mostly focused on PaaS resources, as most of our Azure assessments focus on this resource type
  • No input sanitization is performed on launch parameters, as it is always assumed that the input of these parameters is controlled. That being said, the tool uses exec() extensively; while not all paths have been reviewed, achieving arbitrary shell command execution through a crafted launch argument is likely trivial. This tool does not assume hostile input, so the recommendation is that you don't paste launch arguments into the command line without reviewing them first.

Tool operation

Dependencies

To reduce the amount of code, the following dependencies are used for operation and aesthetics (kudos to the maintainers of these fantastic packages):

| package | aesthetics | operation | license |
|---|---|---|---|
| axios | | ✓ | MIT |
| yargs | | ✓ | MIT |
| jsonwebtoken | | ✓ | MIT |
| chalk | ✓ | | MIT |
| js-beautify | ✓ | | MIT |

Other dependencies for running the tool (if you are planning to run this in Azure Cloud Shell, you don't need to install Azure CLI):

  • This tool does not include or distribute Microsoft Azure CLI, but rather uses it when it has been installed on the source system (such as Azure Cloud Shell, which is the primary platform for running EAST)

Azure Cloud Shell (BASH) or applicable Linux distro / WSL

| Requirement | Description | Install |
|---|---|---|
| AZ CLI | See "AZCLI USE" under Principles | `curl -sL https://aka.ms/InstallAzureCLIDeb \| sudo bash` |
| Node.js runtime 14 | Node.js runtime for EAST | Install with NVM |

Controls

EAST provides three categories of controls: Basic, Advanced, and Composite

The machine readable control looks like this, regardless of the type (Basic/advanced/composite):

```json
{
  "name": "fn-sql-2079",
  "resource": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
  "controlId": "managedIdentity",
  "isHealthy": true,
  "id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
  "Description": "\r\n Ensure The Service calls downstream resources with managed identity",
  "metadata": {
    "principalId": {
      "type": "SystemAssigned",
      "tenantId": "033794f5-7c9d-4e98-923d-7b49114b7ac3",
      "principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8"
    },
    "roles": [{
      "role": [{
        "properties": {
          "roleDefinitionId": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
          "principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8",
          "scope": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079",
          "createdOn": "2021-12-27T06:03:09.7052113Z",
          "updatedOn": "2021-12-27T06:03:09.7052113Z",
          "createdBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851",
          "updatedBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851"
        },
        "id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079/providers/Microsoft.Authorization/roleAssignments/ada69f21-790e-4386-9f47-c9b8a8c15674",
        "type": "Microsoft.Authorization/roleAssignments",
        "name": "ada69f21-790e-4386-9f47-c9b8a8c15674",
        "RoleName": "Contributor"
      }]
    }]
  },
  "category": "Access"
}
```

Basic

Basic controls include checks on the initial ARM object for simple "toggle on/off"- boolean settings of said service.

Example: Azure Container Registry adminUser (control acr_adminUser)

Portal: the registry's Admin user setting. EAST:

```javascript
if (item.properties?.adminUserEnabled == false) { returnObject.isHealthy = true }
```
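A basic control written out in full against the result schema shown above, as an added example rather than EAST's own plugin code. The function name, the initial value of isHealthy and the notApplicable handling are assumptions for this example. Note the behaviour the one-liner above implies: the comparison is with == false, so an ARM object that lacks adminUserEnabled altogether is not marked healthy; the example records why, so a reviewer can tell "admin user enabled" from "property not returned".

```javascript
// Added example, not EAST's own code: the acr_adminUser basic control
// emitted in the machine-readable result shape.

// Evaluate one ARM object and return a control result.
function evaluateAcrAdminUser(item) {
  const returnObject = {
    name: item.name,
    resource: item.id,
    controlId: 'acr_adminUser',
    isHealthy: false,               // assumed default: unhealthy until proven otherwise
    id: item.id,
    Description: 'Ensure the Container Registry admin user is disabled',
    metadata: {},
    category: 'Access',
  };

  // Only evaluate the resource type this control is written for.
  if ((item.type || '').toLowerCase() !== 'microsoft.containerregistry/registries') {
    returnObject.metadata.reason = 'notApplicable';
    return returnObject;
  }

  const enabled = item.properties?.adminUserEnabled;
  if (enabled === false) {
    returnObject.isHealthy = true;
  } else if (enabled === undefined) {
    // Missing property: stays unhealthy, but say so (possible API/permission issue).
    returnObject.metadata.reason = 'adminUserEnabled not present in ARM object';
  } else {
    returnObject.metadata.reason = 'admin user enabled';
  }
  return returnObject;
}

// Constructed ARM objects, trimmed to the fields the control reads.
const ACR_OK = {
  id: '/subscriptions/s1/resourceGroups/rg-a/providers/Microsoft.ContainerRegistry/registries/acrok',
  name: 'acrok',
  type: 'Microsoft.ContainerRegistry/registries',
  properties: { adminUserEnabled: false },
};
const ACR_BAD = { ...ACR_OK, id: ACR_OK.id.replace('acrok', 'acrbad'), name: 'acrbad', properties: { adminUserEnabled: true } };
const ACR_UNKNOWN = { ...ACR_OK, id: ACR_OK.id.replace('acrok', 'acrunk'), name: 'acrunk', properties: {} };
const NOT_ACR = {
  id: '/subscriptions/s1/resourceGroups/rg-a/providers/Microsoft.Web/sites/fn-a',
  name: 'fn-a',
  type: 'Microsoft.Web/sites',
  properties: {},
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const item of [ACR_OK, ACR_BAD, ACR_UNKNOWN, NOT_ACR]) {
    const r = evaluateAcrAdminUser(item);
    console.log(r.name, r.isHealthy, r.metadata.reason || '');
  }
}
```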

Advanced

Advanced controls include checks beyond the initial ARM object, often invoking new requests to get further information about the resource in scope and its relation to other services.

Example: Role Assignments

Besides checking the role assignments of the subscription, an additional check is performed via Azure AD Conditional Access reporting for MFA, and that privileged accounts are not protected only by passwords (SPNs with client secrets).

Example: Azure Data Factory

ADF_pipeLineRuns

Azure Data Factory pipeline mapping combines pipelines -> activities -> data targets, and then checks for secrets leaked into the logs via the run history of those activities.
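The secret-in-logs part of that control, as an added example that is not EAST's own detection code: activity run output is scanned line by line with a small detector table (storage account key, SAS signature, JWT, connection-string password), and findings are written into an ADF_pipeLineRuns-shaped result with the secret value redacted so the result file does not itself become a leak. The patterns, the redaction rule and the activity outputs are all constructed for the example.

```javascript
// Added example, not EAST's own code: scanning pipeline activity run output
// for leaked secrets and reporting them as a control result.

// Detector table. Each regex captures the sensitive value in group 1 so the
// finding can carry a redacted hint instead of the secret.
const DETECTORS = [
  { kind: 'storage-account-key', re: /AccountKey=([A-Za-z0-9+/]{40,}={0,2})/g },
  { kind: 'sas-token', re: /[?&]sig=([A-Za-z0-9%+/=]{20,})/g },
  { kind: 'jwt', re: /\b(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})\b/g },
  { kind: 'connection-string-password', re: /(?:Password|Pwd)=([^;\s"']+)/gi },
];

// Keep just enough of the value to correlate findings, never the whole secret.
function redact(value) {
  return value.length <= 8 ? '***' : `${value.slice(0, 4)}…${value.slice(-2)}`;
}

// Scan one activity's output text line by line.
function findSecrets(text, activityName = 'unknown') {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { kind, re } of DETECTORS) {
      re.lastIndex = 0;                       // global regex: reset between lines
      for (const m of line.matchAll(re)) {
        findings.push({ activity: activityName, line: i + 1, kind, hint: redact(m[1]) });
      }
    }
  });
  return findings;
}

// Fold all activity runs of a pipeline into one control result.
function pipelineRunsControl(pipelineId, runs) {
  const all = runs.flatMap((r) => findSecrets(r.output, r.activity));
  return {
    id: pipelineId,
    resource: pipelineId,
    controlId: 'ADF_pipeLineRuns',
    isHealthy: all.length === 0,
    Description: 'Ensure pipeline activity run logs do not contain secrets',
    metadata: { findings: all },
    category: 'Data',
  };
}

// Constructed activity outputs: one clean, one echoing a storage connection
// string and a SAS URL, one logging a bearer token in a debug line.
const SAMPLE_RUNS = [
  { activity: 'CopyBlobToSql', output: 'Copy completed: 1200 rows written to dbo.Orders' },
  { activity: 'DebugConnection', output: [
    'Using DefaultEndpointsProtocol=https;AccountName=stexample;AccountKey=9uXv8CkQ2LmAd1ZhRfNwYpT7BsE4gJcK6oH0VqWt3iUxMnP5rSbD8aFeG1jL2kN4cQ7vT6yX9wZ0mB3rE5uI8oA==;',
    'Reading https://stexample.blob.core.windows.net/in/f.csv?sv=2021-06-08&sig=Ab3dEf6gH9jK2lM5nO8pQ1rS4tU7vW0xYzA%3D',
  ].join('\n') },
  { activity: 'WebActivity', output: 'DEBUG headers: Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4ifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c' },
];

if (typeof require !== 'undefined' && require.main === module) {
  const id = '/subscriptions/s1/resourceGroups/rg-a/providers/Microsoft.DataFactory/factories/adf1/pipelines/p1';
  console.log(JSON.stringify(pipelineRunsControl(id, SAMPLE_RUNS), null, 2));
}
```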



Composite

Composite controls combine two or more control results from the pipeline in order to form one or more new controls. Using composites solves two use cases for EAST:

  1. You can't guarantee the order in which control results are returned in the pipeline
  2. You need to return more than one control result from a single check

Example: composite_resolve_alerts

  1. Get alerts from Microsoft Cloud Defender on subscription check
  2. Form new controls per resourceProvider for alerts
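The two steps above written out, as an added example that is not EAST's composite_resolve_alerts itself: the composite looks up the subscription-level alerts result in an unordered result list (use case 1), and fans it out into one control per resource provider (use case 2), reporting the count and highest severity per provider. The alert shape, the control ids and the 'defenderAlerts' source control name are assumptions for the example; the alerts are constructed.

```javascript
// Added example, not EAST's own code: a composite that turns one alerts
// result into one control per resource provider.

const SEVERITY = { Informational: 0, Low: 1, Medium: 2, High: 3 };

// Resource provider is the segment after the first "/providers/" in a
// resource id, e.g. microsoft.sql for .../providers/Microsoft.Sql/servers/x.
function resourceProviderOf(resourceId) {
  const m = /\/providers\/([^/]+)\//i.exec(resourceId || '');
  return m ? m[1].toLowerCase() : 'unknown';
}

// results: the (unordered) pipeline results. knownProviders: providers that
// should get a healthy control even when they have no alerts.
function compositeResolveAlerts(results, subscriptionId, knownProviders = []) {
  const alertsResult = results.find((r) => r.controlId === 'defenderAlerts' && r.id === subscriptionId);
  if (!alertsResult) return [];           // source result not present: nothing to compose yet
  const byProvider = new Map(knownProviders.map((p) => [p.toLowerCase(), []]));
  for (const alert of alertsResult.metadata?.alerts || []) {
    const rp = resourceProviderOf(alert.resourceId);
    if (!byProvider.has(rp)) byProvider.set(rp, []);
    byProvider.get(rp).push(alert);
  }
  return [...byProvider.entries()]
    .sort(([a], [b]) => (a < b ? -1 : 1))     // deterministic output order
    .map(([rp, alerts]) => ({
      id: `${subscriptionId}/providers/${rp}`,
      resource: subscriptionId,
      controlId: `composite_alerts_${rp.replace(/\./g, '_')}`,
      isHealthy: alerts.length === 0,
      Description: `No unresolved Defender for Cloud alerts for ${rp}`,
      metadata: {
        count: alerts.length,
        highest: alerts.reduce((h, a) => (SEVERITY[a.severity] > SEVERITY[h] ? a.severity : h), 'Informational'),
        alerts: alerts.map((a) => a.name),
      },
      category: 'Alerts',
    }));
}

// Constructed pipeline results, deliberately out of order, with a
// subscription-level alerts result carrying three constructed alerts.
const SUB = '/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394';
const PIPELINE_RESULTS = [
  { id: `${SUB}/resourceGroups/rg-a/providers/Microsoft.Web/sites/fn-a`, controlId: 'managedIdentity', isHealthy: true },
  { id: SUB, controlId: 'defenderAlerts', isHealthy: false, metadata: { alerts: [
    { name: 'Suspicious authentication activity', severity: 'Medium', resourceId: `${SUB}/resourceGroups/rg-a/providers/Microsoft.Sql/servers/sql1` },
    { name: 'Access from a Tor exit node', severity: 'High', resourceId: `${SUB}/resourceGroups/rg-a/providers/Microsoft.Storage/storageAccounts/st1` },
    { name: 'Potential SQL injection', severity: 'High', resourceId: `${SUB}/resourceGroups/rg-a/providers/Microsoft.Sql/servers/sql1/databases/db1` },
  ] } },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compositeResolveAlerts(PIPELINE_RESULTS, SUB, ['Microsoft.Web']), null, 2));
}
```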

Reporting

EAST is not focused on providing automated report generation, as it mostly provides JSON files with control and evaluation status. The idea is to use separate tooling to create reports, which is fairly trivial to automate via markdown creation scripts and tools such as Pandoc.

  • While focus is not on the reporting, this repo includes example automation for report creation with pandoc to ease reading of the results in single document format.
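What such a markdown creation script looks like, as an added example that is not the repo's own eastReports.js: control results in the machine-readable shape are grouped per category into a summary table, followed by a table of unhealthy controls only, sorted so that two runs produce comparable documents. The output is plain GFM that pandoc converts with the command shown under "Export report from cloud shell". Section layout and the sample results are assumptions for the example.

```javascript
// Added example, not EAST's own code: render control results to markdown.

// Cell text must not break the table: escape pipes, flatten newlines.
function escapeCell(s) {
  return String(s ?? '').replace(/\|/g, '\\|').replace(/\r?\n/g, ' ').trim();
}

// Short resource name: the last segment of the resource id.
function shortName(id) {
  return (id || '').split('/').filter(Boolean).pop() || id;
}

function renderMarkdown(results, title = 'EAST findings') {
  const byCategory = new Map();
  for (const r of results) {
    const cat = r.category || 'Uncategorized';
    if (!byCategory.has(cat)) byCategory.set(cat, []);
    byCategory.get(cat).push(r);
  }
  const lines = [`# ${title}`, '', '## Summary', '', '| Category | Controls | Unhealthy |', '|---|---:|---:|'];
  for (const cat of [...byCategory.keys()].sort()) {
    const rs = byCategory.get(cat);
    lines.push(`| ${escapeCell(cat)} | ${rs.length} | ${rs.filter((r) => !r.isHealthy).length} |`);
  }
  lines.push('', '## Unhealthy controls', '');
  const unhealthy = results
    .filter((r) => !r.isHealthy)
    .sort((a, b) => (`${a.controlId}${a.id}` < `${b.controlId}${b.id}` ? -1 : 1));
  if (unhealthy.length === 0) {
    lines.push('No unhealthy controls.');
  } else {
    lines.push('| Control | Resource | Description |', '|---|---|---|');
    for (const r of unhealthy) {
      lines.push(`| ${escapeCell(r.controlId)} | ${escapeCell(shortName(r.id))} | ${escapeCell(r.Description)} |`);
    }
  }
  return lines.join('\n') + '\n';
}

// Constructed results (the Description with "\r\n" mirrors the shape seen
// in real output; the one with a pipe exercises escaping).
const SAMPLE_RESULTS = [
  { id: '/subscriptions/s1/resourceGroups/rg-a/providers/Microsoft.Web/sites/fn-a', controlId: 'managedIdentity', isHealthy: true, Description: '\r\n Ensure the service calls downstream resources with managed identity', category: 'Access' },
  { id: '/subscriptions/s1/resourceGroups/rg-a/providers/Microsoft.ContainerRegistry/registries/acr1', controlId: 'acr_adminUser', isHealthy: false, Description: 'Ensure the admin user is disabled', category: 'Access' },
  { id: '/subscriptions/s1/resourceGroups/rg-a/providers/Microsoft.Storage/storageAccounts/st1', controlId: 'storage_httpsOnly', isHealthy: false, Description: 'Ensure HTTPS-only | TLS 1.2', category: 'Network' },
];

if (typeof require !== 'undefined' && require.main === module) {
  process.stdout.write(renderMarkdown(SAMPLE_RESULTS));
}
```

Write the output to a .md file and feed it to pandoc; the --reference-doc option used in the export step supplies the styling, so the script itself only needs to produce clean tables.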

While this tool does not distribute pandoc, it can be used when creating the reports, thus the following citation is added: https://github.com/jgm/pandoc/blob/master/CITATION.cff

cff-version: 1.2.0
title: Pandoc
message: "If you use this software, please cite it as below."
type: software
url: "https://github.com/jgm/pandoc"
authors:
- given-names: John
family-names: MacFarlane
email: jgm@berkeley.edu
orcid: 'https://orcid.org/0000-0003-2557-9090'
- given-names: Albert
family-names: Krewinkel
email: tarleb+github@moltkeplatz.de
orcid: '0000-0002-9455-0796'
- given-names: Jesse
family-names: Rosenthal
email: jrosenthal@jhu.edu

Running EAST scan

This part is a guide to running this either on BASH on Linux, or BASH on Azure Cloud Shell (obviously Cloud Shell is Linux too, but it does not require that you have your own Linux box to use this).

⚠️If you are running the tool in Cloud Shell, you might need to reapply some of the installations again as Cloud Shell does not persist various session settings.

Fire and forget prerequisites on Cloud Shell

```shell
curl -o- https://raw.githubusercontent.com/jsa2/EAST/preview/sh/initForuse.sh | bash;
```

Piping a remote script straight into bash runs whatever that URL serves at that moment; fetch the script first and read it if you want to know what it does before running it. It performs the steps listed under the detailed prerequisites below, so after it completes you can jump to the next step.

Detailed prerequisites (this is if you opted not to do the "fire and forget" version)

Prerequisites

```shell
git clone https://github.com/jsa2/EAST --branch preview
cd EAST;
npm install
```

Pandoc installation on Cloud Shell

```shell
# Get pandoc for reporting (first time only)
wget "https://github.com/jgm/pandoc/releases/download/2.17.1.1/pandoc-2.17.1.1-linux-amd64.tar.gz";
tar xvzf "pandoc-2.17.1.1-linux-amd64.tar.gz" --strip-components 1 -C ~
```

Installing pandoc on distros that support APT

```shell
# Get pandoc for reporting (first time only)
sudo apt install pandoc
```

Log in to Az CLI and run the scan

```shell
# Relogin is required to ensure the token cache is placed in the session on Cloud Shell
az account clear
az login

#
cd EAST
# replace the subid below with your subscription ID!
subId=6193053b-408b-44d0-b20f-4e29b9b67394
#
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId
```


Generate report

```shell
cd EAST; node templatehelpers/eastReports.js --doc
```

  • If you want to include all Azure Security Benchmark results in the report:

```shell
cd EAST; node templatehelpers/eastReports.js --doc --asb
```

Export report from Cloud Shell

```shell
pandoc -s fullReport2.md -f markdown -t docx --reference-doc=pandoc-template.docx -o fullReport2.docx
```


Azure DevOps (experimental)

There is an Azure DevOps control for dumping pipeline logs. You can specify the control run as in the following example:

```shell
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId --azdevops "organizationName"
```

Licensing

Community use

  • Share relevant controls across multiple environments as community effort

Company use

  • Companies have possibility to develop company specific controls which apply to company specific work. Companies can then control these implementations by decision to share, or not share them based on the operating principle of that company.

Non IPR components

  • Code logic and functions are under the MIT license. Since code logic and functions are already based on open-source components and vendor APIs, it does not make sense to restrict something that is already based on open source

If you use this tool as part of your commercial effort we only require, that you follow the very relaxed terms of MIT license

Read license

Tool operation documentation

Principles

AZCLI USE

Existing tooling enhanced with Node.js runtime

Use rich and maintained context of Microsoft Azure CLI login & commands with Node.js control flow which supplies enhanced rest-requests and maps results to schema.

  • This tool does not include or distribute Microsoft Azure CLI, but rather uses it when it has been installed on the source system (Such as Azure Cloud Shell, which is primary platform for running EAST)

Speedup

View more details

✅Using Node.js runtime as orchestrator utilises Nodes asynchronous nature allowing batching of requests. Batching of requests utilizes the full extent of Azure Resource Managers incredible speed.

✅Compared to running requests one-by-one, the speedup can be up to 10x, when Node executes the batch of requests instead of single request at time

Parameters reference

Example:

node ./plugins/main.js --batch=10 --nativescope --roleAssignments --helperTexts=true --checkAad --scanAuditLogs --composites --shuffle --clearTokens
Param Description Default if undefined
--nativescope Currently mandatory parameter no values
--shuffle Can help with throttling. Shuffles the resource list to reduce the possibility of resource provider throttling threshold being met no values
--roleAssignments Checks controls as per microsoft.authorization no values
--includeRG Checks controls with ResourceGroups as per microsoft.authorization no values
--checkAad Checks controls as per microsoft.azureactivedirectory no values
--subInclude Defines subscription scope no default, requires subscriptionID/s, if not defined will enumerate all subscriptions the user have access to
--namespace text filter which matches full, or part of the resource ID
example /microsoft.storage/storageaccounts all storage accounts in the scope
optional parameter
--notIncludes text filter which matches full, or part of the resource ID
example /microsoft.storage/storageaccounts all storage accounts in the scope are excluded
optional parameter
--batch size of batch interval between throttles 5
--wait size of batch interval between throttles 1500
--scanAuditLogs optional parameter. When defined in hours will toggle Azure Activity Log scanning for weak authentication events
defined in: scanAuditLogs
24h
--composites read composite no values
--clearTokens clears tokens in session folder, use this if you get authorization errors, or have just changed to other az login account
use az account clear if you want to clear AZ CLI cache too
no values
--tag Filter all results in the end based on single tag--tag=svc=aksdev no values
--ignorePreCheck use this option when used with browser delegated tokens no values
--helperTexts Will append text descriptions from general to manual controls no values
--reprocess Will update results to existing content.json. Useful for incremental runs no values

Parameters reference for example report:

node templatehelpers/eastReports.js --asb 
Param Description Default if undefined
--asb gets all ASB results available to users no values
--policy gets all Policy results available to users no values
--doc prints pandoc string for export to console no values

(Highly experimental) Running in restricted environments where only browser use is available

Read here Running in restricted environments

Developing controls

Developer guide including control flow description is here dev-guide.md

Updates and examples

Auditing Microsoft.Web provider (Functions and web apps)

✅Check roles that are assigned to function managed identity in Azure AD and all Azure Subscriptions the audit account has access to
✅Relation mapping, check which keyVaults the function uses across all subs the audit account has access to
✅Check if Azure AD authentication is enabled
✅Check that generation of access tokens to the api requires assigment .appRoleAssignmentRequired
✅Audit bindings
  • Function or Azure AD Authentication enabled
  • Count and type of triggers

✅Check if SCM and FTP endpoints are secured


Azure RBAC baseline authorization

⚠️Detect principals in privileged subscriptions roles protected only by password-based single factor authentication.
  • Checks for users without MFA policies applied for set of conditions
  • Checks for ServicePrincipals protected only by password (as opposed to using Certificate Credential, workload federation and or workload identity CA policy)

Maps to App Registration Best Practices

  • An unused credential on an application can result in security breach. While it's convenient to use password. secrets as a credential, we strongly recommend that you use x509 certificates as the only credential type for getting tokens for your application

✅State healthy - User result example

{ 
"subscriptionName": "EAST -msdn",
"friendlyName": "joosua@thx138.onmicrosoft.com",
"mfaResults": {
"oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097",
"appliedPol": [{
"GrantConditions": "challengeWithMfa",
"policy": "baseline",
"oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097"
}],
"checkType": "mfa"
},
"basicAuthResults": {
"oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097",
"appliedPol": [{
"GrantConditions": "challengeWithMfa",
"policy": "baseline",
"oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097"
}],
"checkType": "basicAuth"
},
}

⚠️State unHealthy - Application principal example

{ 
"subscriptionName": "EAST - HoneyPot",
"friendlyName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
"creds": {
"@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals(id,displayName,appId,keyCredentials,passwordCredentials,servicePrincipalType)/$entity",
"id": "babec804-037d-4caf-946e-7a2b6de3a45f",
"displayName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
"appId": "5af1760e-89ff-46e4-a968-0ac36a7b7b69",
"servicePrincipalType": "Application",
"keyCredentials": [],
"passwordCredentials": [],
"OnlySingleFactor": [{
"customKeyIdentifier": null,
"endDateTime": "2023-10-20T06:54:59.2014093Z",
"keyId": "7df44f81-a52c-4fd6-b704-4b046771f85a",
"startDateTime": "2021-10-20T06:54:59.2014093Z",
"secretText": null,
"hint": nu ll,
"displayName": null
}],
"StrongSingleFactor": []
}
}

Contributing

Following methods work for contributing for the time being:

  1. Submit a pull request with code / documentation change
  2. Submit a issue
    • issue can be a:
    • ⚠️Problem (issue)
    • Feature request
    • ❔Question

Other

  1. By default EAST tries to work with the current depedencies - Introducing new (direct) depedencies is not directly encouraged with EAST. If such vital depedency is introduced, then review licensing of such depedency, and update readme.md - depedencies
    • There is nothing to prevent you from creating your own fork of EAST with your own depedencies


EAST - Extensible Azure Security Tool - Documentation

By: Unknown
4 February 2023 at 06:30


Extensible Azure Security Tool (later referred to as E.A.S.T) is a tool for assessing Azure and, to some extent, Azure AD security controls. The primary use case of EAST is security data collection for evaluation in Azure assessments. This information (JSON content) can then be used in various reporting tools, which we use to further correlate and investigate the data.


This tool is licensed under MIT license.




Collaborators

Release notes

  • Preview branch introduced

    Changes:

    • Installation now accounts for the use of Azure Cloud Shell's updated version in regards to dependencies (Cloud Shell now has Node.js v16 installed)

    • Checking of Databricks cluster types as per advisory

      • Audits Databricks clusters for potential privilege elevation. This control typically requires permissions on the Databricks cluster
    • Content.json now has key- and content-based sorting. This enables delta checks with git diff HEAD^1 ¹, as content.json has a predetermined order of results

    ¹ Word of caution: if you want to check deltas of content.json, then content.json will need to be "unignored" from .gitignore, exposing results to any upstream you might have configured.

    Use this feature with caution, and ensure you don't have a public upstream set for the branch you are using this feature on

  • Change of programming patterns to avoid possible race conditions with larger datasets. This mostly means changing var to let in for await -style loops


Important

The current status of the tool is beta:
  • Fixes, updates etc. are done on a "best effort" basis, with no guarantee of time, or quality of the possible fix applied
  • We do some additional tuning before using EAST in our daily work, such as applying various run and environment restrictions, besides familiarizing ourselves with the environment in question. Thus we currently recommend that EAST is run only in test environments, and with read-only permissions.
    • All the calls in the service are largely to Azure Cloud IPs, so it should work well in hardened environments where outbound IP restrictions are applied. This reduces the risk of this tool containing malicious packages which could "phone home" without also having C2 in Azure.
      • Essentially, running it in read-only mode reduces a lot of the risk associated with possibly compromised NPM packages (Google compromised NPM)
      • Bugs etc.: You can protect your environment against certain mistakes in this code by running the tool with reader-only permissions
  • A lot of the code is "AS IS", meaning it has only served the purpose of creating a certain result; a lot of cleaning up and modularizing remains to be finished
  • There are no tests at the moment, apart from certain manual checks that are run after changes to main.js and various more advanced controls.
  • The control descriptions at this stage are not the final product, so feedback on them, while appreciated, is not the focus of the tooling at this stage
  • As the name implies, we use it as a tool to evaluate environments. It is not meant to be run unmonitored for the time being, and should not be run in any internet-exposed service that accepts incoming connections.
  • Documentation could be described as incomplete for the time being
  • EAST is mostly focused on PaaS resources, as most of our Azure assessments focus on this resource type
  • No input sanitization is performed on launch params, as it is always assumed that the input of these parameters is controlled. That being said, the tool uses exec() extensively. While I have not reviewed all paths, I believe that achieving shellcode execution is trivial. This tool does not assume hostile input, thus the recommendation is that you don't paste launch arguments into the command line without reviewing them first.

Tool operation

Dependencies

To reduce the amount of code, the following dependencies are used for operation and aesthetics (kudos to the maintainers of these fantastic packages):

  • axios (MIT license)
  • yargs (MIT license)
  • jsonwebtoken (MIT license)
  • chalk (MIT license)
  • js-beautify (MIT license)

Other dependencies for running the tool (if you are planning to run this in Azure Cloud Shell you don't need to install Azure CLI):

  • This tool does not include or distribute Microsoft Azure CLI, but rather uses it when it has been installed on the source system (such as Azure Cloud Shell, which is the primary platform for running EAST)

Azure Cloud Shell (BASH) or applicable Linux distro / WSL

  • AZ CLI (see AZCLI USE under Principles). Install: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
  • Node.js runtime 14 (Node.js runtime for EAST). Install with NVM

Controls

EAST provides three categories of controls: Basic, Advanced, and Composite

The machine-readable control result looks like this, regardless of the control type (Basic/Advanced/Composite):

{
  "name": "fn-sql-2079",
  "resource": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
  "controlId": "managedIdentity",
  "isHealthy": true,
  "id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
  "Description": "\r\n Ensure The Service calls downstream resources with managed identity",
  "metadata": {
    "principalId": {
      "type": "SystemAssigned",
      "tenantId": "033794f5-7c9d-4e98-923d-7b49114b7ac3",
      "principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8"
    },
    "roles": [{
      "role": [{
        "properties": {
          "roleDefinitionId": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
          "principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8",
          "scope": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079",
          "createdOn": "2021-12-27T06:03:09.7052113Z",
          "updatedOn": "2021-12-27T06:03:09.7052113Z",
          "createdBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851",
          "updatedBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851"
        },
        "id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079/providers/Microsoft.Authorization/roleAssignments/ada69f21-790e-4386-9f47-c9b8a8c15674",
        "type": "Microsoft.Authorization/roleAssignments",
        "name": "ada69f21-790e-4386-9f47-c9b8a8c15674",
        "RoleName": "Contributor"
      }]
    }]
  },
  "category": "Access"
},

Basic

Basic controls include checks on the initial ARM object for simple "toggle on/off" boolean settings of the service in question.

Example: Azure Container Registry adminUser (control acr_adminUser). The setting is a toggle in the portal; the EAST check on the ARM object is:

if (item.properties?.adminUserEnabled == false) { returnObject.isHealthy = true }

Advanced

Advanced controls include checks beyond the initial ARM object, often invoking new requests to get further information about the resource in scope and its relation to other services.

Example: Role Assignments

Besides checking the role assignments of the subscription, an additional check is performed via Azure AD Conditional Access reporting for MFA, and for privileged accounts not being protected only by passwords (SPNs with client secrets)

Example: Azure Data Factory (control ADF_pipeLineRuns)

Azure Data Factory pipeline mapping combines pipelines -> activities -> data targets and then checks for secrets leaked into the logs via the run history of those activities.



Composite

Composite controls combine two or more control results from the pipeline in order to form one or more new controls. Using composites solves two use cases for EAST:

  1. You can't guarantee the order in which control results are returned in the pipeline
  2. You need to return more than one control result from a single check

Example: composite_resolve_alerts

  1. Get alerts from Microsoft Cloud Defender on subscription check
  2. Form new controls per resourceProvider for alerts
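To make the Basic and Composite control types above concrete, here is an added example (not EAST's own code) of a basic control for the ACR adminUser toggle and a composite that forms one control per resource provider from collected alerts, both emitting the machine-readable result shape shown under Controls. The subscription ID, resource names and alert texts are constructed placeholders, and the "missing property counts as unhealthy" rule is this example's choice, not necessarily EAST's.

```javascript
// Added example, not EAST's own code: a basic control and a composite control
// that return results in the machine-readable shape shown under "Controls".
// Resource IDs, names and alerts below are constructed for the demonstration.

// Result object in the shape EAST emits for every control type.
function makeResult(item, controlId, isHealthy, description, metadata, category) {
  return {
    name: item.name,
    resource: item.id,
    controlId,
    isHealthy,
    id: item.id,
    Description: description,
    metadata,
    category,
  };
}

// Basic control (acr_adminUser): one boolean on the initial ARM object.
// Healthy only when adminUserEnabled is explicitly false; a missing property
// is reported as unhealthy with metadata 'unknown', so a partial or malformed
// ARM object can never pass the check silently.
function acrAdminUserControl(item) {
  const enabled = item.properties?.adminUserEnabled;
  return makeResult(
    item,
    'acr_adminUser',
    enabled === false,
    'Ensure the registry admin user (shared username/password login) is disabled',
    { adminUserEnabled: enabled === undefined ? 'unknown' : enabled },
    'Access',
  );
}

// Composite control (composite_resolve_alerts): takes the alerts returned by
// the subscription check and forms one control per resource provider in scope.
// Grouping happens after collection, so the output does not depend on the
// order in which pipeline results arrive.
function compositeResolveAlerts(subscriptionId, alerts, providersInScope) {
  const byProvider = new Map(providersInScope.map((p) => [p.toLowerCase(), []]));
  for (const alert of alerts) {
    // The resource provider is the path segment after '/providers/'.
    const m = /\/providers\/([^/]+)/i.exec(alert.resourceId || '');
    const provider = m ? m[1].toLowerCase() : 'unknown';
    if (!byProvider.has(provider)) byProvider.set(provider, []);
    byProvider.get(provider).push(alert);
  }
  const subItem = { name: subscriptionId, id: `/subscriptions/${subscriptionId}` };
  return [...byProvider].map(([provider, list]) =>
    makeResult(
      subItem,
      `composite_resolve_alerts_${provider}`,
      list.length === 0,
      `Resolve open Defender alerts for resources of provider ${provider}`,
      { alertCount: list.length, alerts: list.map((a) => a.alertDisplayName) },
      'Alerts',
    ));
}

// Constructed sample input (placeholder subscription ID and resource names).
const SUB = '00000000-0000-0000-0000-000000000000';
const rg = `/subscriptions/${SUB}/resourceGroups/rg-sample/providers`;
const sampleAcr = [
  { name: 'acrdev', id: `${rg}/Microsoft.ContainerRegistry/registries/acrdev`, properties: { adminUserEnabled: true } },
  { name: 'acrprod', id: `${rg}/Microsoft.ContainerRegistry/registries/acrprod`, properties: { adminUserEnabled: false } },
  { name: 'acrpartial', id: `${rg}/Microsoft.ContainerRegistry/registries/acrpartial`, properties: {} },
];
const sampleProviders = ['Microsoft.KeyVault', 'Microsoft.ContainerRegistry', 'Microsoft.Web'];
const sampleAlerts = [
  { alertDisplayName: 'constructed alert 1', resourceId: `${rg}/Microsoft.KeyVault/vaults/kv-sample-1` },
  { alertDisplayName: 'constructed alert 2', resourceId: `${rg}/Microsoft.ContainerRegistry/registries/acrdev` },
  { alertDisplayName: 'constructed alert 3', resourceId: `${rg}/Microsoft.KeyVault/vaults/kv-sample-2` },
];

console.log(JSON.stringify(sampleAcr.map(acrAdminUserControl), null, 2));
console.log(JSON.stringify(compositeResolveAlerts(SUB, sampleAlerts, sampleProviders), null, 2));
```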

Reporting

EAST is not focused on providing automated report generation; it mostly provides JSON files with control and evaluation status. The idea is to use separate tooling to create reports, which is fairly trivial to automate via markdown creation scripts and tools such as Pandoc

  • While the focus is not on reporting, this repo includes example automation for report creation with pandoc to ease reading of the results in a single-document format.

While this tool does not distribute pandoc, pandoc can be used for creating the reports, thus the following citation is added: https://github.com/jgm/pandoc/blob/master/CITATION.cff

cff-version: 1.2.0
title: Pandoc
message: "If you use this software, please cite it as below."
type: software
url: "https://github.com/jgm/pandoc"
authors:
  - given-names: John
    family-names: MacFarlane
    email: jgm@berkeley.edu
    orcid: 'https://orcid.org/0000-0003-2557-9090'
  - given-names: Albert
    family-names: Krewinkel
    email: tarleb+github@moltkeplatz.de
    orcid: '0000-0002-9455-0796'
  - given-names: Jesse
    family-names: Rosenthal
    email: jrosenthal@jhu.edu

Running EAST scan

This part is a guide on how to run EAST either in BASH on Linux, or in BASH on Azure Cloud Shell (obviously Cloud Shell is Linux too, but it does not require that you have your own Linux box to use it)

⚠️If you are running the tool in Cloud Shell, you might need to reapply some of the installations, as Cloud Shell does not persist various session settings.

Fire and forget prerequisites on cloud shell

curl -o- https://raw.githubusercontent.com/jsa2/EAST/preview/sh/initForuse.sh | bash;

Then jump to the next step, Login Az CLI and run the scan

Detailed prerequisites (this is if you opted not to do the "fire and forget" version)

Prerequisites

git clone https://github.com/jsa2/EAST --branch preview
cd EAST;
npm install

Pandoc installation on cloud shell

# Get pandoc for reporting (first time only)
wget "https://github.com/jgm/pandoc/releases/download/2.17.1.1/pandoc-2.17.1.1-linux-amd64.tar.gz";
tar xvzf "pandoc-2.17.1.1-linux-amd64.tar.gz" --strip-components 1 -C ~

Installing pandoc on distros that support APT

# Get pandoc for reporting (first time only)
sudo apt install pandoc

Login Az CLI and run the scan

# Relogin is required to ensure token cache is placed on session on cloud shell

az account clear
az login

#
cd EAST
# replace the subid below with your subscription ID!
subId=6193053b-408b-44d0-b20f-4e29b9b67394
#
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId


Generate report

cd EAST; node templatehelpers/eastReports.js --doc

  • If you want to include all Azure Security Benchmark results in the report

cd EAST; node templatehelpers/eastReports.js --doc --asb

Export report from cloud shell

pandoc -s fullReport2.md -f markdown -t docx --reference-doc=pandoc-template.docx -o fullReport2.docx


Azure DevOps (Experimental): There is an Azure DevOps control for dumping pipeline logs. You can specify the control run as in the following example:

node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId --azdevops "organizationName"
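The scan procedure above passes launch arguments straight to plugins/main.js, and the Important section notes that those parameters are not sanitized. As an added example, not part of EAST, the following Node.js wrapper checks the shape of the subscription ID, batch size and Azure DevOps organisation name before launching the scan with an argument array rather than a shell string; the flag names are those used in the procedure, while the GUID and organisation-name patterns and the batch range are assumptions.

```javascript
// Added example, not EAST's own code: validate scan inputs and launch
// plugins/main.js without going through a shell. Flag names are taken from
// the scan procedure in this README; the GUID / organisation-name patterns
// and the accepted batch range are assumptions of this example.

const SUBSCRIPTION_ID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Assumed shape for an Azure DevOps organisation name: letters, digits, hyphens.
const AZDEVOPS_ORG = /^[A-Za-z0-9][A-Za-z0-9-]{0,63}$/;

// Returns the argument vector for `node ./plugins/main.js ...`, or throws
// when an input does not have the expected shape.
function buildScanArgs({ subId, batch = 10, azdevopsOrg = null, scanAuditLogs = true }) {
  if (typeof subId !== 'string' || !SUBSCRIPTION_ID.test(subId)) {
    throw new Error('subId must be a subscription GUID');
  }
  if (!Number.isInteger(batch) || batch < 1 || batch > 50) {
    throw new Error('batch must be an integer between 1 and 50');
  }
  if (azdevopsOrg !== null && !AZDEVOPS_ORG.test(azdevopsOrg)) {
    throw new Error('azdevopsOrg contains characters outside [A-Za-z0-9-]');
  }
  const args = [
    './plugins/main.js',
    `--batch=${batch}`,
    '--nativescope=true',
    '--roleAssignments=true',
    '--helperTexts=true',
    '--checkAad=true',
  ];
  if (scanAuditLogs) args.push('--scanAuditLogs');
  args.push('--composites', `--subInclude=${subId}`);
  if (azdevopsOrg !== null) args.push('--azdevops', azdevopsOrg);
  return args;
}

// Runs the scan from the EAST checkout directory. spawnSync with an argument
// array and shell: false hands each value to main.js as one argv entry, so
// nothing in the inputs is interpreted by a shell on the way in.
function runScan(options, eastDir = process.cwd()) {
  const { spawnSync } = require('child_process');
  const result = spawnSync(process.execPath, buildScanArgs(options), {
    cwd: eastDir,
    stdio: 'inherit',
    shell: false,
  });
  if (result.error) throw result.error;
  return result.status; // exit code of main.js
}
```

Call runScan({ subId: '<your subscription ID>' }, '/path/to/EAST') from the checkout; main.js still runs with whatever Azure CLI session is active, so the read-only permissions recommended above still apply.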

Licensing

Community use

  • Share relevant controls across multiple environments as community effort

Company use

  • Companies have the possibility to develop company-specific controls which apply to company-specific work. Companies can then control these implementations by deciding to share, or not share, them based on the operating principle of that company.

Non IPR components

  • Code logic and functions are under the MIT license. Since code logic and functions are already based on open-source components & vendor APIs, it does not make sense to restrict something that is already based on open source

If you use this tool as part of your commercial effort, we only require that you follow the very relaxed terms of the MIT license

Read license

Tool operation documentation

Principles

AZCLI USE

Existing tooling enhanced with Node.js runtime

Use the rich and maintained context of Microsoft Azure CLI login & commands with Node.js control flow, which supplies enhanced REST requests and maps results to a schema.

  • This tool does not include or distribute Microsoft Azure CLI, but rather uses it when it has been installed on the source system (such as Azure Cloud Shell, which is the primary platform for running EAST)

Speedup

✅Using the Node.js runtime as orchestrator utilises Node's asynchronous nature, allowing batching of requests. Batching of requests utilizes the full extent of Azure Resource Manager's incredible speed.

✅Compared to running requests one by one, the speedup can be up to 10x when Node executes a batch of requests instead of a single request at a time

Parameters reference

Example:

node ./plugins/main.js --batch=10 --nativescope --roleAssignments --helperTexts=true --checkAad --scanAuditLogs --composites --shuffle --clearTokens
Param, description, and default if undefined:

  • --nativescope: Currently a mandatory parameter. Takes no value.
  • --shuffle: Can help with throttling. Shuffles the resource list to reduce the possibility of a resource provider throttling threshold being met. Takes no value.
  • --roleAssignments: Checks controls as per microsoft.authorization. Takes no value.
  • --includeRG: Checks controls with resource groups as per microsoft.authorization. Takes no value.
  • --checkAad: Checks controls as per microsoft.azureactivedirectory. Takes no value.
  • --subInclude: Defines the subscription scope. Requires subscription ID/s; no default, and if not defined, all subscriptions the user has access to are enumerated.
  • --namespace: Optional text filter which matches the full resource ID or part of it. Example: /microsoft.storage/storageaccounts selects all storage accounts in the scope.
  • --notIncludes: Optional text filter which matches the full resource ID or part of it; matches are excluded. Example: /microsoft.storage/storageaccounts excludes all storage accounts in the scope.
  • --batch: Size of the batch between throttle waits. Default: 5.
  • --wait: Wait interval between batches. Default: 1500.
  • --scanAuditLogs: Optional. When defined (in hours), toggles Azure Activity Log scanning for weak authentication events. Default: 24h.
  • --composites: Read composite controls. Takes no value.
  • --clearTokens: Clears tokens in the session folder; use this if you get authorization errors, or have just changed to another az login account. Use az account clear if you want to clear the AZ CLI cache too. Takes no value.
  • --tag: Filters all results at the end based on a single tag, e.g. --tag=svc=aksdev. No default.
  • --ignorePreCheck: Use this option when running with browser delegated tokens. Takes no value.
  • --helperTexts: Appends text descriptions from general to manual controls. Takes no value.
  • --reprocess: Updates results in the existing content.json. Useful for incremental runs. Takes no value.

Parameters reference for example report:

node templatehelpers/eastReports.js --asb 
Param, description, and default if undefined:

  • --asb: Gets all ASB results available to the user. Takes no value.
  • --policy: Gets all Policy results available to the user. Takes no value.
  • --doc: Prints the pandoc string for export to the console. Takes no value.

(Highly experimental) Running in restricted environments where only browser use is available

Read here: Running in restricted environments

Developing controls

The developer guide, including a description of the control flow, is in dev-guide.md

Updates and examples

Auditing Microsoft.Web provider (Functions and web apps)

✅Check roles that are assigned to the function's managed identity in Azure AD and in all Azure subscriptions the audit account has access to
✅Relation mapping: check which key vaults the function uses across all subscriptions the audit account has access to
✅Check if Azure AD authentication is enabled
✅Check that generation of access tokens to the API requires an assignment (.appRoleAssignmentRequired)
✅Audit bindings
  • Function or Azure AD Authentication enabled
  • Count and type of triggers

✅Check if SCM and FTP endpoints are secured


Azure RBAC baseline authorization

⚠️Detect principals in privileged subscription roles protected only by password-based single-factor authentication.
  • Checks for users without MFA policies applied for a set of conditions
  • Checks for service principals protected only by a password (as opposed to using a certificate credential, workload federation and/or a workload identity CA policy)

Maps to App Registration Best Practices

  • An unused credential on an application can result in a security breach. While it's convenient to use password secrets as a credential, we strongly recommend that you use x509 certificates as the only credential type for getting tokens for your application

✅State healthy - User result example

{
  "subscriptionName": "EAST -msdn",
  "friendlyName": "joosua@thx138.onmicrosoft.com",
  "mfaResults": {
    "oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097",
    "appliedPol": [{
      "GrantConditions": "challengeWithMfa",
      "policy": "baseline",
      "oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097"
    }],
    "checkType": "mfa"
  },
  "basicAuthResults": {
    "oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097",
    "appliedPol": [{
      "GrantConditions": "challengeWithMfa",
      "policy": "baseline",
      "oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097"
    }],
    "checkType": "basicAuth"
  }
}

⚠️State unHealthy - Application principal example

{
  "subscriptionName": "EAST - HoneyPot",
  "friendlyName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
  "creds": {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals(id,displayName,appId,keyCredentials,passwordCredentials,servicePrincipalType)/$entity",
    "id": "babec804-037d-4caf-946e-7a2b6de3a45f",
    "displayName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
    "appId": "5af1760e-89ff-46e4-a968-0ac36a7b7b69",
    "servicePrincipalType": "Application",
    "keyCredentials": [],
    "passwordCredentials": [],
    "OnlySingleFactor": [{
      "customKeyIdentifier": null,
      "endDateTime": "2023-10-20T06:54:59.2014093Z",
      "keyId": "7df44f81-a52c-4fd6-b704-4b046771f85a",
      "startDateTime": "2021-10-20T06:54:59.2014093Z",
      "secretText": null,
      "hint": null,
      "displayName": null
    }],
    "StrongSingleFactor": []
  }
}
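The two checks above (service principals with password-only credentials, and users without an MFA policy) can be evaluated on result data shaped like the samples. The following is an added example, not EAST's own logic: it classifies Graph credential lists into OnlySingleFactor and StrongSingleFactor, drops expired secrets, and reads the Conditional Access result; the field names come from the samples above, while the classification rule, the fixed evaluation date and the sample principals are this example's assumptions.

```javascript
// Added example, not EAST's own logic: evaluate the "Azure RBAC baseline
// authorization" checks on data shaped like the result samples above. Field
// names (keyCredentials, passwordCredentials, endDateTime, appliedPol,
// GrantConditions) come from those samples; the rule below and the sample
// principals are assumptions of this example.

// Keeps only credentials still valid at `now`; an expired secret can no
// longer be exchanged for a token, so it is not counted either way.
function liveCredentials(list, now) {
  return (list || []).filter((c) => !c.endDateTime || new Date(c.endDateTime) > now);
}

// Service principal check: unhealthy when any live password secret exists.
// Only certificates keep the principal healthy, matching the App Registration
// best practice quoted above; a principal with a certificate AND a password
// is still unhealthy, because the password alone still yields tokens.
function classifyCredentials(sp, now = new Date()) {
  const OnlySingleFactor = liveCredentials(sp.passwordCredentials, now);
  const StrongSingleFactor = liveCredentials(sp.keyCredentials, now);
  return {
    friendlyName: sp.displayName,
    isHealthy: OnlySingleFactor.length === 0,
    // A principal with no live credential at all cannot sign in; worth
    // reporting separately as a stale identity rather than as "healthy".
    hasLiveCredential: OnlySingleFactor.length + StrongSingleFactor.length > 0,
    OnlySingleFactor,
    StrongSingleFactor,
  };
}

// User check: healthy when at least one applied Conditional Access policy
// grants access only after an MFA challenge.
function userMfaHealthy(mfaResults) {
  const applied = (mfaResults && mfaResults.appliedPol) || [];
  return applied.some((p) => p.GrantConditions === 'challengeWithMfa');
}

// Constructed samples (placeholder names and key IDs, not real principals).
const NOW = new Date('2024-06-01T00:00:00Z');
const samplePrincipals = {
  passwordOnly: { displayName: 'sp-sample-password', keyCredentials: [],
    passwordCredentials: [{ keyId: 'placeholder-1', endDateTime: '2026-01-01T00:00:00Z' }] },
  certOnly: { displayName: 'sp-sample-cert',
    keyCredentials: [{ keyId: 'placeholder-2', endDateTime: '2026-01-01T00:00:00Z' }],
    passwordCredentials: [] },
  mixed: { displayName: 'sp-sample-mixed',
    keyCredentials: [{ keyId: 'placeholder-3', endDateTime: '2026-01-01T00:00:00Z' }],
    passwordCredentials: [{ keyId: 'placeholder-4', endDateTime: '2026-01-01T00:00:00Z' }] },
  expiredPassword: { displayName: 'sp-sample-expired', keyCredentials: [],
    passwordCredentials: [{ keyId: 'placeholder-5', endDateTime: '2023-01-01T00:00:00Z' }] },
};
const sampleUserMfa = { oid: 'placeholder-oid', checkType: 'mfa',
  appliedPol: [{ GrantConditions: 'challengeWithMfa', policy: 'baseline' }] };
const sampleUserNoMfa = { oid: 'placeholder-oid', checkType: 'mfa', appliedPol: [] };

for (const sp of Object.values(samplePrincipals)) {
  const r = classifyCredentials(sp, NOW);
  console.log(r.friendlyName, r.isHealthy ? 'healthy' : 'unHealthy',
    r.hasLiveCredential ? '' : '(no live credential)');
}
console.log('user MFA:', userMfaHealthy(sampleUserMfa), userMfaHealthy(sampleUserNoMfa));
```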

Contributing

The following methods work for contributing for the time being:

  1. Submit a pull request with a code / documentation change
  2. Submit an issue
    • An issue can be a:
    • ⚠️Problem (issue)
    • Feature request
    • ❔Question

Other

  1. By default EAST tries to work with the current dependencies. Introducing new (direct) dependencies is not directly encouraged with EAST. If such a vital dependency is introduced, then review the licensing of that dependency and update readme.md (dependencies)
    • There is nothing to prevent you from creating your own fork of EAST with your own dependencies

