
feat(entries): Snowflake data-cloud platform — 3 companion-only pairs#20

Merged
Gerrrt merged 2 commits into
mainfrom
claude/dotfiles-round-7-github-b8nut0
Jul 2, 2026

Conversation


@Gerrrt Gerrrt commented Jul 2, 2026

Collaborator

Snowflake data cloud

Mirrors the 2024 Snowflake credential-attack TTPs (no-MFA access → bulk data theft), detected via ACCOUNT_USAGE.QUERY_HISTORY (product: snowflake, query_type/query_text). Three companion-only red↔blue pairs, distinct tactics:

| Attack (red) | Detection (blue) | ATT&CK |
|---|---|---|
| `snowflake-exfil-stage`: COPY INTO an external stage to unload whole tables | `snowflake-exfil-audit`: QUERY_TYPE=UNLOAD | T1567.002 (Exfil to Cloud Storage) |
| `snowflake-rogue-user`: backdoor user + ACCOUNTADMIN grant | `snowflake-user-audit`: CREATE_USER / priv GRANT | T1136.003 (Create Cloud Account) |
| `snowflake-network-policy`: open/drop the IP allowlist so stolen creds work anywhere | `snowflake-network-policy-audit`: NETWORK POLICY change | T1562.007 (Disable/Modify Cloud Firewall) |

Verification

  • ./gen-views.sh --check — clean (companion-only)
  • Pairing graph — all 56 pairs back-reference bidirectionally (only smb-enum-nxc unpaired)
  • README corpus intro/table + platform list updated (56 paired + 1 unpaired; added Exfiltration to the tactic span); CHANGELOG [Unreleased] updated

🤖 Generated with Claude Code


Generated by Claude Code

…irs)

Mirrors the 2024 Snowflake credential-attack TTPs, detected via
ACCOUNT_USAGE.QUERY_HISTORY (product: snowflake, query_type/query_text). Three
companion-only red↔blue pairs:

- snowflake-exfil-stage ↔ snowflake-exfil-audit: COPY INTO an external stage to
  unload whole tables; detect QUERY_TYPE=UNLOAD (T1567.002).
- snowflake-rogue-user ↔ snowflake-user-audit: create a backdoor user + grant
  ACCOUNTADMIN; detect CREATE_USER / privileged GRANT (T1136.003).
- snowflake-network-policy ↔ snowflake-network-policy-audit: open/drop the IP
  allowlist so stolen creds work from anywhere; detect NETWORK POLICY changes
  (T1562.007).

Red side is Snowflake SQL; blue side is QUERY_HISTORY Splunk SPL. Corpus is now 56
paired concepts + 1 unpaired recon entry.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW

Copilot AI left a comment


Pull request overview

Adds a Snowflake “data cloud” platform slice to the htpx red↔blue paired corpus, modeling 3 credential-attack TTPs and corresponding detections using ACCOUNT_USAGE.QUERY_HISTORY.

Changes:

  • Introduces 3 new Snowflake attack (red) entries: external-stage unload exfil, rogue user + ACCOUNTADMIN, and network-policy allowlist tampering.
  • Introduces 3 new Snowflake detection (blue) entries using snowflake:query_history telemetry patterns (QUERY_TYPE / QUERY_TEXT).
  • Updates the corpus summary/table in README.md and notes the addition in [Unreleased] in CHANGELOG.md.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| README.md | Updates corpus counts/tactic span and adds the 3 Snowflake pairs to the main red↔blue table. |
| CHANGELOG.md | Documents the new Snowflake platform and the updated corpus size under [Unreleased]. |
| entries/red/snowflake-exfil-stage.md | Adds the Snowflake exfiltration attack entry (external unload via COPY INTO). |
| entries/red/snowflake-rogue-user.md | Adds the Snowflake persistence attack entry (backdoor user + ACCOUNTADMIN). |
| entries/red/snowflake-network-policy.md | Adds the Snowflake defense-evasion attack entry (network policy tampering). |
| entries/blue/snowflake-exfil-audit.md | Adds the companion-only detection entry for QUERY_TYPE=UNLOAD. |
| entries/blue/snowflake-user-audit.md | Adds the companion-only detection entry for CREATE_USER and privileged grants in query history. |
| entries/blue/snowflake-network-policy-audit.md | Adds the companion-only detection entry for network policy changes via query text matching. |


Comment thread entries/blue/snowflake-user-audit.md Outdated
…view)

- network-policy: also match the underscore form `NETWORK_POLICY` so
  `ALTER ACCOUNT/USER SET NETWORK_POLICY = ...` is caught, not just the spaced
  `CREATE/ALTER/DROP NETWORK POLICY`.
- user-audit: the SPL matched only `ACCOUNTADMIN`; add `SECURITYADMIN` to match the
  stated invariant (both high-power roles).
- all three blue entries: use Splunk's normalized `_time` in the `| table` (the
  corpus convention) instead of Snowflake's source-specific `start_time`.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
@Gerrrt Gerrrt merged commit 3ab02cd into main Jul 2, 2026
1 check passed
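Added example, not code from this PR or from the htpx corpus: the three blue-side detections the PR describes, with the follow-up commit's fixes folded in (the underscore `NETWORK_POLICY` parameter form is matched alongside the spaced DDL form, and `SECURITYADMIN` is treated as high-power next to `ACCOUNTADMIN`), written as Python over constructed rows shaped like `ACCOUNT_USAGE.QUERY_HISTORY` instead of the corpus's Splunk SPL. The sample rows, user names, stage and policy names, and the `QUERY_TYPE` values on the DDL rows are all invented for the example; only `UNLOAD` and `CREATE_USER` are the types the PR itself relies on. It goes one step beyond the PR by correlating a `CREATE USER` with a later high-power grant to the same user, which the entries do not describe.

```python
import re

# Constructed sample rows shaped like a subset of the
# SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY columns the blue entries use
# (QUERY_TYPE / QUERY_TEXT). Not real telemetry: names are invented, and the
# QUERY_TYPE values on the DDL rows are assumptions for this example.
# Rows are assumed to be in START_TIME order.
SAMPLE_QUERY_HISTORY = [
    {"user_name": "ETL_SVC", "role_name": "ETL_ROLE", "query_type": "SELECT",
     "query_text": "SELECT count(*) FROM sales.orders"},
    {"user_name": "ETL_SVC", "role_name": "ETL_ROLE", "query_type": "UNLOAD",
     "query_text": "COPY INTO @ext_stage/orders FROM sales.orders FILE_FORMAT = (TYPE = PARQUET)"},
    {"user_name": "ANALYST1", "role_name": "ACCOUNTADMIN", "query_type": "CREATE_USER",
     "query_text": "CREATE USER backup_svc PASSWORD = '***' DEFAULT_ROLE = PUBLIC"},
    {"user_name": "ANALYST1", "role_name": "ACCOUNTADMIN", "query_type": "GRANT",
     "query_text": "GRANT ROLE securityadmin TO USER backup_svc"},
    {"user_name": "ANALYST1", "role_name": "ACCOUNTADMIN", "query_type": "GRANT",
     "query_text": "GRANT SELECT ON TABLE sales.orders TO ROLE reporting"},
    {"user_name": "ANALYST1", "role_name": "ACCOUNTADMIN", "query_type": "CREATE_NETWORK_POLICY",
     "query_text": "CREATE NETWORK POLICY open_policy ALLOWED_IP_LIST = ('0.0.0.0/0')"},
    {"user_name": "ANALYST1", "role_name": "ACCOUNTADMIN", "query_type": "ALTER_ACCOUNT",
     "query_text": "ALTER ACCOUNT SET NETWORK_POLICY = open_policy"},
    {"user_name": "ANALYST1", "role_name": "ACCOUNTADMIN", "query_type": "DROP",
     "query_text": "DROP NETWORK POLICY corp_only"},
    # Benign: an identifier that merely contains the words, should not alert.
    {"user_name": "ANALYST2", "role_name": "SYSADMIN", "query_type": "SELECT",
     "query_text": "SELECT * FROM admin.network_policy_docs"},
]

HIGH_POWER_ROLES = ("ACCOUNTADMIN", "SECURITYADMIN")

# Spaced DDL form (CREATE/ALTER/DROP NETWORK POLICY ...) and underscore
# parameter form (ALTER ACCOUNT|USER ... SET NETWORK_POLICY = ...). The
# trailing \b keeps identifiers like network_policy_docs from matching.
NETWORK_POLICY_RE = re.compile(r"\bNETWORK[ _]POLICY\b", re.IGNORECASE)

# GRANT ROLE <high-power role> TO ROLE|USER <name>; quoted identifiers are
# reduced to the [\w$] character set, a simplification for this example.
PRIV_GRANT_RE = re.compile(
    r"\bGRANT\s+ROLE\s+\"?(ACCOUNTADMIN|SECURITYADMIN)\"?\s+TO\s+(ROLE|USER)\s+\"?([\w$]+)\"?",
    re.IGNORECASE,
)
CREATE_USER_RE = re.compile(
    r"\bCREATE\s+(?:OR\s+REPLACE\s+)?USER\s+(?:IF\s+NOT\s+EXISTS\s+)?\"?([\w$]+)\"?",
    re.IGNORECASE,
)


def _ident(name):
    """Normalise an unquoted Snowflake identifier the way the engine does (upper-case)."""
    return name.strip('"').upper()


def detect_exfil(rows):
    """snowflake-exfil-audit: every UNLOAD (COPY INTO <stage>) query. Returns row indexes."""
    return [i for i, r in enumerate(rows) if r["query_type"].upper() == "UNLOAD"]


def detect_user_events(rows):
    """snowflake-user-audit: user creation, or a grant of ACCOUNTADMIN/SECURITYADMIN."""
    return [
        i for i, r in enumerate(rows)
        if r["query_type"].upper() == "CREATE_USER" or PRIV_GRANT_RE.search(r["query_text"])
    ]


def detect_network_policy(rows):
    """snowflake-network-policy-audit: any statement touching a network policy."""
    return [i for i, r in enumerate(rows) if NETWORK_POLICY_RE.search(r["query_text"])]


def correlate_backdoor(rows):
    """Map CREATED_USER -> [indexes of later high-power grants to that user].

    Ties the two halves of the snowflake-rogue-user TTP together so a single
    alert carries both the creation and the privilege escalation.
    """
    created, backdoors = {}, {}
    for i, r in enumerate(rows):
        m = CREATE_USER_RE.search(r["query_text"])
        if m:
            created[_ident(m.group(1))] = i
            continue
        m = PRIV_GRANT_RE.search(r["query_text"])
        if m and m.group(2).upper() == "USER" and _ident(m.group(3)) in created:
            backdoors.setdefault(_ident(m.group(3)), []).append(i)
    return backdoors


def run_all(rows):
    """Run the three detections plus the correlation and return their hits by rule name."""
    return {
        "snowflake-exfil-audit": detect_exfil(rows),
        "snowflake-user-audit": detect_user_events(rows),
        "snowflake-network-policy-audit": detect_network_policy(rows),
        "backdoor-user-correlation": correlate_backdoor(rows),
    }


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_QUERY_HISTORY).items():
        print(f"{rule}: {hits}")
```

Two practitioner caveats that the SPL entries inherit as well: `ACCOUNT_USAGE.QUERY_HISTORY` is populated with a lag (Snowflake documents up to 45 minutes), so none of these rules is real-time, and the no-MFA logins that start the 2024-style attack chain never appear in `QUERY_HISTORY` at all; they live in `ACCOUNT_USAGE.LOGIN_HISTORY`, which is the place to pair these query-side rules with an authentication-side one.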