Snowflake red-team iter 2 - tooling, mocks, detection pack, analysis depth#45

Merged
AndrewAltimit merged 1 commit into main from snowflake-redteam-iter2 on May 15, 2026

@AndrewAltimit
Owner

Summary

Builds on the docs-only iter-1 (#44) with full-PoC tooling across the three target areas plus the empirical work the prior appendix flagged as deferred. All offensive modules gated on ContainmentGuard, paired with detection/ subdirs, and exercised end-to-end against new loopback mocks.

New tooling

  • tools/cloud-identity/snowflake/ - JWT key-pair signer (Chain F), PAT scope walk, SCIM token harvester w/ role-race primitive
  • tools/lateral-movement/snowflake-pivot/ - storage-integration enum (Chain E), Direct Share + replication-group exfil (Chain G, audit-bypass demo), bind-param evasion against QUERY_HISTORY
  • tools/llm-attacks/cortex/ - Cortex Search poisoning bench, Cortex Agent MCP poisoning bench (Chain I), Cortex Guardrails FP/FN test harness

Mocks (loopback-only)

  • infra/lab/mock-snowflake/ on 127.0.0.1:9600 - JWT/PAT/SCIM auth, SQL exec with QUERY_HISTORY replay, shares/replication, Cortex Search + Cortex Agent runtime with a deterministic planner stub
  • infra/lab/mock-snowflake-mcp/ on 127.0.0.1:9620 - pluggable MCP server for the Cortex agent bench

Detection pack

  • 13 Sigma rules + KQL/SPL hunts + per-tool false-positive notes
  • detection/snowflake/ cross-chain index covering A-I, a streaming QUERY_HISTORY ingest pattern (KQL), and a connector-debug-log secret-cohort regex (SPL) - addresses the appendix question on real-time alerting vs ACCOUNT_USAGE's ~45m latency

Analysis / report content

  • docs/analysis/snowflake-platform-attack-surface-2026.md extended with chains F-I (closes the gap with the HTML report's chain set), the Snowflake Trail vs ACCOUNT_USAGE field-by-field mapping, and the JDBC 4.0.0-4.2.0 transitive-CVE rollup
  • reports/.../cve-inventory.html adds the 9 transitive CVEs shipped in 2026 H1 JDBC releases
  • reports/.../index.html clarifies how technical, business, and leadership readers should each navigate the report
  • site/index.html landing card refreshed for chains A-I + new tooling

Containment + CI

  • tools/lib/containment.py - assert_snowflake_is_mock, assert_snowflake_lab_account (multi-account aware for source+target chains)
  • ci/check_snowflake_tools_syntax.py wired into main-ci.yml; all 11 CI gates pass locally

Empirical findings landing in this iteration

  • Chain G server-side data motion confirmed as a source-side audit gap (mock side; lab-validation .sql ships for tenant-side confirmation)
  • Bind-parameter coverage gap reproduced end-to-end
  • Cortex Agent planner does propagate second-order tool calls and does execute SQL embedded in tool output (both directive and sql_embed MCP modes)
  • First-gen regex Guardrails baseline catches ~54.5% of the public IPI seed corpus

Test plan

  • All 11 CI gates pass locally (check_detection_pairing confirms each new tool dir is paired with a detection/ subdir)
  • Snowflake report integrity gate green (nav parity + internal link resolution across all 7 HTML pages)
  • Snowflake tooling syntax gate green (14 modules compile)
  • End-to-end smoke test of every new PoC against the loopback mocks (JWT auth, PAT enum, SCIM enum + role-race, storage int enum, share creation, replication group, bind-param evasion, Cortex Search poisoning, Cortex Agent directive + sql_embed, Guardrails harness)
  • lab-validation/*.sql scripts confirmed against a sandbox Snowflake tenant - deferred to next iteration

Generated with Claude Code
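The description above says every offensive module is gated on a containment check and that the mocks are loopback-only. The following is an added example of such a gate, not the repository's `tools/lib/containment.py`: the function names and the rule that targets must be IP literals are assumptions, and the ports are the ones this page lists.

```python
import ipaddress
from urllib.parse import urlsplit

# Ports taken from this page: the loopback mocks use 9600, 9610 and 9620.
MOCK_PORTS = frozenset({9600, 9610, 9620})


class ContainmentError(RuntimeError):
    """Raised when a target cannot be proven to be a local lab mock."""


def assert_loopback_mock(url):
    """Hypothetical guard: return (ip, port) for a loopback mock, else raise."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        raise ContainmentError("malformed URL or port") from None
    if parts.scheme not in ("http", "https"):
        raise ContainmentError(f"unsupported scheme {parts.scheme!r}")
    # "http://127.0.0.1:9600@other-host/" parses with other-host as the host,
    # so any userinfo component is refused outright.
    if parts.username is not None or parts.password is not None:
        raise ContainmentError("userinfo is not allowed in a target URL")
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Names, "localhost" included, depend on the resolver; IP literals only.
        raise ContainmentError(f"host {host!r} is not an IP literal") from None
    if not ip.is_loopback:
        raise ContainmentError(f"{ip} is not a loopback address")
    if port not in MOCK_PORTS:
        raise ContainmentError(f"port {port} is not a reserved mock port")
    return str(ip), port


def is_contained(url):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        assert_loopback_mock(url)
        return True
    except ContainmentError:
        return False
```

Calling the guard before any network I/O, and failing closed on every parse error, keeps a mistyped or look-alike URL from reaching a real tenant.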

…depth

Builds on the docs-only iter-1 (PR #44) with full-PoC tooling across the
three target areas plus the empirical work the prior appendix flagged
as deferred.

New tooling — all loopback-mocked, all gated on ContainmentGuard, all
paired with detection/ subdirs per the repo convention:

- tools/cloud-identity/snowflake/    — JWT key-pair signer (Chain F),
                                       PAT scope walk, SCIM token
                                       harvester w/ role-race primitive
- tools/lateral-movement/snowflake-pivot/ — storage-integration enum
                                       (Chain E), Direct Share +
                                       replication-group exfil (Chain G,
                                       audit-bypass demo), bind-param
                                       evasion against QUERY_HISTORY
- tools/llm-attacks/cortex/          — Cortex Search poisoning bench,
                                       Cortex Agent MCP poisoning bench
                                       (Chain I), Cortex Guardrails
                                       FP/FN test harness

Mocks (loopback-only, ports 9600/9610/9620):

- infra/lab/mock-snowflake/         — REST surface: JWT/PAT/SCIM auth,
                                      SQL exec w/ QUERY_HISTORY replay,
                                      shares/replication, Cortex
                                      Search/Agents w/ a deterministic
                                      planner stub
- infra/lab/mock-snowflake-mcp/     — pluggable MCP server for the
                                      Cortex agent bench

Detection pack:

- 13 Sigma rules + KQL/SPL hunts + per-tool false-positive notes
- detection/snowflake/ cross-chain index covering chains A–I, plus a
  streaming QUERY_HISTORY ingest pattern (KQL) and a connector-debug-
  log secret-cohort regex (SPL) — addresses prior appendix question
  about real-time alerting vs ACCOUNT_USAGE's ~45m latency

Analysis / report content:

- docs/analysis/snowflake-platform-attack-surface-2026.md gains chains
  F–I (closes the gap with the HTML report's chain set), the Snowflake
  Trail vs ACCOUNT_USAGE field-by-field mapping, and the JDBC
  4.0.0–4.2.0 transitive-CVE rollup
- reports/.../cve-inventory.html adds the 9 transitive CVEs shipped in
  2026 H1 JDBC releases
- reports/.../index.html clarifies how technical, business, and
  leadership readers should each navigate the report
- site/index.html landing card refreshed for chains A–I + new tooling

Containment additions:

- tools/lib/containment.py — assert_snowflake_is_mock,
  assert_snowflake_lab_account (multi-account aware so source+target
  lab accounts both pass Chain G validation), three reserved mock
  ports

CI:

- ci/check_snowflake_tools_syntax.py compiles every new module; wired
  into main-ci.yml alongside the existing snowflake report-integrity
  gate
- All 11 CI gates pass locally (detection-pairing confirms each new
  tool dir is paired with a detection/ subdir)

Empirical findings landing in this iteration:

- Chain G server-side data motion confirmed as a source-side audit
  gap on the mock — pair with lab-validation/*.sql to validate against
  a sandbox tenant
- Bind-parameter coverage gap reproduced end-to-end: prepared COPY
  INTO @stage statements record only the parameterized text in
  QUERY_HISTORY, bind values are absent
- Cortex Agent planner does propagate second-order tool calls and
  does execute SQL embedded in tool output — demonstrated against
  both directive and sql_embed MCP modes
- First-gen regex Guardrails baseline catches ~54.5% of the public
  IPI seed corpus — concrete floor for the appendix question

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
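The commit message reports that prepared `COPY INTO @stage` statements leave only the parameterized text in QUERY_HISTORY. The following is an added example of a hunt for those records, not one of the PR's Sigma/KQL/SPL rules: it assumes rows exported as dicts with the `QUERY_ID`, `USER_NAME` and `QUERY_TEXT` columns, and the sample rows are constructed.

```python
import re

# Snowflake bind placeholders: positional "?" and numbered ":1", ":2", ...
PLACEHOLDER = re.compile(r"\?|:\d+")
# COPY INTO whose target starts with "@", i.e. an unload to a stage.
COPY_TO_STAGE = re.compile(r"^\s*COPY\s+INTO\s+@", re.IGNORECASE)
# Single-quoted literals (with '' escapes), line comments, block comments.
LITERAL_OR_COMMENT = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.DOTALL)


def strip_literals(sql):
    """Blank literals and comments so a '?' inside them is not counted."""
    return LITERAL_OR_COMMENT.sub(
        lambda m: "''" if m.group().startswith("'") else " ", sql)


def find_blind_unloads(rows):
    """Flag rows whose audit text is a stage unload with unresolved binds."""
    hits = []
    for row in rows:
        text = strip_literals(row.get("QUERY_TEXT") or "")
        binds = PLACEHOLDER.findall(text)
        if COPY_TO_STAGE.match(text) and binds:
            hits.append({"QUERY_ID": row["QUERY_ID"],
                         "USER_NAME": row["USER_NAME"],
                         "bind_count": len(binds)})
    return hits


# Constructed sample rows, not real QUERY_HISTORY output.
SAMPLE_ROWS = [
    {"QUERY_ID": "q1", "USER_NAME": "SVC_ETL", "QUERY_TEXT":
     "COPY INTO @ext_stage/out/ FROM (SELECT * FROM customers WHERE region = ?)"},
    {"QUERY_ID": "q2", "USER_NAME": "SVC_ETL", "QUERY_TEXT":
     "COPY INTO @ext_stage/out/ FROM (SELECT * FROM customers WHERE region = 'EMEA?')"},
    {"QUERY_ID": "q3", "USER_NAME": "ANALYST", "QUERY_TEXT":
     "SELECT * FROM orders WHERE id = ?"},
    {"QUERY_ID": "q4", "USER_NAME": "SVC_APP", "QUERY_TEXT":
     "-- export job\ncopy into @unload_stage/daily/ from "
     "(select * from t where tenant_id = :1 and day = :2)"},
    {"QUERY_ID": "q5", "USER_NAME": "SVC_ETL", "QUERY_TEXT":
     "COPY INTO raw.events FROM @ext_stage/in/"},
]
```

A hit means the audit text alone cannot show what was selected, so the row is a pointer for correlation with other telemetry rather than a verdict.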
@AndrewAltimit AndrewAltimit merged commit 61be5b6 into main May 15, 2026
2 checks passed
@AndrewAltimit AndrewAltimit deleted the snowflake-redteam-iter2 branch May 15, 2026 13:54