Snowflake red-team iter-4 — Chain J, detection pairs, SPCS matrix, Native App empirical, Guardrails tier-2

CLAUDE.md

@@ -107,13 +107,13 @@ The report at `reports/snowflake-platform-assessment/` is a set of linked static
 → [tools/lateral-movement/sccm-abuse/README.md](tools/lateral-movement/sccm-abuse/README.md) — SCCM ELEVATE1/2
 → [tools/lateral-movement/azure-arc/README.md](tools/lateral-movement/azure-arc/README.md) — Azure Arc MSI pivot
 → [tools/lateral-movement/exchange-hybrid/README.md](tools/lateral-movement/exchange-hybrid/README.md) — evoSTS token forge
-→ [tools/lateral-movement/snowflake-pivot/README.md](tools/lateral-movement/snowflake-pivot/README.md) — Snowflake Chain E storage-integration enum, Chain G share / replication exfil, bind-param evasion
+→ [tools/lateral-movement/snowflake-pivot/README.md](tools/lateral-movement/snowflake-pivot/README.md) — Snowflake Chain E storage-integration enum, Chain G share / replication exfil, Chain H SPCS egress depth × EAI rule matrix probe, bind-param evasion
 → [tools/kerberos/README.md](tools/kerberos/README.md) — S4U2self/proxy, RBCD, NTLM relay, EPA recon, NTLM reflection LPE, AES roasting
 
 ### AD CS & Identity
 → [tools/ad-cs/README.md](tools/ad-cs/README.md) — ESC1–ESC16, chain.py, Shadow Credentials 2026
 → [tools/cloud-identity/README.md](tools/cloud-identity/README.md) — WIF, OIDC, Golden SAML, Silver SAML, SyncJacking, EvilTokens, FOCI, PRT devtools, CloudTrail blinding
-→ [tools/cloud-identity/snowflake/README.md](tools/cloud-identity/snowflake/README.md) — Snowflake JWT key-pair (Chain F), PAT scope walk, SCIM token harvester
+→ [tools/cloud-identity/snowflake/README.md](tools/cloud-identity/snowflake/README.md) — Snowflake JWT key-pair (Chain F), PAT scope walk + PAT discovery, SCIM token harvester, partner-integration audit (Chain J)
 → [tools/entra-abuse/README.md](tools/entra-abuse/README.md) — device-code, PRT, token replay (historical)
 
 ### Lateral Movement
@@ -148,7 +148,7 @@ The report at `reports/snowflake-platform-assessment/` is a set of linked static
 → [tools/kernel-lpe/README.md](tools/kernel-lpe/README.md) — AFD.sys, CLFS, I/O Ring primitives (requires EXPLOIT_LAB_KERNEL=1)
 
 ### Supply Chain
-→ [tools/supply-chain/README.md](tools/supply-chain/README.md) — Shai-Hulud npm worm, LiteLLM PyPI .pth, GitHub Actions OIDC (UNC6426), tj-actions-class
+→ [tools/supply-chain/README.md](tools/supply-chain/README.md) — Shai-Hulud npm worm, LiteLLM PyPI .pth, GitHub Actions OIDC (UNC6426), tj-actions-class, Snowflake Native App version-bump (Chain C empirical)
 
 ### Phishing & Initial Access
 → [tools/phishing/README.md](tools/phishing/README.md) — AiTM kits (Tycoon2FA/Sneaky2FA/Rockstar2FA), ClickFix/FileFix/ConsentFix, passkey bench, vishing tabletop

detection/snowflake/README.md

@@ -10,17 +10,25 @@ useful when building a SIEM rule set rather than evaluating one tool.
 
 ## Per-chain mapping
 
-| Chain | What it does | Detection rules |
-|-------|--------------|-----------------|
-| A — Credential theft to bulk exfil | UNC5537 replay; bulk `COPY INTO @stage` from a non-MFA / no-network-policy user. | [`bulk_exfil_baseline.yml`](sigma/bulk_exfil_baseline.yml) (new) + bind-param coverage: [`snowflake_bind_param_audit_gap.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_bind_param_audit_gap.yml) |
-| B — Cortex Code indirect injection | Pre-1.0.25 Cortex Code CLI executes shell-pipe-sh under indirect prompt injection. | [`cortex_code_pre_1_0_25.yml`](sigma/cortex_code_pre_1_0_25.yml) (new) |
-| C — Native App Marketplace supply-chain | Installed Native App auto-updates to a manifest with new external integrations. | [`native_app_unexpected_version_bump.yml`](sigma/native_app_unexpected_version_bump.yml) (new) |
-| D — Federated-IdP compromise | Forged SAML/OAuth assertion authenticates a high-privileged Snowflake user. | [`federated_login_anomaly.yml`](sigma/federated_login_anomaly.yml) (new) + [`snowflake_keypair_auth_abuse.yml`](../../tools/cloud-identity/snowflake/detection/sigma/snowflake_keypair_auth_abuse.yml) |
-| E — Storage Integration cross-cloud pivot | New external stage on an integration outside the bucket allowlist. | [`snowflake_storage_integration_misuse.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_storage_integration_misuse.yml) |
-| F — Key-pair JWT auth abuse | Stolen RSA private key signs JWT for a service user (post-MFA reality). | [`snowflake_keypair_auth_abuse.yml`](../../tools/cloud-identity/snowflake/detection/sigma/snowflake_keypair_auth_abuse.yml) |
-| G — Direct Share / Replication exfil | `ALTER SHARE ADD ACCOUNTS` or replication group with a non-allowlisted target. | [`snowflake_share_creation_unknown_consumer.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_share_creation_unknown_consumer.yml) + [`snowflake_replication_group_unknown_target.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_replication_group_unknown_target.yml) |
-| H — SPCS over-broad EAI egress | Wildcard / OPEN_ANY network rule referenced by an `EXTERNAL ACCESS INTEGRATION`. | Covered by [`snowflake_storage_integration_misuse.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_storage_integration_misuse.yml) (classifies EAI rules as critical-impact); pair with cloud-network egress observation per the chain notes. |
-| I — Cortex Agent MCP poisoning | Tool output triggers planner-initiated follow-up tool calls or SQL execution. | [`cortex_agent_directive_followup.yml`](../../tools/llm-attacks/cortex/detection/sigma/cortex_agent_directive_followup.yml) + [`cortex_agent_sql_from_tool_output.yml`](../../tools/llm-attacks/cortex/detection/sigma/cortex_agent_sql_from_tool_output.yml) + [`cortex_search_rank_anomaly.yml`](../../tools/llm-attacks/cortex/detection/sigma/cortex_search_rank_anomaly.yml) |
+Every chain has both an ACCOUNT_USAGE-shaped rule (for the audit-table
+projection a SOC ingests on a poll) and a Snowflake Trail-shaped rule
+(for the real-time event stream where Trail ingestion is enabled). The
+two surfaces share the same gaps documented in the analysis companion;
+the latency profile is the difference. Pick the rule that matches the
+ingestion surface available on the customer's side.
+
+| Chain | What it does | ACCOUNT_USAGE Sigma | Trail Sigma |
+|-------|--------------|---------------------|-------------|
+| A — Credential theft to bulk exfil | UNC5537 replay; bulk `COPY INTO @stage` from a non-MFA / no-network-policy user. | [`bulk_exfil_baseline.yml`](sigma/bulk_exfil_baseline.yml) + bind-param coverage: [`snowflake_bind_param_audit_gap.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_bind_param_audit_gap.yml) | — (folded into bulk_exfil_baseline via the streaming-ingest pipeline) |
+| B — Cortex Code indirect injection | Pre-1.0.25 Cortex Code CLI executes shell-pipe-sh under indirect prompt injection. | [`cortex_code_pre_1_0_25.yml`](sigma/cortex_code_pre_1_0_25.yml) (version-string, endpoint-side) + behavioral pair: [`cortex_code_session_to_unknown_session.yml`](sigma/cortex_code_session_to_unknown_session.yml) | covered by the behavioral pair (does not depend on Trail event names) |
+| C — Native App Marketplace supply-chain | Installed Native App auto-updates to a manifest with new external integrations. | [`native_app_unexpected_version_bump.yml`](sigma/native_app_unexpected_version_bump.yml) | — (Native App lifecycle still surfaces through ACCOUNT_USAGE.APPLICATIONS) |
+| D — Federated-IdP compromise | Forged SAML/OAuth assertion authenticates a high-privileged Snowflake user. | [`federated_login_anomaly.yml`](sigma/federated_login_anomaly.yml) | — (use the Chain F Trail variant; same login_history shape) |
+| E — Storage Integration cross-cloud pivot | New external stage on an integration outside the bucket allowlist. | [`snowflake_storage_integration_misuse.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_storage_integration_misuse.yml) | [`snowflake_storage_integration_misuse_trail.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_storage_integration_misuse_trail.yml) |
+| F — Key-pair JWT auth abuse | Stolen RSA private key signs JWT for a service user (post-MFA reality). | [`snowflake_keypair_auth_abuse.yml`](../../tools/cloud-identity/snowflake/detection/sigma/snowflake_keypair_auth_abuse.yml) | [`snowflake_keypair_auth_abuse_trail.yml`](../../tools/cloud-identity/snowflake/detection/sigma/snowflake_keypair_auth_abuse_trail.yml) |
+| G — Direct Share / Replication exfil | `ALTER SHARE ADD ACCOUNTS` or replication group with a non-allowlisted target. | [`snowflake_share_creation_unknown_consumer.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_share_creation_unknown_consumer.yml) + [`snowflake_replication_group_unknown_target.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_replication_group_unknown_target.yml) | [`snowflake_share_creation_unknown_consumer_trail.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_share_creation_unknown_consumer_trail.yml) + [`snowflake_replication_group_unknown_target_trail.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_replication_group_unknown_target_trail.yml) |
+| H — SPCS over-broad EAI egress | Wildcard / OPEN_ANY network rule referenced by an `EXTERNAL ACCESS INTEGRATION`. | [`snowflake_spcs_eai_overbroad.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_spcs_eai_overbroad.yml) | [`snowflake_spcs_eai_overbroad_trail.yml`](../../tools/lateral-movement/snowflake-pivot/detection/sigma/snowflake_spcs_eai_overbroad_trail.yml) |
+| I — Cortex Agent MCP poisoning | Tool output triggers planner-initiated follow-up tool calls or SQL execution. | [`cortex_agent_directive_followup.yml`](../../tools/llm-attacks/cortex/detection/sigma/cortex_agent_directive_followup.yml) + [`cortex_agent_sql_from_tool_output.yml`](../../tools/llm-attacks/cortex/detection/sigma/cortex_agent_sql_from_tool_output.yml) + [`cortex_search_rank_anomaly.yml`](../../tools/llm-attacks/cortex/detection/sigma/cortex_search_rank_anomaly.yml) | [`cortex_agent_directive_followup_trail.yml`](../../tools/llm-attacks/cortex/detection/sigma/cortex_agent_directive_followup_trail.yml) |
+| J — Partner-integration credential replay | Third-party SaaS holding Snowflake credentials is compromised; credential replayed from attacker infrastructure. | [`partner_integration_credential_replay.yml`](../../tools/cloud-identity/snowflake/detection/sigma/partner_integration_credential_replay.yml) | [`partner_integration_credential_replay_trail.yml`](../../tools/cloud-identity/snowflake/detection/sigma/partner_integration_credential_replay_trail.yml) |
 
 ## PAT, SCIM, and Connector secret-leak detections
 

detection/snowflake/sigma/cortex_code_session_to_unknown_session.yml

@@ -0,0 +1,58 @@
+title: Snowflake — Cortex Code Session Followed By Snowflake Login From New Source
+id: 4e6f8091-2a3b-4c5d-9e7f-1a2b3c4d5e6f
+status: experimental
+description: |
+  Behavioral pair to `cortex_code_pre_1_0_25.yml`. Fires when a Cortex
+  Code session on a developer endpoint is followed within a short
+  correlation window by a Snowflake login for the same user from an IP
+  that does not match the developer host's known egress range.
+
+  Catches the post-fix variant of Chain B: even with Cortex Code 1.0.25+,
+  if any future agentic surface mishandles indirect prompt injection in
+  the same shape, the operational signal is the same — cached
+  Snowflake tokens flow off the developer host, and a new Snowflake
+  session appears from a non-historic IP shortly after.
+
+  Unlike `cortex_code_pre_1_0_25.yml`, this rule does not decay with the
+  version string. It costs more correlation state — pair an endpoint
+  Cortex Code session window with the Snowflake LOGIN_HISTORY join.
+references:
+  - https://nvd.nist.gov/vuln/detail/CVE-2026-6442
+  - https://www.promptarmor.com/resources/snowflake-ai-escapes-sandbox-and-executes-malware
+  - https://docs.snowflake.com/en/sql-reference/account-usage/login_history
+author: security-research
+date: 2026-05-15
+tags:
+  - attack.credential_access
+  - attack.t1528
+  - attack.lateral_movement
+  - attack.t1550
+logsource:
+  product: snowflake
+  service: login_history
+detection:
+  recent_cortex_code_session:
+    has_cortex_code_session_within_window: true
+    cortex_code_session_host_id|exists: true
+  snowflake_login_for_same_user:
+    is_success: true
+  source_ip_not_matching_host_egress:
+    is_login_source_in_host_egress_range: false
+  condition: recent_cortex_code_session and snowflake_login_for_same_user
+             and source_ip_not_matching_host_egress
+fields:
+  - event_timestamp
+  - user_name
+  - client_ip
+  - cortex_code_session_host_id
+  - cortex_code_session_started_at
+  - cortex_code_cli_version
+  - authentication_method
+falsepositives:
+  - Developer authenticates from a personal device that is not on the
+    corporate egress range. Maintain a per-user device-egress allowlist
+    so the rule is not noisy for legitimate WFH patterns.
+  - VPN failover that swaps the host's egress IP. Tie the host-egress
+    enrichment to the corporate VPN policy rather than the host's
+    cached IP.
+level: high

docs/analysis/databricks-vs-snowflake-platform-comparison.md

@@ -67,7 +67,7 @@ Both platforms expose, under different names:
 
 ## Chain-By-Chain Mapping
 
-Where the Snowflake report uses Chain A through Chain I to organize
+Where the Snowflake report uses Chain A through Chain J to organize
 findings, the rough Databricks analogues are:
 
 | Snowflake chain | Databricks analogue | Shared root cause |
@@ -79,8 +79,9 @@ findings, the rough Databricks analogues are:
 | **E — Storage Integration cross-cloud pivot** | UC external location reused for a non-intended bucket; Databricks Connect IAM role reuse | The platform-side allowlist is permissive; one role serves many integrations. |
 | **F — Key-pair JWT auth abuse (post-MFA reality)** | Stolen PAT or SP OAuth credential on a CI host | Snowflake's RSA-key path is the post-2025 analogue of Databricks' always-existed PAT surface. The control-gap question is identical: is there a network policy on this machine identity? |
 | **G — Direct Share / Replication exfil** | Delta Sharing recipient pull from a third-party tenant | The provider's source-side `QUERY_HISTORY` shows no `SELECT`/`COPY` for the consumer's reads on either platform — the data motion lives in the consumer's logs, where the provider has no visibility. |
-| **H — SPCS over-broad EXTERNAL ACCESS INTEGRATION** | Databricks App with permissive outbound + Volumes egress | In-tenant code runtime with attacker-pickable egress destinations; the network-inspection depth (DNS-only vs. SNI vs. L7) is the open empirical question on both platforms. |
+| **H — SPCS over-broad EXTERNAL ACCESS INTEGRATION** | Databricks App with permissive outbound + Volumes egress | In-tenant code runtime with attacker-pickable egress destinations. The Snowflake assessment now ships a modeled inspection-depth × EAI-rule-shape matrix (DNS-only / SNI / L7 × wildcard / scoped / deny-by-default); the same matrix shape applies to Databricks Apps egress with the workspace's network-inspection control as the analogous knob. |
 | **I — MCP tool poisoning against Cortex Agents** | Genie tool result poisoning; Model Serving tool-call chain | Planner-initiated follow-up tool calls triggered by attacker-controlled tool output; the trust boundary between tool output and planner state is the same on both. |
+| **J — Partner-integration credential replay (third-party-holds-our-token)** | Partner Connect integration credential held by a partner SaaS; replayed from attacker infrastructure after the partner is compromised | Long-lived machine credential held *outside* the customer's perimeter. The control gap is the customer-side network policy on the partner-integration identity — partner egress range allowlist on Snowflake; workspace IP access list on Databricks. The 2024 UNC5537 and 2026 analytics-SaaS incidents are two instances of the same primitive at different scales (developer endpoint → SaaS vendor). |
 
 ---