Exfiltrate Compute Disk by sharing a snapshot

idempotent

Platform: GCP

MITRE ATT&CK Tactics

  • Exfiltration

Description

Exfiltrates a Compute Disk by sharing a snapshot with a fictitious attacker account.

Warm-up:

  • Create a Compute Disk and a Snapshot

Detonation:

  • Set the IAM policy of the snapshot so that the attacker account has permissions to access it

!!! note

Since the target e-mail must exist for this attack simulation to work, Stratus Red Team grants the role to [email protected] by default.
This is a real Google account, owned by the Stratus Red Team maintainers and not used for any purpose other than this attack simulation. However, you can override
this behavior by setting the environment variable `STRATUS_RED_TEAM_ATTACKER_EMAIL`, for instance:

```bash
export STRATUS_RED_TEAM_ATTACKER_EMAIL="[email protected]"
stratus detonate gcp.exfiltration.share-compute-snapshot
```

Instructions

```bash
stratus detonate gcp.exfiltration.share-compute-snapshot
```

Detection

You can detect when someone changes the IAM policy of a Compute Snapshot using the GCP Admin Activity audit log event `v1.compute.snapshots.setIamPolicy`. Here's a sample event, shortened for clarity:

```json
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "[email protected]",
      "principalSubject": "user:[email protected]"
    },
    "requestMetadata": {
      "callerIp": "34.33.32.31",
      "callerSuppliedUserAgent": "google-cloud-sdk gcloud/..."
    },
    "resourceName": "projects/victim-project/global/snapshots/stratus-red-team-victim-snapshot",
    "request": {
      "policy": {
        "version": "3",
        "bindings": [
          {
            "role": "roles/owner",
            "members": [
              "user:[email protected]"
            ]
          }
        ]
      },
      "@type": "type.googleapis.com/compute.snapshots.setIamPolicy"
    }
  }
}
```

Based on these events, detection strategies may include:

  • Alerting when the IAM policy of a Compute Snapshot is changed, especially if such a sharing mechanism is not part of your normal operations. Sample GCP Logs Explorer query:

```
protoPayload.methodName="v1.compute.snapshots.setIamPolicy"
```
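The Logs Explorer query above surfaces every `setIamPolicy` call on a snapshot; the added example below (not part of Stratus Red Team) goes one step further and inspects the bindings in the request, flagging only changes that grant a role to a principal outside an allow-list of trusted domains, or to `allUsers`/`allAuthenticatedUsers`. The audit entry, the `victim.example` / `external.example` domains and the `TRUSTED_DOMAINS` set are constructed for this example; `methodName` is included in the entry because the sample event on the page omits it.

```python
import json

# Constructed audit log entry modelled on the sample event above. The e-mail
# addresses and IP are placeholders, not real identities.
SAMPLE_EVENT = json.dumps({
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "methodName": "v1.compute.snapshots.setIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@victim.example"},
        "requestMetadata": {"callerIp": "34.33.32.31"},
        "resourceName": "projects/victim-project/global/snapshots/stratus-red-team-victim-snapshot",
        "request": {
            "policy": {
                "version": "3",
                "bindings": [{"role": "roles/owner",
                              "members": ["user:attacker@external.example",
                                          "group:ops@victim.example"]}],
            },
            "@type": "type.googleapis.com/compute.snapshots.setIamPolicy",
        },
    }
})

# Assumption: the organisation's own identity domains.
TRUSTED_DOMAINS = {"victim.example"}

def external_snapshot_grants(entry_json, trusted_domains=TRUSTED_DOMAINS):
    """Return (resource, caller, ["member -> role", ...]) when a snapshot
    setIamPolicy event binds members outside trusted_domains; else None."""
    payload = json.loads(entry_json).get("protoPayload", {})
    if payload.get("methodName") != "v1.compute.snapshots.setIamPolicy":
        return None
    external = []
    for binding in payload.get("request", {}).get("policy", {}).get("bindings", []):
        for member in binding.get("members", []):
            # Members look like "user:a@x", "group:g@x", "serviceAccount:s@x".
            # allUsers / allAuthenticatedUsers carry no domain: they make the
            # snapshot public, so they are always flagged.
            domain = member.rsplit("@", 1)[-1] if "@" in member else ""
            if domain not in trusted_domains:
                external.append(f"{member} -> {binding.get('role')}")
    if not external:
        return None
    return (payload.get("resourceName"),
            payload.get("authenticationInfo", {}).get("principalEmail"),
            external)

if __name__ == "__main__":
    print(external_snapshot_grants(SAMPLE_EVENT))
```

In production the same function would run over entries pulled from a log sink rather than an inline string; the caller e-mail and `callerIp` from the match are the first pivots for triage.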