Read GCE Instance Metadata via the Compute API

idempotent

Platform: GCP

Mappings

  • MITRE ATT&CK
    • Discovery

Description

Reads the metadata of a GCE instance via the Compute Engine API, simulating an attacker who has obtained a service account token and uses it to enumerate running instances and harvest secrets embedded in instance metadata fields such as startup-script.

Bootstrap scripts that install software, configure databases, or pull secrets from environment variables are a common source of plaintext credentials in GCP environments. Unlike the instance metadata server (169.254.169.254), which is only reachable from within the VM, the Compute API can be queried remotely by any identity that holds the compute.instances.get permission.

Warm-up:

  • Create a GCE instance with a simulated startup-script metadata value containing embedded credentials

Detonation:

  • Enumerate instances in the zone via the Compute API
  • Fetch the full instance resource including all metadata fields
  • Log the startup-script value if present

References:

Instructions

Detonate with Stratus Red Team
stratus detonate gcp.discovery.download-instance-metadata

Detection

Identify unexpected reads of instance metadata via the Compute API by monitoring for compute.instances.get and compute.instances.list events in GCP Data Access audit logs originating from identities that do not normally perform Compute Engine management operations.
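As an added example (not part of the Stratus Red Team project), the detection logic above run over a few constructed Data Access audit log lines: instance get/list calls are flagged when the calling principal is not in an allowlist of identities that normally manage Compute Engine. The allowlist, the project name and the principal emails are all assumed sample values.

```python
import json

# Compute API calls the technique relies on, as they appear in
# protoPayload.methodName of GCP Data Access audit logs (e.g. "v1.compute.instances.get").
WATCHED_SUFFIXES = ("compute.instances.get", "compute.instances.list")


def parse_audit_entry(line):
    """Extract principal, method, resource and time from one JSON audit log line."""
    entry = json.loads(line)
    payload = entry.get("protoPayload", {})
    return {
        "timestamp": entry.get("timestamp", ""),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", ""),
        "method": payload.get("methodName", ""),
        "resource": payload.get("resourceName", ""),
    }


def find_unexpected_metadata_reads(log_lines, baseline_principals):
    """Return instance get/list calls made by identities outside the baseline.

    baseline_principals: identities that normally perform Compute Engine
    management; in practice this allowlist is built from historical audit logs.
    """
    findings = []
    for line in log_lines:
        rec = parse_audit_entry(line)
        if not rec["method"].endswith(WATCHED_SUFFIXES):
            continue  # not an instance read; start/stop/insert etc. are out of scope here
        if rec["principal"] in baseline_principals:
            continue  # expected management activity
        findings.append(rec)
    return findings


def _entry(ts, method, principal, resource):
    """Build one constructed audit log line with only the fields the detection needs."""
    return json.dumps({"timestamp": ts, "protoPayload": {"methodName": method,
            "authenticationInfo": {"principalEmail": principal}, "resourceName": resource}})


# Constructed sample data (hypothetical project, identities and instance names).
BASELINE_PRINCIPALS = {"deploy-bot@example-project.iam.gserviceaccount.com"}
SAMPLE_LOG_LINES = [
    _entry("2024-05-01T10:00:00Z", "v1.compute.instances.list", "deploy-bot@example-project.iam.gserviceaccount.com", "projects/example-project/zones/us-central1-a/instances"),
    _entry("2024-05-01T10:00:05Z", "v1.compute.instances.get", "deploy-bot@example-project.iam.gserviceaccount.com", "projects/example-project/zones/us-central1-a/instances/web-1"),
    _entry("2024-05-01T11:42:10Z", "v1.compute.instances.list", "app-sa@example-project.iam.gserviceaccount.com", "projects/example-project/zones/us-central1-a/instances"),
    _entry("2024-05-01T11:42:12Z", "v1.compute.instances.get", "app-sa@example-project.iam.gserviceaccount.com", "projects/example-project/zones/us-central1-a/instances/web-1"),
    _entry("2024-05-01T11:50:00Z", "v1.compute.instances.start", "app-sa@example-project.iam.gserviceaccount.com", "projects/example-project/zones/us-central1-a/instances/web-1"),
]

if __name__ == "__main__":
    for f in find_unexpected_metadata_reads(SAMPLE_LOG_LINES, BASELINE_PRINCIPALS):
        print(f"{f['timestamp']} {f['principal']} {f['method']} {f['resource']}")
```

The two app-sa reads are reported while the same identity's instances.start call is not, since only the get/list methods named in the detection guidance are watched.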