Exfiltrate Compute Disk by sharing a snapshot
idempotent
Platform: GCP
MITRE ATT&CK Tactics
- Exfiltration
Description
Exfiltrates a Compute Disk by sharing a snapshot with a fictitious attacker account.
Warm-up:
- Create a Compute Disk and a Snapshot
Detonation:
- Set the IAM policy of the snapshot so that the attacker account has permissions to access it
Note
Since the target e-mail must exist for this attack simulation to work, Stratus Red Team grants the role to stratusredteam@gmail.com by default.
This is a real Google account, owned by Stratus Red Team maintainers and that is not used for any other purpose than this attack simulation. However, you can override
this behavior by setting the environment variable STRATUS_RED_TEAM_ATTACKER_EMAIL, for instance:
Instructions
Detection
You can detect when someone changes the IAM policy of a Compute Snapshot, using the GCP Admin Activity audit logs event v1.compute.snapshots.setIamPolicy. Here's a sample event, shortened for clarity:
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "user-sharing-the-snapshot@domain.tld",
"principalSubject": "user:user-sharing-the-snapshot@domain.tld"
},
"requestMetadata": {
"callerIp": "34.33.32.31",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/..."
},
"resourceName": "projects/victim-project/global/snapshots/stratus-red-team-victim-snapshot",
"request": {
"policy": {
"version": "3",
"bindings": [
{
"role": "roles/owner",
"members": [
"user:attacker@gmail.com"
]
}
]
},
"@type": "type.googleapis.com/compute.snapshots.setIamPolicy"
}
}
}
Based on these events, detection strategies may include:
- Alerting when the IAM policy of a Compute Snapshot is changed, especially if such a sharing mechanism is not part of your normal operations. Sample GCP Logs Explorer query: