Christophe Tafani-Dereeper

Results 122 issues of Christophe Tafani-Dereeper

Sources:
- https://cloud.google.com/compute/docs/connect/add-ssh-keys#add_ssh_keys_to_project_metadata
- https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/

By default, allows access to all VMs in a project (unless the VMs [disable project-wide SSH keys](https://cloud.google.com/compute/docs/connect/restrict-ssh-keys#block-keys), which is not the default)

kind/new-technique
platform/gcp

Source: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/

Gives detailed information about ACLs of all storage buckets in the project. Generates a bunch of `storage.buckets.list` events (for a single run)

kind/new-technique
platform/gcp

Sources:
- https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
- https://book.hacktricks.xyz/cloud-security/gcp-security#enumeration

```
gcloud projects get-iam-policy sandbox
gcloud organizations get-iam-policy xxxx
```

Sample log:

```json
{
  "resource": {
    "labels": {
      "project_id": "sandbox-project"
    },
    "type": "project"
  },
  "severity":...
```

kind/new-technique
platform/gcp

Background: To backdoor a project, an attacker could grant an external e-mail address permissions on the project, i.e.

```
gcloud projects add-iam-policy-binding [PROJECT] \
  --member user:[email protected] --role roles/editor
```

In...

kind/new-technique
platform/gcp

Source: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/

```
gcloud compute instances add-metadata [INSTANCE] --metadata-from-file ssh-keys=meta.txt
```

Allows SSH access to a box with a new key

kind/new-technique
platform/gcp
priority/seen-in-the-wild

... to avoid a situation where several people are using it in the same account and having clashes. Sample problematic resource name: `my-cloudtrail-trail` in `aws.defense-evasion.cloudtrail-stop`

good first issue
kind/performance
status/confirmed

kind/new-technique
platform/aws

Attack techniques marked as "slow" can be surprising for first-time users as they can take a long time to detonate.

Sample output:

```
$ stratus detonate aws.exfiltration.rds-share-snapshot
2022/07/14 09:26:06 Checking...
```

kind/enhancement
good first issue

```
$ stratus detonate aws.exfiltration.rds-share-snapshot
2022/07/14 09:24:25 Checking your authentication against AWS
2022/07/14 09:24:26 Warming up aws.exfiltration.rds-share-snapshot
2022/07/14 09:24:26 Initializing Terraform to spin up technique prerequisites
2022/07/14 09:24:54 Applying Terraform...
```

kind/bug
platform/aws
status/confirmed