Add GCP Atomics

Created 4 GCP-based atomics
This commit is contained in:
Paul
2023-06-09 09:43:12 -07:00
parent 05fbaf32c9
commit 3c8f4a40f0
4 changed files with 165 additions and 0 deletions
+49
@@ -117,3 +117,52 @@ atomic_tests:
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform destroy -auto-approve
- name: GCP - Create Custom IAM Role
description: |
This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*. The idea for this Atomic came from a Rule published by the Elastic team.
Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP).
Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs.
Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.
This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*
Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
supported_platforms:
- iaas:gcp
input_arguments:
project-id:
description: ID of the GCP Project you to execute the command against.
type: string
default: atomic-test-1
role-name:
description: The name of the role to be created.
type: string
default: AtomicRedTeamRole
role-description:
description: The description of the role to be created.
type: string
default: Atomic Red Team Custom IAM Role
roles:
description: List of roles to be applied
type: string
default: iam.serviceAccounts.get
executor:
name: sh
elevation_required: false
command: |
gcloud auth login --no-launch-browser
gcloud config set project #{project-id}
gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
cleanup_command: |
gcloud iam roles delete #{role-name} --project=#{project-id}
dependency_executor_name: sh
dependencies:
- description: |
Requires gcloud
prereq_command: |
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
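Review bot: The `roles` input argument (`description: List of roles to be applied`, default `iam.serviceAccounts.get`) is passed to `--permissions=` on the `gcloud iam roles create` line, so it carries IAM permissions rather than roles; renaming it `permissions` with `description: Comma-separated list of IAM permissions to grant to the custom role` would match what the command actually does. The new argument names `project-id`, `role-name`, `role-description` use hyphens, whereas the existing atomics in this file (`#{automation_account_name}`, `#{resource_group}` in the context lines above) use underscores, and the description repeats the "This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*" sentence twice. `gcloud auth login --no-launch-browser` inside `command` makes every run interactive, and the same line appears in the other three GCP atomics in this commit; checking for an active credential in `prereq_command` instead, e.g. `if [ -n "$(gcloud auth list --filter=status:ACTIVE --format='value(account)')" ]; then exit 0; else exit 1; fi;`, keeps the executor non-interactive and gives a clearer failure when nobody is logged in. Note also that a deleted custom role stays soft-deleted and its ID cannot be reused until it is permanently purged (a window of several weeks, if I recall the IAM docs correctly), so re-running this atomic after cleanup with the default `role-name` may fail with an already-exists error; worth documenting or varying the default.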
+52
@@ -945,3 +945,55 @@ atomic_tests:
else {
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
- name: GCP - Delete Service Account Key
description: |
This Atomic will:
- Create a service account
- Create a service account key,
- Store the result of retrieving a single key for that service account as a variable
- Pass that variable for deletion
- Delete the service account
The idea for this Atomic came from a Rule published by the Elastic team.
Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP).
Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate.
If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.
Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
supported_platforms:
- iaas:gcp
input_arguments:
project-id:
description: ID of the GCP Project you to execute the command against.
type: string
default: atomic-test-1
service-name:
description: The name of the service account.
type: string
default: atomic-service-account
key-path:
description: Path to the key to be created from create keys command.
type: string
default: /tmp/key.json
executor:
name: sh
elevation_required: false
command: |
gcloud auth login --no-launch-browser
gcloud config set project #{project-id}
gcloud iam service-accounts create #{service-name}
gcloud iam service-accounts keys create #{key-path} --iam-account=#{service-name}@#{project-id}.iam.gserviceaccount.com
KEY = gcloud iam service-accounts keys list --iam-account=#{service-name}@#{project-id}.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1
gcloud iam service-accounts keys delete $KEY --iam-account=#{service-name}@#{project-id}.iam.gserviceaccount.com --quiet
gcloud iam service-accounts delete #{service-name}@#{project-id}.iam.gserviceaccount.com --quiet
cleanup_command: |
rm #{key-path}
dependency_executor_name: sh
dependencies:
- description: |
Requires gcloud
prereq_command: |
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
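Review bot: The line `KEY = gcloud iam service-accounts keys list ...` does not assign a shell variable — with spaces around `=`, sh tries to execute a command named `KEY`, so `$KEY` on the next line expands to nothing and the delete is invoked without a key ID. It needs a command substitution, `KEY=$(gcloud iam service-accounts keys list --iam-account=#{service-name}@#{project-id}.iam.gserviceaccount.com --managed-by=user --format="value(name.basename())" --limit=1)`; `--managed-by=user` keeps the lookup from returning one of the Google-managed keys, which cannot be deleted, and `name.basename()` is the resource field behind the KEY_ID column (I don't believe `value(KEY_ID)` resolves, since KEY_ID is only a display label — confirm against a real run). Because the service account is deleted inside `command` rather than `cleanup_command`, a failure at any earlier step leaves the account alive and its freshly minted private key sitting at `#{key-path}`; moving the account deletion into cleanup next to `rm #{key-path}` makes the test re-runnable and avoids leaving a live credential behind. The `Reference:` URL points at the storage-bucket-deletion rule, which looks copied from the bucket atomic rather than the service-account-key rule this test is modelled on.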
+35
@@ -66,3 +66,38 @@ atomic_tests:
command: |
cipher.exe /w:C:
name: command_prompt
- name: GCP - Delete Bucket
description: |
This Atomic will create a Google Storage Bucket then delete it. The idea for this Atomic came from a Rule published by the Elastic team.
Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
This atomic will create a bucket then delete the bucket.
Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
supported_platforms:
- iaas:gcp
input_arguments:
project-id:
description: ID of the GCP Project you to execute the command against.
type: string
default: atomic-test-1
bucket-name:
description: The name of the bucket to delete.
type: string
default: atomic-red-team-bucket
executor:
name: sh
elevation_required: false
command: |
gcloud auth login --no-launch-browser
gcloud config set project #{project-id}
gcloud storage buckets create gs://#{bucket-name}
gcloud storage buckets delete gs://#{bucket-name}
dependency_executor_name: sh
dependencies:
- description: |
Requires gcloud
prereq_command: |
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
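Review bot: The default `bucket-name: atomic-red-team-bucket` will not work reliably because Cloud Storage bucket names are global across all projects, so `gcloud storage buckets create gs://#{bucket-name}` fails with a name-taken error whenever that name already exists anywhere, and the following `buckets delete` then fails as well. Either state in the argument description that the name must be globally unique, or build a unique name in the command, e.g. `BUCKET="#{bucket-name}-$(date +%s)"`, `gcloud storage buckets create gs://$BUCKET`, `gcloud storage buckets delete gs://$BUCKET`. The argument description `The name of the bucket to delete.` should also mention that the bucket is created first, and the description repeats the create-then-delete sentence twice. Since there is no `cleanup_command`, a run where the create succeeds but the delete fails leaves the bucket behind; a cleanup that deletes `gs://#{bucket-name}` if it still exists would cover that case.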
+29
@@ -439,3 +439,32 @@ atomic_tests:
Disconnect-ExchangeOnline -Confirm:$false
name: powershell
elevation_required: false
- name: GCP - Delete Activity Event Log
description: |
GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data Access, System Events, and Policy Denied.
An adversary may attempt to delete logs in order to hide their activity. However, Admin Activity, System Events, and Policy Deny events logs cannot be deleted.
This Atomic attempts to delete the Activity Event log. An event is generated under the method name of `google.logging.v2.LoggingServiceV2.DeleteLog` with a Serverity of `ERROR`.
supported_platforms:
- iaas:gcp
input_arguments:
project-id:
description: ID of the GCP Project you to execute the command against.
type: string
default: atomic-project-1
executor:
name: sh
elevation_required: false
command: |
gcloud auth login --no-launch-browser
gcloud config set project #{project-id}
gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet
dependency_executor_name: sh
dependencies:
- description: |
Requires gcloud
prereq_command: |
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
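Review bot: The `gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet` step is expected to be refused (the description itself says Admin Activity logs cannot be deleted), so `sh` exits non-zero and the atomic will be reported as failed even when it produced exactly the denied `DeleteLog` audit event the test exists to generate; the description should say that a non-zero exit is the expected outcome and that success is judged by the audit event with severity ERROR, not by the executor's return code. The description also has a typo, `Serverity` for `Severity`, and "Policy Deny events logs" reads better as "Policy Denied logs" to match the list on the line above it. The default `project-id` here is `atomic-project-1` while the other three GCP atomics in this commit default to `atomic-test-1`; one value across the four keeps the inputs consistent.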