Merge pull request #2457 from redcanaryco/gcp-atomic-additions

Add GCP Atomics

atomics/T1078.004/T1078.004.yaml

@@ -35,7 +35,6 @@ atomic_tests:
     name: sh
     elevation_required: false
     command: |
-      gcloud auth login --no-launch-browser
       gcloud config set project #{project-id}
       gcloud iam service-accounts create #{service-account-name}
       gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -49,6 +48,12 @@ atomic_tests:
       if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
       echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+  - description: | 
+      Check if user is logged in 
+    prereq_command: |
+      gcloud config get-value account
+    get_prereq_command: |
+      gcloud auth login --no-launch-browser
 - name: Azure Persistence Automation Runbook Created or Modified
   auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
   description: |
@@ -117,3 +122,56 @@ atomic_tests:
       Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
       cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
       terraform destroy -auto-approve
+- name: GCP - Create Custom IAM Role
+  description: |
+    This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*. The idea for this Atomic came from a Rule published by the Elastic team.
+
+    Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). 
+    Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. 
+    Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.
+    
+    This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*
+    
+    Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+    
+  supported_platforms:
+  - iaas:gcp
+  input_arguments:
+    project-id:
+      description: ID of the GCP Project you to execute the command against.
+      type: string
+      default: atomic-test-1
+    role-name:
+      description: The name of the role to be created.
+      type: string
+      default: AtomicRedTeamRole
+    role-description:
+      description: The description of the role to be created.
+      type: string
+      default: Atomic Red Team Custom IAM Role
+    roles:
+      description: List of roles to be applied
+      type: string
+      default: iam.serviceAccounts.get
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      gcloud config set project #{project-id}
+      gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+    cleanup_command: |
+      gcloud iam roles delete #{role-name} --project=#{project-id}
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Requires gcloud
+    prereq_command: |
+      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+  - description: | 
+      Check if user is logged in 
+    prereq_command: |
+      gcloud config get-value account
+    get_prereq_command: |
+      gcloud auth login --no-launch-browser

atomics/T1098/T1098.yaml

@@ -945,3 +945,69 @@ atomic_tests:
       else {
           Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
       }
+- name: GCP - Delete Service Account Key
+  description: |
+    This Atomic will: 
+      - Create a service account
+      - Create a service account key, 
+      - Store the result of retrieving a single key for that service account as a variable
+      - Pass that variable for deletion
+      - Delete the service account
+    
+    The idea for this Atomic came from a Rule published by the Elastic team.
+
+    Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP).
+    Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. 
+    If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.
+
+    Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+  supported_platforms:
+  - iaas:gcp
+  input_arguments:
+    project_id:
+      description: ID of the GCP Project you to execute the command against.
+      type: string
+      default: atomic-test-1
+    service_name:
+      description: The name of the service account.
+      type: string
+      default: atomic-service-account
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      gcloud config set project #{project_id}
+      KEY=`gcloud iam service-accounts keys list --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1`
+      gcloud iam service-accounts keys delete $KEY --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --quiet
+    cleanup_command: |
+      cd $PathToAtomicsFolder/T1098/src/T1098-17/
+      terraform state rm google_service_account_key.key
+      terraform destroy -auto-approve
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Requires gcloud
+    prereq_command: |
+      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+  - description: | 
+      Check if user is logged in 
+    prereq_command: |
+      gcloud config get-value account
+    get_prereq_command: |
+      gcloud auth login --no-launch-browser
+  - description: |
+      Check if terraform is installed.
+    prereq_command: |
+      terraform version
+    get_prereq_command: |
+        echo Please install the terraform.
+  - description: |
+      Create dependency resources using terraform
+    prereq_command: |
+      stat $PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate
+    get_prereq_command: |
+      cd $PathToAtomicsFolder/T1098/src/T1098-17/
+      terraform init
+      terraform apply -auto-approve

atomics/T1098/src/T1098-17/T1098-17.tf

@@ -0,0 +1,18 @@
+provider "google" {
+}
+
+variable "project_id" {
+}
+
+variable "service_name" {
+}
+
+resource "google_service_account" "service_account" {
+  account_id = var.service_name
+  project    = var.project_id
+}
+
+resource "google_service_account_key" "key" {
+  service_account_id = google_service_account.service_account.name
+  public_key_type    = "TYPE_X509_PEM_FILE"
+}

atomics/T1098/src/T1098-17/terraform.tfvars

@@ -0,0 +1,2 @@
+project_id   = ""
+service_name = ""

atomics/T1485/T1485.yaml

@@ -67,3 +67,60 @@ atomic_tests:
     command: |
       cipher.exe /w:C:
     name: command_prompt
+- name: GCP - Delete Bucket
+  description: |
+    This Atomic will create a Google Storage Bucket then delete it. The idea for this Atomic came from a Rule published by the Elastic team.
+
+    Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
+    This atomic will create a bucket then delete the bucket.
+
+    Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+  supported_platforms:
+  - iaas:gcp
+  input_arguments:
+    project_id:
+      description: ID of the GCP Project you to execute the command against.
+      type: string
+      default: atomic-test-1
+    bucket_name:
+      description: The name of the bucket to delete.
+      type: string
+      default: atomic-red-team-bucket
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      gcloud config set project #{project_id}
+      gcloud storage buckets delete gs://#{bucket_name}
+    cleanup_command: |
+      cd $PathToAtomicsFolder/T1485/src/T1485-4/
+      terraform state rm google_storage_bucket.bucket
+      terraform destroy -auto-approve
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Requires gcloud
+    prereq_command: |
+      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+  - description: | 
+      Check if user is logged in 
+    prereq_command: |
+      gcloud config get-value account
+    get_prereq_command: |
+      gcloud auth login --no-launch-browser
+  - description: |
+      Check if terraform is installed.
+    prereq_command: |
+      terraform version
+    get_prereq_command: |
+        echo Please install the terraform.
+  - description: |
+      Create dependency resources using terraform
+    prereq_command: |
+      stat $PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate
+    get_prereq_command: |
+      cd $PathToAtomicsFolder/T1485/src/T1485-4/
+      terraform init
+      terraform apply -auto-approve

atomics/T1485/src/T1485-4/T1485-4.tf

@@ -0,0 +1,14 @@
+provider "google" {
+}
+
+variable "project_id" {
+}
+
+variable "bucket_name" {
+}
+
+resource "google_storage_bucket" "bucket" {
+  name     = var.bucket_name
+  location = "US"
+  project  = var.project_id
+}

atomics/T1485/src/T1485-4/terraform.tfvars

@@ -0,0 +1,2 @@
+project_id  = ""
+bucket_name = ""

atomics/T1562.008/T1562.008.yaml

@@ -439,3 +439,37 @@ atomic_tests:
       Disconnect-ExchangeOnline -Confirm:$false
     name: powershell
     elevation_required: false
+- name: GCP - Delete Activity Event Log
+  description: |
+    GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data Access, System Events, and Policy Denied.
+    An adversary may attempt to delete logs in order to hide their activity. However, Admin Activity, System Events, and Policy Deny events logs cannot be deleted. 
+    
+    This Atomic attempts to delete the Activity Event log. An event is generated under the method name of `google.logging.v2.LoggingServiceV2.DeleteLog` with a Serverity of `ERROR`.
+  supported_platforms:
+  - iaas:gcp
+
+  input_arguments:
+    project-id:
+      description: ID of the GCP Project you to execute the command against.
+      type: string
+      default: atomic-project-1
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      gcloud config set project #{project-id}
+      gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Requires gcloud
+    prereq_command: |
+      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+  - description: | 
+      Check if user is logged in 
+    prereq_command: |
+      gcloud config get-value account
+    get_prereq_command: |
+      gcloud auth login --no-launch-browser