diff --git a/atomics/T1078.004/T1078.004.yaml b/atomics/T1078.004/T1078.004.yaml
index be754fd2..76520c15 100644
--- a/atomics/T1078.004/T1078.004.yaml
+++ b/atomics/T1078.004/T1078.004.yaml
@@ -35,7 +35,6 @@ atomic_tests:
 name: sh
 elevation_required: false
 command: |
- gcloud auth login --no-launch-browser
 gcloud config set project #{project-id}
 gcloud iam service-accounts create #{service-account-name}
 gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -49,6 +48,12 @@ atomic_tests:
 if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
 get_prereq_command: |
 echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+ - description: |
+ Check if user is logged in
+ prereq_command: |
+ gcloud config get-value account
+ get_prereq_command: |
+ gcloud auth login --no-launch-browser
 - name: Azure Persistence Automation Runbook Created or Modified
 auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
 description: |
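Review bot: The new dependency's `prereq_command: gcloud config get-value account` does not fail when no account is configured, so the `get_prereq_command` login it is meant to trigger will, as far as I can tell, never run: gcloud prints `(unset)` to stderr and still exits 0, and the atomic then fails later at its first authenticated call. A check that exits non-zero when nothing is active, e.g. `[ -n "$(gcloud auth list --filter=status:ACTIVE --format='value(account)')" ]`, would make the dependency meaningful. The same dependency block is added verbatim in the "GCP - Create Custom IAM Role", T1098, T1485 and T1562.008 hunks below, so the fix applies to all five. Since the first hunk removes the interactive login from the executor command, the atomic now relies entirely on this prerequisite stage having been executed, which is worth a line in the test description.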
@@ -117,3 +122,56 @@ atomic_tests:
 Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
 cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
 terraform destroy -auto-approve
+- name: GCP - Create Custom IAM Role
+ description: |
+ This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*. The idea for this Atomic came from a Rule published by the Elastic team.
+
+ Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP).
+ Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs.
+ Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.
+
+ This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*
+
+ Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+
+ supported_platforms:
+ - iaas:gcp
+ input_arguments:
+ project-id:
+ description: ID of the GCP Project you to execute the command against.
+ type: string
+ default: atomic-test-1
+ role-name:
+ description: The name of the role to be created.
+ type: string
+ default: AtomicRedTeamRole
+ role-description:
+ description: The description of the role to be created.
+ type: string
+ default: Atomic Red Team Custom IAM Role
+ roles:
+ description: List of roles to be applied
+ type: string
+ default: iam.serviceAccounts.get
+ executor:
+ name: sh
+ elevation_required: false
+ command: |
+ gcloud config set project #{project-id}
+ gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+ cleanup_command: |
+ gcloud iam roles delete #{role-name} --project=#{project-id}
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Requires gcloud
+ prereq_command: |
+ if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+ - description: |
+ Check if user is logged in
+ prereq_command: |
+ gcloud config get-value account
+ get_prereq_command: |
+ gcloud auth login --no-launch-browser
diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml
index 82039b5c..e4a09540 100644
--- a/atomics/T1098/T1098.yaml
+++ b/atomics/T1098/T1098.yaml
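Review bot: The `roles` input argument is misnamed and misdescribed: its value is passed to `--permissions=` in the `gcloud iam roles create` line and its default `iam.serviceAccounts.get` is a permission, not a role, so `description: List of roles to be applied` will mislead anyone overriding it; renaming it `permissions` with `description: Comma-separated list of IAM permissions to grant the role` (and updating the command to `--permissions=#{permissions}`) would match what the command does. The description block also repeats "This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*" twice, and `ID of the GCP Project you to execute the command against.` is missing a word (`you want to execute`), here and in each of the other new atomics. Input arguments here use kebab-case (`project-id`, `role-name`) while the T1098 and T1485 atomics in this same commit use snake_case (`project_id`); pick one convention. For `cleanup_command`, I believe `gcloud iam roles delete` only marks a custom role as deleted for a retention window during which the same role id cannot be recreated, which deserves a comment since the default `role-name` is fixed and a second run would then fail at `roles create`.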
@@ -945,3 +945,69 @@ atomic_tests:
 else {
 Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
 }
+- name: GCP - Delete Service Account Key
+ description: |
+ This Atomic will:
+ - Create a service account
+ - Create a service account key,
+ - Store the result of retrieving a single key for that service account as a variable
+ - Pass that variable for deletion
+ - Delete the service account
+
+ The idea for this Atomic came from a Rule published by the Elastic team.
+
+ Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP).
+ Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate.
+ If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.
+
+ Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+ supported_platforms:
+ - iaas:gcp
+ input_arguments:
+ project_id:
+ description: ID of the GCP Project you to execute the command against.
+ type: string
+ default: atomic-test-1
+ service_name:
+ description: The name of the service account.
+ type: string
+ default: atomic-service-account
+ executor:
+ name: sh
+ elevation_required: false
+ command: |
+ gcloud config set project #{project_id}
+ KEY=`gcloud iam service-accounts keys list --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1`
+ gcloud iam service-accounts keys delete $KEY --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --quiet
+ cleanup_command: |
+ cd $PathToAtomicsFolder/T1098/src/T1098-17/
+ terraform state rm google_service_account_key.key
+ terraform destroy -auto-approve
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Requires gcloud
+ prereq_command: |
+ if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+ - description: |
+ Check if user is logged in
+ prereq_command: |
+ gcloud config get-value account
+ get_prereq_command: |
+ gcloud auth login --no-launch-browser
+ - description: |
+ Check if terraform is installed.
+ prereq_command: |
+ terraform version
+ get_prereq_command: |
+ echo Please install the terraform.
+ - description: |
+ Create dependency resources using terraform
+ prereq_command: |
+ stat $PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate
+ get_prereq_command: |
+ cd $PathToAtomicsFolder/T1098/src/T1098-17/
+ terraform init
+ terraform apply -auto-approve
\ No newline at end of file
diff --git a/atomics/T1098/src/T1098-17/T1098-17.tf b/atomics/T1098/src/T1098-17/T1098-17.tf
new file mode 100644
index 00000000..d617b39a
--- /dev/null
+++ b/atomics/T1098/src/T1098-17/T1098-17.tf
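Review bot: The atomic's `project_id` and `service_name` input arguments are never handed to Terraform: the last dependency's `get_prereq_command` runs `terraform apply -auto-approve` with no `-var` flags and the committed `terraform.tfvars` sets both to `""`, so the apply is rejected on an empty `account_id` (or creates resources in the wrong place) and the `keys delete` command then targets a service account Terraform never created; passing them through with `terraform apply -auto-approve -var="project_id=#{project_id}" -var="service_name=#{service_name}"`, and likewise on the `terraform destroy` in `cleanup_command`, ties the two together, and the T1485 hunk below has the identical gap. Separately, `keys list ... --limit=1` returns Google-managed keys alongside the user-managed one Terraform created, so `$KEY` may be a system-managed key whose deletion is refused; adding `--managed-by=user` narrows the listing, and I am not certain `value(KEY_ID)` resolves to a field (the key id lives in the resource's `name`), so `--format="value(name)"` may be what is needed. The `Reference:` link in the description points at `impact_gcp_storage_bucket_deleted.toml`, the bucket-deletion rule, rather than the service-account-key rule this test is modelled on. The `stat ...terraform.tfstate` check also stays true after `cleanup_command` has destroyed the resources, so a second run skips the apply; `terraform state list | grep -q google_service_account.service_account` would be a closer test.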
@@ -0,0 +1,18 @@
+provider "google" {
+}
+
+variable "project_id" {
+}
+
+variable "service_name" {
+}
+
+resource "google_service_account" "service_account" {
+ account_id = var.service_name
+ project = var.project_id
+}
+
+resource "google_service_account_key" "key" {
+ service_account_id = google_service_account.service_account.name
+ public_key_type = "TYPE_X509_PEM_FILE"
+}
diff --git a/atomics/T1098/src/T1098-17/terraform.tfvars b/atomics/T1098/src/T1098-17/terraform.tfvars
new file mode 100644
index 00000000..97a3bad6
--- /dev/null
+++ b/atomics/T1098/src/T1098-17/terraform.tfvars
@@ -0,0 +1,2 @@
+project_id = ""
+service_name = ""
\ No newline at end of file
diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml
index 7696c5e1..a02c3a16 100644
--- a/atomics/T1485/T1485.yaml
+++ b/atomics/T1485/T1485.yaml
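Review bot: `google_service_account_key.key` leaves the generated private key in `terraform.tfstate` inside the atomic's source directory (`atomics/T1098/src/T1098-17/`, the same file the YAML prerequisite stats), so a live credential sits in plaintext next to the repo checkout for as long as the dependencies are in place; a comment on the resource, `# NOTE: the private key is written to terraform.tfstate; keep that file out of version control and run cleanup_command promptly`, plus a `.gitignore` covering `terraform.tfstate*` in that directory, would make the handling explicit. The two `variable` blocks carry no `type` or `description`, so a mistyped `-var` is only caught at apply; `type = string` with a one-line description on each would help, and the same applies to `T1485-4.tf` further down. The `provider "google" {}` block sets no `project`, which is fine only because both resources pass `project = var.project_id` explicitly, and a comment saying so would stop someone "fixing" it.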
@@ -67,3 +67,60 @@ atomic_tests:
 command: |
 cipher.exe /w:C:
 name: command_prompt
+- name: GCP - Delete Bucket
+ description: |
+ This Atomic will create a Google Storage Bucket then delete it. The idea for this Atomic came from a Rule published by the Elastic team.
+
+ Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
+ This atomic will create a bucket then delete the bucket.
+
+ Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+ supported_platforms:
+ - iaas:gcp
+ input_arguments:
+ project_id:
+ description: ID of the GCP Project you to execute the command against.
+ type: string
+ default: atomic-test-1
+ bucket_name:
+ description: The name of the bucket to delete.
+ type: string
+ default: atomic-red-team-bucket
+ executor:
+ name: sh
+ elevation_required: false
+ command: |
+ gcloud config set project #{project_id}
+ gcloud storage buckets delete gs://#{bucket_name}
+ cleanup_command: |
+ cd $PathToAtomicsFolder/T1485/src/T1485-4/
+ terraform state rm google_storage_bucket.bucket
+ terraform destroy -auto-approve
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Requires gcloud
+ prereq_command: |
+ if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+ - description: |
+ Check if user is logged in
+ prereq_command: |
+ gcloud config get-value account
+ get_prereq_command: |
+ gcloud auth login --no-launch-browser
+ - description: |
+ Check if terraform is installed.
+ prereq_command: |
+ terraform version
+ get_prereq_command: |
+ echo Please install the terraform.
+ - description: |
+ Create dependency resources using terraform
+ prereq_command: |
+ stat $PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate
+ get_prereq_command: |
+ cd $PathToAtomicsFolder/T1485/src/T1485-4/
+ terraform init
+ terraform apply -auto-approve
\ No newline at end of file
diff --git a/atomics/T1485/src/T1485-4/T1485-4.tf b/atomics/T1485/src/T1485-4/T1485-4.tf
new file mode 100644
index 00000000..8ce389c2
--- /dev/null
+++ b/atomics/T1485/src/T1485-4/T1485-4.tf
@@ -0,0 +1,14 @@
+provider "google" {
+}
+
+variable "project_id" {
+}
+
+variable "bucket_name" {
+}
+
+resource "google_storage_bucket" "bucket" {
+ name = var.bucket_name
+ location = "US"
+ project = var.project_id
+}
diff --git a/atomics/T1485/src/T1485-4/terraform.tfvars b/atomics/T1485/src/T1485-4/terraform.tfvars
new file mode 100644
index 00000000..d2dd0d80
--- /dev/null
+++ b/atomics/T1485/src/T1485-4/terraform.tfvars
@@ -0,0 +1,2 @@
+project_id = ""
+bucket_name = ""
\ No newline at end of file
diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml
index 56eecc89..5aa18468 100644
--- a/atomics/T1562.008/T1562.008.yaml
+++ b/atomics/T1562.008/T1562.008.yaml
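Review bot: The `bucket_name` default `atomic-red-team-bucket` is unlikely to work as shipped, because Cloud Storage bucket names are globally unique across all projects, so the `terraform apply` in the last dependency's `get_prereq_command` fails for anyone whose run is not the first to claim that name; the argument description should say the name must be changed, or the default could carry a per-user suffix, e.g. `description: Globally unique name of the bucket to create and delete; override the default.`. The `stat ...terraform.tfstate` prerequisite stays satisfied after `cleanup_command` has run `terraform destroy`, so a second execution skips the apply and `gcloud storage buckets delete` then fails on a bucket that no longer exists; `terraform state list | grep -q google_storage_bucket.bucket` is a closer check. The missing `-var` hand-off from `#{project_id}` / `#{bucket_name}` to Terraform noted on the T1098 hunk applies to this `get_prereq_command` and `cleanup_command` as well.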
@@ -439,3 +439,37 @@ atomic_tests:
 Disconnect-ExchangeOnline -Confirm:$false
 name: powershell
 elevation_required: false
+- name: GCP - Delete Activity Event Log
+ description: |
+ GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data Access, System Events, and Policy Denied.
+ An adversary may attempt to delete logs in order to hide their activity. However, Admin Activity, System Events, and Policy Deny events logs cannot be deleted.
+
+ This Atomic attempts to delete the Activity Event log. An event is generated under the method name of `google.logging.v2.LoggingServiceV2.DeleteLog` with a Serverity of `ERROR`.
+ supported_platforms:
+ - iaas:gcp
+
+ input_arguments:
+ project-id:
+ description: ID of the GCP Project you to execute the command against.
+ type: string
+ default: atomic-project-1
+ executor:
+ name: sh
+ elevation_required: false
+ command: |
+ gcloud config set project #{project-id}
+ gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Requires gcloud
+ prereq_command: |
+ if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+ - description: |
+ Check if user is logged in
+ prereq_command: |
+ gcloud config get-value account
+ get_prereq_command: |
+ gcloud auth login --no-launch-browser
\ No newline at end of file
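Review bot: The description states that Admin Activity logs cannot be deleted, and the command then runs `gcloud logging logs delete ... cloudaudit.googleapis.com%2Factivity --quiet`, so the expected outcome is a rejected call and a non-zero exit that the executor will report as a failed test; the description should say so explicitly, e.g. `The delete is expected to be rejected; the resulting DeleteLog audit event with severity ERROR is the observable.`, so nobody "fixes" the test by suppressing the error. `Serverity` on the same description line is a typo for `Severity`, and `Policy Deny events logs` on the line above should match the `Policy Denied` wording used at the top. The `project-id` argument is kebab-case with default `atomic-project-1` while the other GCP atomics in this commit use `project_id` / `atomic-test-1`, and the stray blank line between `supported_platforms` and `input_arguments` departs from the layout of the surrounding entries.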