Initial GCP support (#160)

Co-authored-by: Christophe Tafani-Dereeper <christophe.tafanidereeper@datadoghq.com>
Co-authored-by: rileydakota <DAKOTARILEY2@GMAIL.COM>

docs/attack-techniques/GCP/gcp.persistence.create-admin-service-account.md

@@ -0,0 +1,48 @@
+---
+title: Create an Admin GCP Service Account
+---
+
+# Create an Admin GCP Service Account
+
+
+
+
+Platform: GCP
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Establishes persistence by creating a new service account and assigning it 
+<code>owner</code> permissions inside the current GCP project.
+
+<span style="font-variant: small-caps;">Warm-up</span>: None
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create a service account
+- Update the current GCP project's IAM policy to bind the service account to the <code>owner</code> role'
+
+References:
+- https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate gcp.persistence.create-admin-service-account
+```
+## Detection
+
+
+Using the following GCP Admin Activity audit logs events:
+
+- <code>google.iam.admin.v1.CreateServiceAccount</code>
+- <code>SetIamPolicy</code> with <code>resource.type=project</code>
+
+

docs/attack-techniques/GCP/gcp.persistence.create-service-account-key.md

@@ -0,0 +1,47 @@
+---
+title: Create a GCP Service Account Key
+---
+
+# Create a GCP Service Account Key
+
+
+
+
+Platform: GCP
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Establishes persistence by creating a service account key on an existing service account.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create a service account
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create a new key for the service account
+
+References:
+
+- https://expel.com/blog/incident-report-spotting-an-attacker-in-gcp/
+- https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate gcp.persistence.create-service-account-key
+```
+## Detection
+
+
+Using GCP Admin Activity audit logs event <code>google.iam.admin.v1.CreateServiceAccountKey</code>.
+
+

docs/attack-techniques/GCP/gcp.privilege-escalation.impersonate-service-accounts.md

@@ -0,0 +1,155 @@
+---
+title: Impersonate GCP Service Accounts
+---
+
+# Impersonate GCP Service Accounts
+
+
+ <span class="smallcaps w3-badge w3-blue w3-round w3-text-white" title="This attack technique can be detonated multiple times">idempotent</span> 
+
+Platform: GCP
+
+## MITRE ATT&CK Tactics
+
+
+- Privilege Escalation
+
+## Description
+
+
+Attempts to impersonate several GCP service accounts. Service account impersonation in GCP allows to retrieve
+temporary credentials allowing to act as a service account.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create 10 GCP service accounts
+- Grant the current user <code>roles/iam.serviceAccountTokenCreator</code> on one of these service accounts
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Attempt to impersonate each of the service accounts
+- One impersonation request will succeed, simulating a successful privilege escalation
+
+
+!!! info
+
+    GCP takes a few seconds to propagate the new <code>roles/iam.serviceAccountTokenCreator</code> role binding to the current user.
+
+    It is recommended to first warm up this attack technique (<code>stratus warmup ...</code>), wait for 30 seconds, then detonate it.
+
+References:
+
+- https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
+- https://cloud.google.com/iam/docs/impersonating-service-accounts
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate gcp.privilege-escalation.impersonate-service-accounts
+```
+## Detection
+
+
+Using GCP Admin Activity audit logs event <code>GenerateAccessToken</code>.
+
+Sample successful event (shortened for clarity):
+
+```json hl_lines="12 21"
+{
+  "protoPayload": {
+    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+    "authenticationInfo": {
+      "principalEmail": "user@domain.tld",
+      "principalSubject": "user:user@domain.tld"
+    },
+    "requestMetadata": {
+      "callerIp": "(calling IP)",
+    },
+    "serviceName": "iamcredentials.googleapis.com",
+    "methodName": "GenerateAccessToken",
+    "authorizationInfo": [
+      {
+        "permission": "iam.serviceAccounts.getAccessToken",
+        "granted": true,
+        "resourceAttributes": {}
+      }
+    ],
+    "request": {
+      "name": "projects/-/serviceAccounts/impersonated-service-account@project-id.iam.gserviceaccount.com",
+      "@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenRequest"
+    }
+  },
+  "resource": {
+    "type": "service_account",
+    "labels": {
+      "unique_id": "105711361070066902665",
+      "email_id": "impersonated-service-account@project-id.iam.gserviceaccount.com",
+      "project_id": "project-id"
+    }
+  },
+  "severity": "INFO",
+  "logName": "projects/project-id/logs/cloudaudit.googleapis.com%2Fdata_access"
+}
+```
+
+
+When impersonation fails, the generated event **does not contain** the identity of the caller, as explained in the
+[GCP documentation](https://cloud.google.com/logging/docs/audit#user-id):
+
+> For privacy reasons, the caller's principal email address is redacted from an audit log if the operation is 
+> read-only and fails with a "permission denied" error. The only exception is when the caller is a service 
+> account in the Google Cloud organization associated with the resource; in this case, the email address isn't redacted.
+
+Sample **unsuccessful** event (shortened for clarity):
+
+```json hl_lines="5 6 13 38"
+{
+  "protoPayload": {
+    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+    "status": {
+      "code": 7,
+      "message": "PERMISSION_DENIED"
+    },
+    "authenticationInfo": {},
+    "requestMetadata": {
+      "callerIp": "(calling IP)"
+    },
+    "serviceName": "iamcredentials.googleapis.com",
+    "methodName": "GenerateAccessToken",
+    "authorizationInfo": [
+      {
+        "permission": "iam.serviceAccounts.getAccessToken",
+        "resourceAttributes": {}
+      }
+    ],
+    "resourceName": "projects/-/serviceAccounts/103566171230474107362",
+    "request": {
+      "@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenRequest",
+      "name": "projects/-/serviceAccounts/target-service-account@project-id.iam.gserviceaccount.com"
+    },
+    "metadata": {
+      "identityDelegationChain": [
+        "projects/-/serviceAccounts/target-service-account@project-id.iam.gserviceaccount.com"
+      ]
+    }
+  },
+  "resource": {
+    "type": "service_account",
+    "labels": {
+      "email_id": "target-service-account@project-id.iam.gserviceaccount.com",
+      "project_id": "project-id"
+    }
+  },
+  "severity": "ERROR",
+  "logName": "projects/project-id/logs/cloudaudit.googleapis.com%2Fdata_access"
+}
+```
+
+Some detection strategies may include:
+
+* Alerting on unsuccessful impersonation attempts
+* Alerting when the same IP address / user-agent attempts to impersonate several service accounts in a 
+short amount of time (successfully or not)
+
+

docs/attack-techniques/GCP/index.md

@@ -0,0 +1,21 @@
+# GCP
+
+This page contains the Stratus attack techniques for GCP, grouped by MITRE ATT&CK Tactic.
+Note that some Stratus attack techniques may correspond to more than a single ATT&CK Tactic.
+
+
+## Persistence
+
+- [Create an Admin GCP Service Account](./gcp.persistence.create-admin-service-account.md)
+
+- [Create a GCP Service Account Key](./gcp.persistence.create-service-account-key.md)
+
+
+## Privilege Escalation
+
+- [Create an Admin GCP Service Account](./gcp.persistence.create-admin-service-account.md)
+
+- [Create a GCP Service Account Key](./gcp.persistence.create-service-account-key.md)
+
+- [Impersonate GCP Service Accounts](./gcp.privilege-escalation.impersonate-service-accounts.md)
+

docs/attack-techniques/list.md

@@ -39,6 +39,9 @@ This page contains the list of all Stratus Attack Techniques.
 | [Execute Command on Virtual Machine using Custom Script Extension](./azure/azure.execution.vm-custom-script-extension.md) | [Azure](./azure/index.md) | Execution |
 | [Execute Commands on Virtual Machine using Run Command](./azure/azure.execution.vm-run-command.md) | [Azure](./azure/index.md) | Execution |
 | [Export Disk Through SAS URL](./azure/azure.exfiltration.disk-export.md) | [Azure](./azure/index.md) | Exfiltration |
+| [Create an Admin GCP Service Account](./GCP/gcp.persistence.create-admin-service-account.md) | [GCP](./GCP/index.md) | Persistence, Privilege Escalation |
+| [Create a GCP Service Account Key](./GCP/gcp.persistence.create-service-account-key.md) | [GCP](./GCP/index.md) | Persistence, Privilege Escalation |
+| [Impersonate GCP Service Accounts](./GCP/gcp.privilege-escalation.impersonate-service-accounts.md) | [GCP](./GCP/index.md) | Privilege Escalation |
 | [Dump All Secrets](./kubernetes/k8s.credential-access.dump-secrets.md) | [Kubernetes](./kubernetes/index.md) | Credential Access |
 | [Steal Pod Service Account Token](./kubernetes/k8s.credential-access.steal-serviceaccount-token.md) | [Kubernetes](./kubernetes/index.md) | Credential Access |
 | [Create Admin ClusterRole](./kubernetes/k8s.persistence.create-admin-clusterrole.md) | [Kubernetes](./kubernetes/index.md) | Persistence, Privilege Escalation |

docs/attack-techniques/supported-platforms.md

@@ -1,9 +1,4 @@
 # Supported Platforms
 
-Stratus Red Team currently supports AWS, Azure, and Kubernetes. 
-See [Connecting to your cloud account](https://stratus-red-team.cloud/user-guide/getting-started/#connecting-to-your-cloud-account) for setup instructions.
-
-## Future Support for Additional Platforms
-
-We plan to add support for [GCP](https://github.com/DataDog/stratus-red-team/issues/53) in the future.
-If you're interested, go upvote the corresponding issue!
+Stratus Red Team currently supports AWS, Azure, GCP and Kubernetes. 
+See [Connecting to your cloud account](https://stratus-red-team.cloud/user-guide/getting-started/#connecting-to-your-cloud-account) for setup instructions.

docs/user-guide/getting-started.md

@@ -138,13 +138,26 @@ $ az account list
 export AZURE_SUBSCRIPTION_ID=45e0ad3f-ff94-499a-a2f0-bbb884e9c4a3
 ```
 
-
 !!! Note
 
     When using Stratus Red Team with Azure, the location in which resources are created cannot be configured and is
     fixed to `West US` (California). See why [here](https://github.com/DataDog/stratus-red-team/discussions/125).
 
 
+### GCP
+
+- Use the [gcloud CLI](https://cloud.google.com/sdk/gcloud) to authenticate against GCP:
+
+```bash
+gcloud auth application-default login
+```
+
+- Then, set your project ID:
+
+```bash
+export GOOGLE_PROJECT=your-project-id
+```
+
 ### Kubernetes
 
 Stratus Red Team does not create a Kubernetes cluster for you. 

v2/go.mod

@@ -35,6 +35,7 @@ require (
 )
 
 require (
+	cloud.google.com/go v0.99.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0 // indirect
 	github.com/Microsoft/go-winio v0.5.0 // indirect
@@ -50,9 +51,11 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-logr/logr v1.2.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
@@ -68,11 +71,13 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/objx v0.2.0 // indirect
+	go.opencensus.io v0.23.0 // indirect
 	golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
@@ -99,6 +104,6 @@ require (
 	golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 // indirect
 	golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
 	golang.org/x/text v0.3.7 // indirect
-	google.golang.org/api v0.63.0 // indirect
+	google.golang.org/api v0.63.0
 	google.golang.org/grpc v1.43.0 // indirect
 )