Skip to content

New attack technique: Backdoor a GCS Bucket via Overly Permissive IAM Policy (gcp.exfiltration.backdoor-gcs-bucket)#800

Open
Minosity-VR wants to merge 12 commits into
simon.marechal/gcp-execution-os-config-run-commandfrom
simon.marechal/gcp-exfiltration-backdoor-gcs-bucket
Open

New attack technique: Backdoor a GCS Bucket via Overly Permissive IAM Policy (gcp.exfiltration.backdoor-gcs-bucket)#800
Minosity-VR wants to merge 12 commits into
simon.marechal/gcp-execution-os-config-run-commandfrom
simon.marechal/gcp-exfiltration-backdoor-gcs-bucket

Conversation

@Minosity-VR

@Minosity-VR Minosity-VR commented Mar 26, 2026

Copy link
Copy Markdown
Collaborator

What does this PR do?

New attack technique: gcp.exfiltration.backdoor-gcs-bucket

Motivation

GCP parity with existing AWS attack techniques.

Test results

  • stratus detonate gcp.exfiltration.backdoor-gcs-bucket
  • storage.setIamPermissions appears in GCP Data Access audit logs

Checklist

  • The attack technique emulates a single attack step, not a full attack chain
  • We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
  • The attack technique makes no assumption about the state of the environment prior to warming it up

@Minosity-VR Minosity-VR mentioned this pull request Mar 26, 2026
Open
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-os-config-run-command branch from 9824956 to 746d4d7 Compare March 30, 2026 14:54
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-backdoor-gcs-bucket branch from 6a55fd5 to 42beba8 Compare March 30, 2026 14:54
@Minosity-VR Minosity-VR marked this pull request as ready for review April 1, 2026 07:25
@Minosity-VR Minosity-VR requested review from a team as code owners April 1, 2026 07:25
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-os-config-run-command branch from 746d4d7 to 14615f6 Compare April 1, 2026 08:28
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-backdoor-gcs-bucket branch from 42beba8 to a7652cf Compare April 1, 2026 08:28
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-os-config-run-command branch from 14615f6 to cfe3832 Compare April 1, 2026 08:53
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-backdoor-gcs-bucket branch from a7652cf to d3cbdc3 Compare April 1, 2026 08:53
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-os-config-run-command branch from cfe3832 to 713bbd1 Compare April 1, 2026 09:04
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-backdoor-gcs-bucket branch from d3cbdc3 to f241998 Compare April 1, 2026 09:04
Minosity-VR and others added 12 commits April 9, 2026 09:37
@Minosity-VR @claude
New attack technique: Modify a GCE Instance Startup Script (gcp.execu…
bcdc4cf 
…tion.modify-gce-startup-script)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Minosity-VR @claude
Add external references for technique documentation
085b7e0 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR @claude
Address PR feedback: remove HackTricks refs, regenerate docs
aa1fc8b 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR @claude
New attack technique: Inject a Malicious Startup Script into a Vertex…
faa093f 
… AI Workbench Instance (gcp.execution.modify-vertex-notebook-startup)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Minosity-VR @claude
Add external references for technique documentation
5c6f5bf 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR @claude
Address PR feedback: remove HackTricks refs, regenerate docs
2889bcd 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR @claude
New attack technique: Execute Commands on GCE Instances via OS Config…
fa6dad6 
… Agent (gcp.execution.os-config-run-command)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Minosity-VR @claude
Add external references for technique documentation
37c5699 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR @claude
Address PR feedback: remove HackTricks refs, regenerate docs
586918f 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR @claude
New attack technique: Backdoor a GCS Bucket via Overly Permissive IAM…
6a7054b 
… Policy (gcp.exfiltration.backdoor-gcs-bucket)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Minosity-VR @claude
Add external references for technique documentation
cb0bb78 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR @claude
Address PR feedback: remove HackTricks refs, regenerate docs
fbc15a4 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-backdoor-gcs-bucket branch from f241998 to fbc15a4 Compare April 9, 2026 08:28
@christophetd christophetd force-pushed the simon.marechal/gcp-execution-os-config-run-command branch 2 times, most recently from 0a07d72 to 2e65f9f Compare April 30, 2026 13:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Minosity-VR