Skip to content

New attack technique: Open Ingress Port 22 on a Firewall Rule (gcp.exfiltration.open-port-22-ingress)#801

Open
Minosity-VR wants to merge 3 commits into
simon.marechal/gcp-exfiltration-backdoor-gcs-bucketfrom
simon.marechal/gcp-exfiltration-open-port-22-ingress
Open

New attack technique: Open Ingress Port 22 on a Firewall Rule (gcp.exfiltration.open-port-22-ingress)#801
Minosity-VR wants to merge 3 commits into
simon.marechal/gcp-exfiltration-backdoor-gcs-bucketfrom
simon.marechal/gcp-exfiltration-open-port-22-ingress

Conversation

@Minosity-VR

@Minosity-VR Minosity-VR commented Mar 26, 2026

Copy link
Copy Markdown
Collaborator

What does this PR do?

New attack technique: gcp.exfiltration.open-port-22-ingress

Motivation

GCP parity with existing AWS attack techniques.

Test results

  • stratus detonate gcp.exfiltration.open-port-22-ingress
  • v1.compute.firewalls.insert appears in GCP Admin Activity audit logs

Checklist

  • The attack technique emulates a single attack step, not a full attack chain
  • We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
  • The attack technique makes no assumption about the state of the environment prior to warming it up

@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-backdoor-gcs-bucket branch from 6a55fd5 to 42beba8 Compare March 30, 2026 14:54
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-open-port-22-ingress branch from 87af8e2 to a359814 Compare March 30, 2026 14:54
@Minosity-VR Minosity-VR marked this pull request as ready for review April 1, 2026 07:25
@Minosity-VR Minosity-VR requested review from a team as code owners April 1, 2026 07:25
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-backdoor-gcs-bucket branch from 42beba8 to a7652cf Compare April 1, 2026 08:28
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-open-port-22-ingress branch from a359814 to eb69293 Compare April 1, 2026 08:28
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-backdoor-gcs-bucket branch from a7652cf to d3cbdc3 Compare April 1, 2026 08:53
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-open-port-22-ingress branch from eb69293 to 4ee8e9a Compare April 1, 2026 08:53
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-backdoor-gcs-bucket branch from d3cbdc3 to f241998 Compare April 1, 2026 09:04
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-open-port-22-ingress branch from 4ee8e9a to f502baa Compare April 1, 2026 09:04
Minosity-VR and others added 3 commits April 9, 2026 10:05
@Minosity-VR @claude
New attack technique: Open Ingress Port 22 on a Firewall Rule (gcp.ex…
59d8365 
…filtration.open-port-22-ingress)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Minosity-VR @claude
Add external references for technique documentation
5a7da15 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR @claude
Address PR feedback: remove HackTricks refs, regenerate docs
5c6d935 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-backdoor-gcs-bucket branch from f241998 to fbc15a4 Compare April 9, 2026 08:28
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-exfiltration-open-port-22-ingress branch from 09a47f1 to 5c6d935 Compare April 9, 2026 08:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Minosity-VR