-
Notifications
You must be signed in to change notification settings - Fork 204
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
GITBOOK-572: change request with no subject merged in GitBook
- Loading branch information
1 parent
deb1378
commit 5675ac9
Showing
3 changed files
with
212 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
92 changes: 92 additions & 0 deletions
92
...ting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| # GCP - Security Post Exploitation | ||
|
|
||
| <details> | ||
|
|
||
| <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> | ||
|
|
||
| Other ways to support HackTricks: | ||
|
|
||
| * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! | ||
| * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) | ||
| * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
| * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> | ||
|
|
||
| ## Security | ||
|
|
||
| For more information check: | ||
|
|
||
| {% content-ref url="../gcp-services/gcp-security.md" %} | ||
| [gcp-security.md](../gcp-services/gcp-security.md) | ||
| {% endcontent-ref %} | ||
|
|
||
| ### `securitycenter.muteconfigs.create` | ||
|
|
||
| Prevent generation of findings that could detect an attacker by creating a `muteconfig`: | ||
|
|
||
| {% code overflow="wrap" %} | ||
| ```bash | ||
| # Create Muteconfig | ||
| gcloud scc muteconfigs create my-mute-config --organization=123 --description="This is a test mute config" --filter="category=\"XSS_SCRIPTING\"" | ||
| ``` | ||
| {% endcode %} | ||
|
|
||
| ### `securitycenter.muteconfigs.update` | ||
|
|
||
| Prevent generation of findings that could detect an attacker by updating a `muteconfig`: | ||
|
|
||
| {% code overflow="wrap" %} | ||
| ```bash | ||
| # Update Muteconfig | ||
| gcloud scc muteconfigs update my-test-mute-config --organization=123 --description="This is a test mute config" --filter="category=\"XSS_SCRIPTING\"" | ||
| ``` | ||
| {% endcode %} | ||
|
|
||
| ### `securitycenter.findings.bulkMuteUpdate` | ||
|
|
||
| Mute findings based on a filer: | ||
|
|
||
| {% code overflow="wrap" %} | ||
| ```bash | ||
| # Mute based on a filter | ||
| gcloud scc findings bulk-mute --organization=929851756715 --filter="category=\"XSS_SCRIPTING\"" | ||
| ``` | ||
| {% endcode %} | ||
|
|
||
| A muted finding won't appear in the SCC dashboard and reports. | ||
|
|
||
| ### `securitycenter.findings.setMute` | ||
|
|
||
| Mute findings based on source, findings... | ||
|
|
||
| {% code overflow="wrap" %} | ||
| ```bash | ||
| gcloud scc findings set-mute 789 --organization=organizations/123 --source=456 --mute=MUTED | ||
| ``` | ||
| {% endcode %} | ||
|
|
||
| ### `securitycenter.findings.update` | ||
|
|
||
| Update a finding to indicate erroneous information: | ||
|
|
||
| {% code overflow="wrap" %} | ||
| ```bash | ||
| gcloud scc findings update `myFinding` --organization=123456 --source=5678 --state=INACTIVE | ||
| ``` | ||
| {% endcode %} | ||
|
|
||
| <details> | ||
|
|
||
| <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> | ||
|
|
||
| Other ways to support HackTricks: | ||
|
|
||
| * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! | ||
| * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) | ||
| * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
| * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> |
118 changes: 118 additions & 0 deletions
118
pentesting-cloud/gcp-security/gcp-services/gcp-security.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,118 @@ | ||
| # GCP - Security | ||
|
|
||
| <details> | ||
|
|
||
| <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> | ||
|
|
||
| Other ways to support HackTricks: | ||
|
|
||
| * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! | ||
| * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) | ||
| * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
| * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> | ||
|
|
||
| ## Basic Information | ||
|
|
||
| Google Cloud Platform (GCP) Security encompasses a **comprehensive suite of tools** and practices designed to ensure the **security** of resources and data within the Google Cloud environment, divided into four main sections: **Security Command Center, Detections and Controls, Data Protection and Zero Turst.** | ||
|
|
||
| ## **Security Command Center** | ||
|
|
||
| The Google Cloud Platform (GCP) Security Command Center (SCC) is a **security and risk management tool for GCP** resources that enables organizations to gain visibility into and control over their cloud assets. It helps **detect and respond to threats** by offering comprehensive security analytics, **identifying misconfigurations**, ensuring **compliance** with security standards, and **integrating** with other security tools for automated threat detection and response. | ||
|
|
||
| * **Overview**: Panel to **visualize an overview** of all the result of the Security Command Center. | ||
| * Threats: \[Premium Required] Panel to visualize all the **detected threats. Check more about Threats below** | ||
| * **Vulnerabilities**: Panel to **visualize found misconfigurations in the GCP account**. | ||
| * **Compliance**: \[Premium required] This section allows to **test your GCP environment against several compliance checks** (such as PCI-DSS, NIST 800-53, CIS benchmarks...) over the organization. | ||
| * **Assets**: This section **shows all the assets being used**, very useful for sysadmins (and maybe attacker) to see what is running in a single page. | ||
| * **Findings**: This **aggregates** in a **table findings** of different sections of GCP Security (not only Command Center) to be able to visualize easily findings that matters. | ||
| * **Sources**: Shows a **summary of findings** of all the different sections of GCP security **by sectio**n. | ||
| * **Posture**: \[Premium Required] Security Posture allows to **define, assess, and monitor the security of the GCP environment**. It works by creating policy that defines constraints or restrictions that controls/monitor the resources in GCP. There are several pre-defined posture templates that can be found in [https://cloud.google.com/security-command-center/docs/security-posture-overview?authuser=2#predefined-policy](https://cloud.google.com/security-command-center/docs/security-posture-overview?authuser=2#predefined-policy) | ||
|
|
||
| ### **Threats** | ||
|
|
||
| From the perspective of an attacker, this is probably the **most interesting feature as it could detect the attacker**. However, note that this feature requires **Premium** (which means that the company will need to pay more), so it **might not be even enabled**.  | ||
|
|
||
| There are 3 types of threat detection mechanisms: | ||
|
|
||
| * **Event Threats**: Findings produced by matching events from **Cloud Logging** based on **rules created** internally by Google. It can also scan **Google Workspace logs**. | ||
| * It's possible to find the description of all the [**detection rules in the docs**](https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview?authuser=2#how\_works) | ||
| * **Container Threats**: Findings produced after analyzing low-level behavior of the kernel of containers. | ||
| * **Custom Threats**: Rules created by the company. | ||
|
|
||
| It's possible to find recommended responses to detected threats of both types in [https://cloud.google.com/security-command-center/docs/how-to-investigate-threats?authuser=2#event\_response](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats?authuser=2#event\_response) | ||
|
|
||
| ### Enumeration | ||
|
|
||
| {% code overflow="wrap" %} | ||
| ```bash | ||
| # Get a source | ||
| gcloud scc sources describe <org-number> --source=5678 | ||
| ## If the response is that the service is disabled or that the source is not found, then, it isn't enabled | ||
|
|
||
| # Get notifications | ||
| gcloud scc notifications list <org-number> | ||
|
|
||
| # Get findings (if not premium these are just vulnerabilities) | ||
| gcloud scc findings list <org-number> | ||
| ``` | ||
| {% endcode %} | ||
|
|
||
| ### Post Exploitation | ||
|
|
||
| {% content-ref url="../gcp-post-exploitation/gcp-security-post-exploitation.md" %} | ||
| [gcp-security-post-exploitation.md](../gcp-post-exploitation/gcp-security-post-exploitation.md) | ||
| {% endcontent-ref %} | ||
|
|
||
| ## Detections and Controls | ||
|
|
||
| * **Chronicle SecOps**: An advanced security operations suite designed to help teams increase their speed and impact of security operations, including threat detection, investigation, and response. | ||
| * **reCAPTCHA Enterprise**: A service that protects websites from fraudulent activities like scraping, credential stuffing, and automated attacks by distinguishing between human users and bots. | ||
| * **Web Security Scanner**: Automated security scanning tool that detects vulnerabilities and common security issues in web applications hosted on Google Cloud or another web service. | ||
| * **Risk Manager**: A governance, risk, and compliance (GRC) tool that helps organizations assess, document, and understand their Google Cloud risk posture. | ||
| * **Binary Authorization**: A security control for containers that ensures only trusted container images are deployed on Kubernetes Engine clusters according to policies set by the enterprise. | ||
| * **Advisory Notifications**: A service that provides alerts and advisories about potential security issues, vulnerabilities, and recommended actions to keep resources secure. | ||
| * **Access Approval**: A feature that allows organizations to require explicit approval before Google employees can access their data or configurations, providing an additional layer of control and auditability. | ||
| * **Managed Microsoft AD**: A service offering managed Microsoft Active Directory (AD) that allows users to use their existing Microsoft AD-dependent apps and workloads on Google Cloud. | ||
|
|
||
| ## Data Protection | ||
|
|
||
| * **Sensitive Data Protection**: Tools and practices aimed at safeguarding sensitive data, such as personal information or intellectual property, against unauthorized access or exposure. | ||
| * **Data Loss Prevention (DLP)**: A set of tools and processes used to identify, monitor, and protect data in use, in motion, and at rest through deep content inspection and by applying a comprehensive set of data protection rules. | ||
| * **Certificate Authority Service**: A scalable and secure service that simplifies and automates the management, deployment, and renewal of SSL/TLS certificates for internal and external services. | ||
| * **Key Management**: A cloud-based service that allows you to manage cryptographic keys for your applications, including the creation, import, rotation, use, and destruction of encryption keys. More info in: | ||
|
|
||
| {% content-ref url="gcp-kms-enum.md" %} | ||
| [gcp-kms-enum.md](gcp-kms-enum.md) | ||
| {% endcontent-ref %} | ||
|
|
||
| * **Certificate Manager**: A service that manages and deploys SSL/TLS certificates, ensuring secure and encrypted connections to your web services and applications. | ||
| * **Secret Manager**: A secure and convenient storage system for API keys, passwords, certificates, and other sensitive data, which allows for the easy and secure access and management of these secrets in applications. More info in: | ||
|
|
||
| {% content-ref url="../../gcp-pentesting/gcp-services/gcp-secrets-manager-enum.md" %} | ||
| [gcp-secrets-manager-enum.md](../../gcp-pentesting/gcp-services/gcp-secrets-manager-enum.md) | ||
| {% endcontent-ref %} | ||
|
|
||
| ## Zero Trust | ||
|
|
||
| * **BeyondCorp Enterprise**: A zero-trust security platform that enables secure access to internal applications without the need for a traditional VPN, by relying on verification of user and device trust before granting access. | ||
| * **Policy Troubleshooter**: A tool designed to help administrators understand and resolve access issues in their organization by identifying why a user has access to certain resources or why access was denied, thereby aiding in the enforcement of zero-trust policies. | ||
| * **Identity-Aware Proxy (IAP)**: A service that controls access to cloud applications and VMs running on Google Cloud, on-premises, or other clouds, based on the identity and the context of the request rather than by the network from which the request originates. | ||
| * **VPC Service Controls**: Security perimeters that provide additional layers of protection to resources and services hosted in Google Cloud's Virtual Private Cloud (VPC), preventing data exfiltration and providing granular access control. | ||
| * **Access Context Manager**: Part of Google Cloud's BeyondCorp Enterprise, this tool helps define and enforce fine-grained access control policies based on a user's identity and the context of their request, such as device security status, IP address, and more. | ||
|
|
||
| <details> | ||
|
|
||
| <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> | ||
|
|
||
| Other ways to support HackTricks: | ||
|
|
||
| * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! | ||
| * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) | ||
| * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
| * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> |