New technique: GCP Credential Access via Secret Manager via AccessSecretVersion (#625)

* feat: add gcp secret manager credential access technique

* fix: terraform fmt and cleanup

* chore: code fixes and hygiene

* chore: more code cleanup

* Reflect new Go version requirements in the README

* Add output to warm-up phase

* Use _ as an unused parameter name

* User errors.Is to compare error types

* Remove unnecessary variable assignment

* Enhance and autogenerate docs

* staticcheck: Fix usage of deprecated GCP SDK types

---------

Co-authored-by: Dakota Riley <[email protected]>
Co-authored-by: Christophe Tafani-Dereeper <[email protected]>

Author: 3 people

README.md

@@ -33,7 +33,7 @@ See the documentation at **[stratus-red-team.cloud](https://stratus-red-team.clo
 
 ### Direct install
 
-Requires Go 1.21+
+Requires Go 1.22+
 
 ```
 go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest

docs/attack-techniques/GCP/gcp.credential-access.secretmanager-retrieve-secrets.md

@@ -0,0 +1,93 @@
+---
+title: Retrieve a High Number of Secret Manager secrets
+---
+
+# Retrieve a High Number of Secret Manager secrets
+
+
+ <span class="smallcaps w3-badge w3-blue w3-round w3-text-white" title="This attack technique can be detonated multiple times">idempotent</span> 
+
+Platform: GCP
+
+## MITRE ATT&CK Tactics
+
+
+- Credential Access
+
+## Description
+
+
+Retrieves a high number of Secret Manager secrets in a short timeframe, through the AccessSecretVersion API.
+
+<span style="font-variant: small-caps;">Warm-up</span>: 
+
+- Create multiple secrets in Secret Manager.
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- Enumerate the secrets through the ListSecrets API
+- Retrieve each secret value, one by one through the AccessSecretVersion API
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate gcp.credential-access.secretmanager-retrieve-secrets
+```
+## Detection
+
+Cloud Audit Logs event corresponding to accessing a secret's value is <code>AccessSecretVersion</code>. 
+It is considered [data access event](https://cloud.google.com/secret-manager/docs/audit-logging), and needs to be explicitly enabled for the Secret Manager API. 
+
+Sample event:
+
+```json hl_lines="18 20 25"
+{
+  "protoPayload": {
+    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+    "requestMetadata": {
+      "callerIp": "7.7.7.7",
+      "callerSuppliedUserAgent": "stratus-red-team_4fbc5d44-9c4f-469f-a15b-0c85e6ad3241 grpc-go/1.70.0,gzip(gfe)",
+      "requestAttributes": {
+        "time": "2025-02-02T22:56:34.343726445Z",
+        "auth": {}
+      },
+      "destinationAttributes": {}
+    },
+    "serviceName": "secretmanager.googleapis.com",
+    "methodName": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
+    "authorizationInfo": [
+      {
+        "permission": "secretmanager.versions.access",
+        "granted": true,
+        "resourceAttributes": {
+          "service": "secretmanager.googleapis.com",
+          "name": "projects/victim-project/secrets/stratus-red-team-retrieve-secret-8/versions/latest",
+          "type": "secretmanager.googleapis.com/SecretVersion"
+        },
+        "permissionType": "DATA_READ"
+      }
+    ],
+    "resourceName": "projects/victim-project/secrets/stratus-red-team-retrieve-secret-8/versions/latest",
+    "request": {
+      "name": "projects/victim-project/secrets/stratus-red-team-retrieve-secret-8/versions/latest",
+      "@type": "type.googleapis.com/google.cloud.secretmanager.v1.AccessSecretVersionRequest"
+    }
+  },
+  "resource": {
+    "type": "audited_resource",
+    "labels": {
+      "method": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
+      "project_id": "victim-project",
+      "service": "secretmanager.googleapis.com"
+    }
+  }
+}
+```
+
+References:
+
+- https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.html
+
+
+

docs/attack-techniques/GCP/index.md

@@ -4,6 +4,11 @@ This page contains the Stratus attack techniques for GCP, grouped by MITRE ATT&C
 Note that some Stratus attack techniques may correspond to more than a single ATT&CK Tactic.
 
 
+## Credential Access
+
+- [Retrieve a High Number of Secret Manager secrets](./gcp.credential-access.secretmanager-retrieve-secrets.md)
+
+
 ## Exfiltration
 
 - [Exfiltrate Compute Disk by sharing it](./gcp.exfiltration.share-compute-disk.md)

docs/attack-techniques/list.md

@@ -63,6 +63,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Create Hidden Scoped Role Assignment Through HiddenMembership AU](./entra-id/entra-id.persistence.hidden-au.md) | [Entra ID](./entra-id/index.md) | Persistence |
 | [Create Application](./entra-id/entra-id.persistence.new-application.md) | [Entra ID](./entra-id/index.md) | Persistence, Privilege Escalation |
 | [Create Sticky Backdoor User Through Restricted Management AU](./entra-id/entra-id.persistence.restricted-au.md) | [Entra ID](./entra-id/index.md) | Persistence |
+| [Retrieve a High Number of Secret Manager secrets](./GCP/gcp.credential-access.secretmanager-retrieve-secrets.md) | [GCP](./GCP/index.md) | Credential Access |
 | [Exfiltrate Compute Disk by sharing it](./GCP/gcp.exfiltration.share-compute-disk.md) | [GCP](./GCP/index.md) | Exfiltration |
 | [Exfiltrate Compute Image by sharing it](./GCP/gcp.exfiltration.share-compute-image.md) | [GCP](./GCP/index.md) | Exfiltration |
 | [Exfiltrate Compute Disk by sharing a snapshot](./GCP/gcp.exfiltration.share-compute-snapshot.md) | [GCP](./GCP/index.md) | Exfiltration |

docs/index.yaml

@@ -385,6 +385,14 @@ EKS:
           platform: EKS
           isIdempotent: false
 GCP:
+    Credential Access:
+        - id: gcp.credential-access.secretmanager-retrieve-secrets
+          name: Retrieve a High Number of Secret Manager secrets
+          isSlow: false
+          mitreAttackTactics:
+            - Credential Access
+          platform: GCP
+          isIdempotent: true
     Exfiltration:
         - id: gcp.exfiltration.share-compute-disk
           name: Exfiltrate Compute Disk by sharing it

v2/go.mod

@@ -1,11 +1,12 @@
 module github.com/datadog/stratus-red-team/v2
 
-go 1.21
+go 1.22.7
 
-toolchain go1.23.1
+toolchain go1.23.5
 
 require (
-	cloud.google.com/go/compute v1.10.0
+	cloud.google.com/go/compute v1.31.1
+	cloud.google.com/go/secretmanager v1.14.4
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
@@ -41,15 +42,19 @@ require (
 	github.com/microsoftgraph/msgraph-beta-sdk-go v0.108.0
 	github.com/microsoftgraph/msgraph-sdk-go-core v1.2.1
 	github.com/spf13/cobra v1.6.0
-	github.com/stretchr/testify v1.9.0
-	google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e
+	github.com/stretchr/testify v1.10.0
+	google.golang.org/genproto v0.0.0-20250122153221-138b5a5a4fd4
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.25.3
 	k8s.io/apimachinery v0.25.3
 	k8s.io/client-go v0.25.3
 )
 
 require (
+	cloud.google.com/go/auth v0.14.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	cloud.google.com/go/iam v1.3.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
@@ -72,19 +77,20 @@ require (
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
-	github.com/googleapis/gax-go/v2 v2.5.1 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -111,17 +117,21 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/std-uritemplate/std-uritemplate/go v0.0.57 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	go.opencensus.io v0.23.0 // indirect
-	go.opentelemetry.io/otel v1.24.0 // indirect
-	go.opentelemetry.io/otel/metric v1.24.0 // indirect
-	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
+	go.opentelemetry.io/otel v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/otel/trace v1.34.0 // indirect
 	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/net v0.27.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1 // indirect
-	golang.org/x/term v0.22.0 // indirect
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/term v0.28.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250124145028-65684f501c47 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
+	google.golang.org/protobuf v1.36.4 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/klog/v2 v2.70.1 // indirect
@@ -139,9 +149,9 @@ require (
 	github.com/hashicorp/terraform-json v0.22.1 // indirect
 	github.com/microsoftgraph/msgraph-sdk-go v1.47.0
 	github.com/zclconf/go-cty v1.14.4 // indirect
-	golang.org/x/crypto v0.25.0 // indirect
-	golang.org/x/sys v0.22.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
-	google.golang.org/api v0.99.0
-	google.golang.org/grpc v1.50.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	google.golang.org/api v0.218.0
+	google.golang.org/grpc v1.70.0 // indirect
 )