Update GCP attack techniques: Change technique IDs, refactor class na…

…mes, fix bugs, and update `requirements.txt` - Updated MITRE ATT&CK Technique IDs for GCP attack techniques: - GCPEnumerateCloudStorageObjects: Changed ID from T1223 to T1619 - GCPEnumerateCloudStorageBuckets: Changed ID from T1223 to T1619 - GCPEstablishAccessAsServiceAccount: Changed ID from T1222 to T1078.004 - GCPExfiltrateCloudStorageObjects: Changed ID from T1223 to T1530 All technique references are aligned with https://attack.mitre.org/matrices/enterprise/cloud/ - Fixed bugs and enhanced GCP attack techniques: - GCPEnumerateCloudStorageBuckets: Fixed issue where all buckets were listed when no `location` was specified - GCPExfiltrateCloudStorageObjects: - Improved filtering for requested object(s) - Fixed bug causing incorrect display of the `path` field - Refactored class name: Changed `GCPEnumerateCloudStorageABucket` to `GCPEnumerateCloudStorageObjects` - Updated `requirements.txt` to support GCP attack techniques
vectra-ai-research · Jan 20, 2025 · bd7e681 · bd7e681
1 parent e421a75
commit bd7e681
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 20 deletions.
diff --git a/attack_techniques/__init__.py b/attack_techniques/__init__.py
@@ -98,5 +98,5 @@
 # GCP Techniques
 from .gcp.gcp_establish_access_as_sa import GCPEstablishAccessAsServiceAccount
 from .gcp.gcp_enumerate_cloud_storage_buckets import GCPEnumerateCloudStorageBuckets
-from .gcp.gcp_enumerate_cloud_storage_a_buckets import GCPEnumerateCloudStorageABucket
+from .gcp.gcp_enumerate_cloud_storage_objects import GCPEnumerateCloudStorageObjects
 from .gcp.gcp_exfilterate_cloud_storage_objects import GCPExfiltrateCloudStorageObjects
diff --git a/attack_techniques/gcp/gcp_enumerate_cloud_storage_buckets.py b/attack_techniques/gcp/gcp_enumerate_cloud_storage_buckets.py
@@ -16,8 +16,8 @@ class GCPEnumerateCloudStorageBuckets(BaseTechnique):
     def __init__(self):
         mitre_techniques = [
             MitreTechnique(
-                technique_id="T1223",
-                technique_name="Data from Cloud Storage",
+                technique_id="T1619",
+                technique_name="Cloud Storage Object Discovery",
                 tactics=["Discovery"],
                 sub_technique_name=None
             )
@@ -49,7 +49,7 @@ def execute(self, **kwargs: Any) -> Tuple[ExecutionStatus, Dict[str, Any]]:
                     "zone" : bucket.location
                 }
 
-                if location != "" :
+                if location:
                     if bucket.location == location.upper() :
                         enumerated_buckets.append(bucket_detail)
                 else: 

diff --git a/.../gcp_enumerate_cloud_storage_a_buckets.py → ...cp/gcp_enumerate_cloud_storage_objects.py b/.../gcp_enumerate_cloud_storage_a_buckets.py → ...cp/gcp_enumerate_cloud_storage_objects.py
@@ -12,12 +12,12 @@
 
 
 @TechniqueRegistry.register
-class GCPEnumerateCloudStorageABucket(BaseTechnique):
+class GCPEnumerateCloudStorageObjects(BaseTechnique):
     def __init__(self):
         mitre_techniques = [
             MitreTechnique(
-                technique_id="T1223",
-                technique_name="Data from Cloud Storage",
+                technique_id="T1619",
+                technique_name="Cloud Storage Object Discovery",
                 tactics=["Discovery"],
                 sub_technique_name=None
             )

diff --git a/attack_techniques/gcp/gcp_establish_access_as_sa.py b/attack_techniques/gcp/gcp_establish_access_as_sa.py
@@ -13,7 +13,7 @@ class GCPEstablishAccessAsServiceAccount(BaseTechnique):
     def __init__(self):
         mitre_techniques = [
             MitreTechnique(
-                technique_id="T1222",
+                technique_id="T1078.004",
                 technique_name="Valid Accounts",
                 tactics=["Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access"],
                 sub_technique_name="Cloud Accounts"

diff --git a/attack_techniques/gcp/gcp_exfilterate_cloud_storage_objects.py b/attack_techniques/gcp/gcp_exfilterate_cloud_storage_objects.py
@@ -19,7 +19,7 @@ class GCPExfiltrateCloudStorageObjects(BaseTechnique):
     def __init__(self):
         mitre_techniques = [
             MitreTechnique(
-                technique_id="T1223",
+                technique_id="T1530",
                 technique_name="Data from Cloud Storage",
                 tactics=["Collection"],
                 sub_technique_name=None
@@ -43,19 +43,19 @@ def execute(self, **kwargs: Any) -> Tuple[ExecutionStatus, Dict[str, Any]]:
             credential.refresh(request=request)
 
             client = storage.Client(credentials=credential)
-
             bucket = client.bucket(bucket_name=name)
-
 
-            objects_path = []
+            objects_path: list[str] = []
+            requsted_blob: list[str] = []
 
-            if path == "":
-                all_blobs = [blob.name for blob in bucket.list_blobs()]
-                for blob in all_blobs:
-                    objects_path.append(blob)
-            else :
-                objects_path.append(path)
+            if path.startswith("/"):
+                path = path.lstrip("/")
 
+            requsted_blob = [blob.name for blob in bucket.list_blobs(prefix=path)]
+
+            for blob in requsted_blob:
+                objects_path.append(blob)
+
             current_time = str(time.time())
 
             hash_object = hashlib.sha256(current_time.encode())
@@ -88,5 +88,5 @@ def execute(self, **kwargs: Any) -> Tuple[ExecutionStatus, Dict[str, Any]]:
     def get_parameters(self) -> Dict[str, Dict[str, Any]]:
         return {
             "name": {"type": "str", "required": True, "default": None, "name": "Name", "input_field_type" : "text"},
-            "path": {"type": "str", "required": False, "default": None, "name": "Path", "input_field_type" : "textarea"}
+            "path": {"type": "str", "required": False, "default": None, "name": "Path", "input_field_type" : "text"}
         }
diff --git a/requirements.txt b/requirements.txt
@@ -79,6 +79,7 @@ azure-storage-blob==12.20.0
 blinker==1.6.3
 boto3==1.34.30
 botocore==1.34.30
+cachetools==5.5.0
 certifi==2023.7.22
 cffi==1.16.0
 charset-normalizer==3.3.1
@@ -97,6 +98,16 @@ Deprecated==1.2.14
 exceptiongroup==1.2.0
 Flask==3.0.0
 frozenlist==1.4.1
+google-api-core==2.24.0
+google-auth==2.37.0
+google-cloud-compute==1.23.0
+google-cloud-core==2.4.1
+google-cloud-storage==2.19.0
+google-crc32c==1.6.0
+google-resumable-media==2.7.2
+googleapis-common-protos==1.66.0
+grpcio==1.69.0
+grpcio-status==1.69.0
 h11==0.14.0
 h2==4.1.0
 hpack==4.0.0
@@ -137,6 +148,10 @@ pip-install==1.3.5
 plotly==5.18.0
 plotly-express==0.4.1
 portalocker==2.8.2
+proto-plus==1.25.0
+protobuf==5.29.3
+pyasn1==0.6.1
+pyasn1_modules==0.4.1
 pycparser==2.21
 PyJWT==2.8.0
 python-dateutil==2.8.2
@@ -145,6 +160,7 @@ PyYAML==6.0.1
 requests==2.31.0
 requests-oauthlib==2.0.0
 retrying==1.3.4
+rsa==4.9
 s3transfer==0.10.0
 scipy==1.12.0
 setuptools==72.1.0
@@ -161,4 +177,3 @@ Werkzeug==3.0.1
 wrapt==1.16.0
 yarl==1.9.4
 zipp==3.17.0
-google-auth==2.37.0