GCP - KMS Post Exploitation
Find basic information about KMS in:
cloudkms.cryptoKeyVersions.destroy
An attacker with this permission could destroy a KMS key version. To do this, you first need to disable the key version and then destroy it.
In AWS it's possible to completely steal a KMS key by modifying the KMS resource policy so that only the attacker's account can use the key. As these resource policies do not exist in GCP, this is not possible.
However, there is another way to perform global KMS ransomware, which would involve the following steps:
Create a new version of the key with key material imported by the attacker
Set it as the default version (for future data being encrypted)
Re-encrypt older data encrypted with the previous version with the new one
Delete the KMS key
Now only the attacker, who has the original key material, would be able to decrypt the encrypted data.
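For defenders, the steps above leave a recognisable trail in Cloud Audit Logs. The following is an added detection example, not code from the original page: it flags a principal that imports a key version, changes the primary version and then destroys a version of the same key, in that order. The log entries, project, key and account names are constructed, and it is an assumption that `methodName` carries the KMS RPC name in either short or fully qualified form.

```python
import json
from collections import defaultdict

# Ordered audit-log method names for the sequence described above
# (import key material -> change primary version -> destroy a version).
STAGES = ("ImportCryptoKeyVersion", "UpdateCryptoKeyPrimaryVersion", "DestroyCryptoKeyVersion")

def entry(ts, who, method, resource):
    """Build one constructed audit-log line with only the fields used below."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "serviceName": "cloudkms.googleapis.com", "methodName": method,
        "resourceName": resource, "authenticationInfo": {"principalEmail": who}}})

KEY_A = "projects/example-proj/locations/global/keyRings/ring1/cryptoKeys/app-key"
KEY_B = "projects/example-proj/locations/global/keyRings/ring1/cryptoKeys/billing-key"
SVC = "svc-build@example-proj.iam.gserviceaccount.com"
# Constructed sample log, deliberately out of time order.
SAMPLE_LOG = "\n".join([
    entry("2024-05-01T10:07:00Z", SVC, "DestroyCryptoKeyVersion", KEY_A + "/cryptoKeyVersions/1"),
    entry("2024-05-01T09:00:00Z", "admin@example.com", "DestroyCryptoKeyVersion", KEY_B + "/cryptoKeyVersions/3"),
    entry("2024-05-01T10:01:00Z", SVC, "ImportCryptoKeyVersion", KEY_A),
    entry("2024-05-01T10:02:00Z", SVC, "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion", KEY_A),
    entry("2024-05-01T10:03:00Z", "admin@example.com", "UpdateCryptoKeyPrimaryVersion", KEY_B),
])

def find_key_takeovers(log_text):
    """Return [(key, principal)] where one principal ran all STAGES, in order, on one key."""
    entries = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    progress = defaultdict(int)   # (key, principal) -> count of stages matched so far
    hits = []
    # Same-format UTC RFC 3339 timestamps sort correctly as strings.
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        p = e.get("protoPayload", {})
        if p.get("serviceName") != "cloudkms.googleapis.com":
            continue
        method = p["methodName"].rsplit(".", 1)[-1]   # accept short or fully qualified
        key = p["resourceName"].split("/cryptoKeyVersions/")[0]
        ident = (key, p["authenticationInfo"]["principalEmail"])
        stage = progress[ident]
        if stage < len(STAGES) and method == STAGES[stage]:
            progress[ident] = stage + 1
            if stage + 1 == len(STAGES):
                hits.append(ident)
    return hits

if __name__ == "__main__":
    for key, who in find_key_takeovers(SAMPLE_LOG):
        print(f"ALERT: {who} imported, promoted and destroyed versions of {key}")
```

A lone `DestroyCryptoKeyVersion`, such as the one on `billing-key` in the sample, is not flagged by this rule; alert on it separately if key version destruction is rare in your environment.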
cloudkms.cryptoKeyVersions.useToEncrypt | cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.useToVerify