Google Workspace user edited account recovery information

gsuite

Classification:

attack

Tactic:

TA0003-persistence

Set up the gsuite integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a Google Workspace user edits account recovery information.

Strategy

Monitor Google Workspace logs to detect when a user edits account recovery information. An attacker who has already gained initial access may update the user’s recovery information to maintain access to the account.

Notes:

  • This rule triggers with a Low severity when this activity originates from an anonymizing proxy.
  • This rule triggers with a High severity when this activity originates from a Tor client.

Triage and response

  1. Check for other signals and logs generated by the impacted user {{@usr.email}}, and look for deviations in the following properties:
    • Application
    • Device
    • Geolocation
    • IP address
  2. Reach out to the user {{@usr.email}} to confirm if they recognize the activity.
  3. If the activity is not legitimate, block the user from signing in and begin your Incident Response process.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.