Google Workspace user disabled 2-step verification

gsuite

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1556-modify-authentication-process

Set up the gsuite integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a Google Workspace user disables 2-step verification (2SV).

Strategy

Monitor Google Workspace logs to detect when a user disables 2SV. An attacker who has already gained initial access may disable 2SV to degrade organizational security controls.

Triage and response

  1. Check for other signals and logs generated by the impacted user {{@usr.email}}, and look for deviations in the following properties:
    • Application
    • Device
    • Geolocation
    • IP address
  2. Reach out to the user {{@usr.email}} to confirm if they recognize the activity.
  3. If the activity is not legitimate, block the user from signing in and begin your Incident Response process.