Google Cloud Service Account accessing anomalous number of Google Cloud APIs

gcp

Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1580-cloud-infrastructure-discovery

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a Google Cloud service account is compromised.

Strategy

Inspect the Google Cloud admin activity logs (@data.logName:*%2Factivity) and filter for only Google Cloud service accounts (@usr.id:*.iam.gserviceaccount.com). Count the unique number of Google Cloud API calls (@evt.name) which are being made for each service account (@usr.id). The anomaly detection baselines each service account and then generates a security signal when a service account deviates from their baseline.

To read more about Google Cloud audit logs, read the blog post.

Triage and response

Investigate the logs and determine whether or not the Google Cloud service account is compromised.

Changelog

  • 17 October 2022 - Updated tags.