Google Cloud Service Account Impersonation activity using access token generation

gcp

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1078-valid-accounts

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect Google Cloud service account impersonation activity through the use of access tokens.

Strategy

Monitor Google Cloud Admin Activity audit logs for event @evt.name:GenerateAccessToken:

  • Successful Attempts: @data.protoPayload.authorizationInfo.granted:true
  • Failed Attempts: @evt.outcome:PERMISSION_DENIED

Triage & Response

  1. Investigate if the user {{@usr.id}} from IP address:{{@network.client.ip}} intended to perform this activity.
  2. If unauthorized:
    • Revoke access of compromised user and service account.
    • Investigate other activities performed by the user {{@usr.id}} using the Cloud SIEM - User Investigation dashboard.
    • Investigate other activities performed by the IP {{@network.client.ip}} using the Cloud SIEM - IP Investigation dashboard.