Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1078-valid-accounts

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when a Google Compute Engine default service account is used outside of Google Cloud.

Strategy

This rule monitors Google Cloud Audit Logs to determine when a Google Compute Engine default service account is used from outside a Google Cloud environment. The usage of a Google Cloud default service account, such as the Compute Engine service account, from outside the Google Cloud environment, could serve as an indicator that the credentials of the service account have been compromised.

Triage and response

1. Determine if the actions {{@evt.name}} taken by the Compute Engine default service account {{@usr.id}} are legitimate by looking at past activity and the type of API calls occurring.
2. If the action is legitimate, consider including the IP address or ASN in a suppression list. See this article on Best practices for creating detection rules with Datadog Cloud SIEM for more information.
3. Otherwise, use the Cloud SIEM - IP Investigation dashboard to see if the IP address: {{@network.client.ip}} has taken other actions.
4. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and investigate.

Changelog

• 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.