---
title: >-
  Google Cloud Service Account Impersonation using GCPloit Exploitation
  Framework
---

# Google Cloud Service Account Impersonation using GCPloit Exploitation Framework
- Classification: attack
- Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)
- Technique: [T1078-valid-accounts](https://attack.mitre.org/techniques/T1078)

## Goal{% #goal %}

Detect possible Google Cloud Service Account impersonation activity using the [gcploit](https://github.com/dxa4481/gcploit) exploitation framework.

## Strategy{% #strategy %}

Monitor Google Cloud Function logs (`source:gcp.cloud.function`) and detect when the following sequence of events occurs, in this order, within a one-minute window:

- Function is created - `google.cloud.functions.v1.CloudFunctionsService.CreateFunction` with a timeout of 539s (`@data.protoPayload.request.function.timeout:539s`)
- Function's IAM access control policy is enumerated - `google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy`
- Function's IAM access control policy is set - `google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy`
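
The detection logic above, written out as an added example (this is not Datadog's rule implementation, and the field names `timestamp`, `method`, `function`, `principal` and `timeout` are assumed, simplified stand-ins for the Datadog attributes the rule reads). It groups Cloud Function audit entries by function, anchors on a `CreateFunction` call with the 539s timeout, and reports a finding only when `GetIamPolicy` and then `SetIamPolicy` follow on the same function inside the one-minute window. The sample entries are constructed, not real logs.

```python
# Added example: detection logic for the Cloud Function impersonation sequence.
# Not Datadog's rule implementation; the entry fields used here are assumed,
# flattened stand-ins for the Datadog log attributes named on the page.
from datetime import datetime, timedelta

CREATE = "google.cloud.functions.v1.CloudFunctionsService.CreateFunction"
GET_IAM = "google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy"
SET_IAM = "google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy"
GCPLOIT_TIMEOUT = "539s"        # the fixed function timeout the rule keys on
WINDOW = timedelta(minutes=1)   # all three events must land inside this window


def _ts(entry):
    # Audit log timestamps are RFC 3339; a trailing "Z" is rewritten so that
    # datetime.fromisoformat accepts it.
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def detect_impersonation_sequences(entries):
    """Return one finding per function where CreateFunction (timeout 539s)
    is followed, in order, by GetIamPolicy and SetIamPolicy within one minute."""
    by_function = {}
    for entry in sorted(entries, key=_ts):
        by_function.setdefault(entry["function"], []).append(entry)

    findings = []
    for function, events in by_function.items():
        for i, create in enumerate(events):
            if create["method"] != CREATE or create.get("timeout") != GCPLOIT_TIMEOUT:
                continue  # only a CreateFunction with the 539s timeout opens a window
            start = _ts(create)
            saw_get_policy = False
            for later in events[i + 1:]:
                if _ts(later) - start > WINDOW:
                    break  # window expired before the full sequence completed
                if later["method"] == GET_IAM:
                    saw_get_policy = True
                elif later["method"] == SET_IAM and saw_get_policy:
                    findings.append({
                        "function": function,
                        "principal": create["principal"],
                        "window_seconds": (_ts(later) - start).total_seconds(),
                    })
                    break
    return findings


# Constructed sample entries (not real logs). Three scenarios: the full
# sequence inside the window (fn-a), a create with an ordinary timeout (fn-b),
# and the sequence that completes too late to match (fn-c).
_FN = "projects/example-proj/locations/us-central1/functions/"
_SA = "svc-deploy@example-proj.iam.gserviceaccount.com"
SAMPLE_ENTRIES = [
    {"timestamp": "2024-01-01T10:00:00Z", "method": CREATE, "function": _FN + "fn-a",
     "principal": _SA, "timeout": "539s"},
    {"timestamp": "2024-01-01T10:00:12Z", "method": GET_IAM, "function": _FN + "fn-a",
     "principal": _SA},
    {"timestamp": "2024-01-01T10:00:30Z", "method": SET_IAM, "function": _FN + "fn-a",
     "principal": _SA},
    {"timestamp": "2024-01-01T10:05:00Z", "method": CREATE, "function": _FN + "fn-b",
     "principal": _SA, "timeout": "60s"},
    {"timestamp": "2024-01-01T10:05:05Z", "method": GET_IAM, "function": _FN + "fn-b",
     "principal": _SA},
    {"timestamp": "2024-01-01T10:05:10Z", "method": SET_IAM, "function": _FN + "fn-b",
     "principal": _SA},
    {"timestamp": "2024-01-01T10:10:00Z", "method": CREATE, "function": _FN + "fn-c",
     "principal": _SA, "timeout": "539s"},
    {"timestamp": "2024-01-01T10:10:20Z", "method": GET_IAM, "function": _FN + "fn-c",
     "principal": _SA},
    {"timestamp": "2024-01-01T10:11:30Z", "method": SET_IAM, "function": _FN + "fn-c",
     "principal": _SA},
]

if __name__ == "__main__":
    for finding in detect_impersonation_sequences(SAMPLE_ENTRIES):
        print(finding)
```

Only `fn-a` is reported: `fn-b` was created with a normal timeout, and on `fn-c` the `SetIamPolicy` call arrives 90 seconds after creation, outside the window. Keying the window on the function resource name rather than the principal mirrors the rule's focus on the function lifecycle; a stricter variant could also require that all three events share the same caller.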

## Triage & Response{% #triage--response %}

1. Investigate whether the function `{{@function.name}}` was intentionally created by user `{{@usr.id}}`.
1. If unauthorized:
   - Revoke access of compromised credentials.
   - Remove unauthorized cloud functions.
   - Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard.
