Google Cloud Service Account Impersonation activity using access token generation

gcp

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1078-valid-accounts

Goal

Detect Google Cloud service account impersonation activity through the use of access tokens.

Strategy

Monitor Google Cloud Admin Activity audit logs for event @evt.name:GenerateAccessToken:

  • Successful Attempts: @data.protoPayload.authorizationInfo.granted:true
  • Failed Attempts: @evt.outcome:PERMISSION_DENIED

Triage & Response

  1. Investigate if the user {{@usr.id}} from IP address:{{@network.client.ip}} intended to perform this activity.
  2. If unauthorized:
    • Revoke access of compromised user and service account.
    • Investigate other activities performed by the user {{@usr.id}} using the Cloud SIEM - User Investigation dashboard.
    • Investigate other activities performed by the IP {{@network.client.ip}} using the Cloud SIEM - IP Investigation dashboard.