Google Cloud Service Account Impersonation using GCPloit Exploitation Framework

Goal

Detect possible Google Cloud Service Account impersonation activity using the gcploit exploitation framework.

Strategy

Monitor Google Cloud Function Logs source:gcp.cloud.function and detect if the following sequence of events has occurred within a one minute window:

  • Function is created - google.cloud.functions.v1.CloudFunctionsService.CreateFunction with a timeout of 539s (@data.protoPayload.request.function.timeout:539s)
  • Function’s IAM access control policy is enumerated - google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy
  • Function’s IAM access control policy is set - google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy

Triage & Response

  1. Investigate if the function:{{@function.name}} was intentionally created by user {{@usr.id}}.
  2. If unauthorized:
    • Revoke access of compromised credentials.
    • Remove unauthorized cloud functions.
    • Investigate other activities performed by the user {{@usr.id}} using the Cloud SIEM - User Investigation dashboard.