GCP Detect gcploit framework

Original Source: [splunk source]
Name:GCP Detect gcploit framework
id:a1c5a85e-a162-410c-a5d9-99ff639e5a52
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:experimental
type:TTP
Description:The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources.
Data_source:
search:`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s
| table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent
| `gcp_detect_gcploit_framework_filter`

how_to_implement:You must install splunk GCP add-on. This search works with gcp:pubsub:message logs
known_false_positives:Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects
References:
  -https://github.com/dxa4481/gcploit
   -https://www.youtube.com/watch?v=Ml09R38jpok
 drilldown_searches:
  :
tags:
  analytic_story:
    - 'GCP Cross Account Activity'
  asset_type:GCP Account
  confidence:50
  impact:50
  message:tbd
  mitre_attack_id:
    - 'T1078'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'data.protoPayload.request.function.timeout'
    - 'src'
    - 'src_user'
    - 'data.resource.labels.project_id'
    - 'data.protoPayload.request.function.serviceAccountEmail'
    - 'data.protoPayload.authorizationInfo{}.permission'
    - 'data.protoPayload.request.location'
    - 'http_user_agent'
  risk_score:25
  security_domain:threat

tests:
  :
manual_test:None

Related Analytic Stories


GCP Cross Account Activity

© 2024 DetectionCode Website. All Rights Reserved.