Name:GCP Detect gcploit framework id:a1c5a85e-a162-410c-a5d9-99ff639e5a52 version:4 date:2024-11-14 author:Rod Soto, Splunk status:experimental type:TTP Description:The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources. Data_source:
how_to_implement:You must install splunk GCP add-on. This search works with gcp:pubsub:message logs known_false_positives:Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects References: -https://github.com/dxa4481/gcploit -https://www.youtube.com/watch?v=Ml09R38jpok drilldown_searches:
: tags: analytic_story: - 'GCP Cross Account Activity' asset_type:GCP Account mitre_attack_id: - 'T1078' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:threat
