GCP Detect high risk permissions by resource and account

Original Source: [splunk source]
Name:GCP Detect high risk permissions by resource and account
id:2e70ef35-2187-431f-aedc-4503dc9b06ba
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:deprecated
type:Hunting
Description:This search detects the use of high risk permissions by resource and account. These are permissions that can allow an attacker with a compromised account to move laterally and escalate privileges.
Data_source:
search:`google_gcp_pubsub_message`
    data.protoPayload.authorizationInfo{}.permission IN (iam.serviceAccounts.getaccesstoken, iam.serviceAccounts.setIamPolicy, iam.serviceAccounts.actas, dataflow.jobs.create, composer.environments.create, dataproc.clusters.create)
    | table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id
    | `gcp_detect_high_risk_permissions_by_resource_and_account_filter`


how_to_implement:You must install the Splunk GCP add-on. This search works with gcp:pubsub:message logs.
known_false_positives:High risk permissions are part of any GCP environment; however, it is important to track resource and account usage. This search may produce false positives.
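The same matching logic applied outside Splunk, as an added example that is not part of the original detection: it walks GCP Pub/Sub audit-log messages, flags the high-risk permissions the search lists (compared case-insensitively, as Splunk does), and returns the fields the search tabulates. The sample messages are constructed, not real logs.

```python
import json

# Permissions the search flags, lower-cased because Splunk compares
# field values case-insensitively (canonical: iam.serviceAccounts.getAccessToken).
HIGH_RISK_PERMISSIONS = {
    "iam.serviceaccounts.getaccesstoken", "iam.serviceaccounts.setiampolicy",
    "iam.serviceaccounts.actas", "dataflow.jobs.create",
    "composer.environments.create", "dataproc.clusters.create",
}

# Constructed sample Pub/Sub audit-log messages (not real logs): a setIamPolicy
# call that returns new bindings, a benign object read, and an actAs + Dataflow job.
SAMPLE_MESSAGES = [json.loads(s) for s in (
    '{"data":{"protoPayload":{"authorizationInfo":[{"permission":"iam.serviceAccounts.setIamPolicy"}],'
    '"requestMetadata":{"callerIp":"203.0.113.7"},'
    '"authenticationInfo":{"principalEmail":"dev@example.com"},'
    '"response":{"bindings":[{"role":"roles/iam.serviceAccountTokenCreator",'
    '"members":["user:dev@example.com"]}]}},"resource":{"labels":{"project_id":"proj-a"}}}}',
    '{"data":{"protoPayload":{"authorizationInfo":[{"permission":"storage.objects.get"}],'
    '"requestMetadata":{"callerIp":"198.51.100.9"},'
    '"authenticationInfo":{"principalEmail":"ops@example.com"}},'
    '"resource":{"labels":{"project_id":"proj-a"}}}}',
    '{"data":{"protoPayload":{"authorizationInfo":[{"permission":"iam.serviceAccounts.actAs"},'
    '{"permission":"dataflow.jobs.create"}],'
    '"requestMetadata":{"callerIp":"203.0.113.7"},'
    '"authenticationInfo":{"principalEmail":"dev@example.com"}},'
    '"resource":{"labels":{"project_id":"proj-b"}}}}',
)]

def find_high_risk(messages):
    """One row per high-risk permission seen, with the fields the search tabulates."""
    rows = []
    for msg in messages:
        data = msg.get("data", {})
        proto = data.get("protoPayload", {})
        hits = [a["permission"] for a in proto.get("authorizationInfo", [])
                if a.get("permission", "").lower() in HIGH_RISK_PERMISSIONS]
        if not hits:
            continue
        # setIamPolicy responses carry the resulting bindings; other calls have none.
        bindings = proto.get("response", {}).get("bindings", [])
        members = sorted({m for b in bindings for m in b.get("members", [])})
        for perm in hits:
            rows.append({
                "callerIp": proto.get("requestMetadata", {}).get("callerIp"),
                "principalEmail": proto.get("authenticationInfo", {}).get("principalEmail"),
                "permission": perm,
                "members": members,
                "project_id": data.get("resource", {}).get("labels", {}).get("project_id"),
            })
    return rows
```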
References:
  - https://github.com/dxa4481/gcploit
  - https://www.youtube.com/watch?v=Ml09R38jpok
  - https://cloud.google.com/iam/docs/permissions-reference
drilldown_searches:
tags:
  analytic_story:
    - 'GCP Cross Account Activity'
  asset_type:GCP Account
  confidence:50
  impact:50
  message:tbd
  mitre_attack_id:
    - 'T1078'
  observable:
    - name:'data.protoPayload.authenticationInfo.principalEmail'
      type:'User'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'data.protoPayload.authorizationInfo{}.permission'
    - 'data.protoPayload.requestMetadata.callerIp'
    - 'data.protoPayload.authenticationInfo.principalEmail'
    - 'data.protoPayload.response.bindings{}.members{}'
    - 'data.resource.labels.project_id'
  risk_score:25
  security_domain:threat

tests:
manual_test:None

Related Analytic Stories


GCP Cross Account Activity