Detecting Google Cloud Platform cross-account activity
You are a Google Cloud Platform (GCP) admin who manages access to GCP resources and services across your organization using GCP Identity and Access Management (IAM) functionality. As part of your role, you need to be able to track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity that you need to monitor closely.
IAM provides the ability to create and manage GCP users, groups, and roles, each with its own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, the API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.
However, problems can occur between the time the temporary credentials are issued and the time they expire. This gap represents a window of opportunity in which a malicious actor can leverage the temporary credentials to spin up or remove instances, create new users, elevate privileges, and perform other malicious activities throughout the environment.
These searches are designed to help you monitor your GCP Audit logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges in an account it has not accessed in the past.
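The criterion in the paragraph above (a principal requesting privileges in a project it has not touched before) written out as a first-seen baseline check. This is an added example, not part of the Splunk article or of Splunk ES content; it treats the GCP project as the unit of "account", takes its field names (principalEmail, project_id, permission) from the searches further down this page, and the baseline list, record layout and sample events are constructed assumptions.

```python
"""First-seen check for principal -> project access (added example).

Assumes audit-log records have already been flattened to the three fields
used by the searches on this page: principalEmail, project_id, permission."""
from collections import defaultdict

# Constructed baseline: (principal, project) pairs observed in a prior
# window, e.g. the previous 30 days of GCP audit logs.
BASELINE = [
    ("alice@example.com", "proj-a"),
    ("alice@example.com", "proj-b"),
    ("bob@example.com", "proj-b"),
]

# Constructed records to evaluate, flattened from
# data.protoPayload.authenticationInfo.principalEmail,
# data.resource.labels.project_id and
# data.protoPayload.authorizationInfo{}.permission.
NEW_EVENTS = [
    {"principalEmail": "alice@example.com", "project_id": "proj-a",
     "permission": "compute.instances.list"},
    {"principalEmail": "bob@example.com", "project_id": "proj-a",
     "permission": "iam.serviceAccounts.getAccessToken"},
    {"principalEmail": "bob@example.com", "project_id": "proj-a",
     "permission": "iam.serviceAccounts.actAs"},
    {"principalEmail": "eve@example.com", "project_id": "proj-b",
     "permission": "compute.instances.get"},
]


def build_baseline(pairs):
    """Map each principal to the set of projects it has accessed before."""
    seen = defaultdict(set)
    for principal, project in pairs:
        seen[principal].add(project)
    return seen


def first_seen_access(events, seen):
    """Return one finding per (principal, project) pair absent from `seen`,
    listing every permission requested during that first contact.

    A principal with no history at all (eve below) is reported too: a
    brand-new identity touching a project is at least as interesting as a
    known one reaching into a new project. `seen` is updated in place so a
    later run does not alert on the same pair again."""
    findings = {}
    for ev in events:
        principal, project = ev["principalEmail"], ev["project_id"]
        if project in seen[principal]:
            continue  # known pairing: ordinary cross-project activity
        findings.setdefault((principal, project), []).append(ev["permission"])
    for principal, project in findings:
        seen[principal].add(project)
    return [{"principal": p, "project": proj, "permissions": perms}
            for (p, proj), perms in findings.items()]


def run(events=NEW_EVENTS, baseline=BASELINE):
    """Evaluate `events` against a fresh baseline built from `baseline`."""
    return first_seen_access(events, build_baseline(baseline))


if __name__ == "__main__":
    for f in run():
        print(f"{f['principal']} first seen in {f['project']}: "
              f"{', '.join(f['permissions'])}")
```

In production the baseline would be the output of a scheduled search over a trailing window rather than a literal list, and the permissions column is what lets an analyst tell a harmless first read of a project from a first contact that starts with a token mint.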
Data required
How to use Splunk software for this use case
- Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment.
- To optimize the searches, you should specify an index and a time range when appropriate.
- ► GCP accounts with high risk roles by project
This search provides detection of accounts with high risk roles by project. Compromised accounts with high risk roles can move laterally or escalate privileges across projects, depending on your organization's schema.
This search may result in some false positives. Accounts with high risk roles should be reduced to the minimum number needed. However, specific tasks and setups may be expected behavior within your organization.
| search (sourcetype="google:gcp:pubsub:message" "data.protoPayload.request.policy.bindings{}.role" IN ("roles/owner", "roles/composer.admin", "roles/dataflow.admin", "roles/dataflow.developer", "roles/dataproc.admin", "roles/dataproc.editor", "roles/editor", "roles/iam.serviceAccountAdmin", "roles/iam.serviceAccountTokenCreator", "roles/iam.serviceAccountUser")) | table "data.resource.type", "data.protoPayload.authenticationInfo.principalEmail", "data.protoPayload.authorizationInfo{}.permission", "data.protoPayload.authorizationInfo{}.resource", "data.protoPayload.response.bindings{}.role", "data.protoPayload.response.bindings{}.members{}"
- ► GCPloit exploitation framework
This search provides detection of the GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts.
This search may result in some false positives, since the data.protoPayload.request.function.timeout value can also be matched by other functions or requests. However, the source user and target request account may indicate an attempt to move laterally across accounts or projects.
| search ("data.protoPayload.request.function.timeout"=539s sourcetype="google:gcp:pubsub:message") | table src, src_user, "data.resource.labels.project_id", "data.protoPayload.request.function.serviceAccountEmail", "data.protoPayload.authorizationInfo{}.permission", "data.protoPayload.request.location", http_user_agent
- ► High risk GCP permissions by resource and account
This search provides detection of high risk permissions by resource and account. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges.
This search may result in some false positives, since high risk permissions are part of any GCP environment. However, it is important to track resource and account usage.
| search (sourcetype="google:gcp:pubsub:message" "data.protoPayload.authorizationInfo{}.permission" IN ("iam.serviceAccounts.getAccessToken", "composer.environments.create", "dataflow.jobs.create", "dataproc.clusters.create", "iam.serviceAccounts.actAs", "iam.serviceAccounts.setIamPolicy")) | table "data.protoPayload.requestMetadata.callerIp", "data.protoPayload.authenticationInfo.principalEmail", "data.protoPayload.authorizationInfo{}.permission", "data.protoPayload.response.bindings{}.members{}", "data.resource.labels.project_id"
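The high risk roles search, the GCPloit timeout search and the high risk permissions search above all hinge on the same thing: reading multi-valued fields out of the nested audit-log JSON (the `{}` in names such as authorizationInfo{}.permission) and comparing them against a fixed list. The block below is an added example, not part of the Splunk article or of Splunk ES content, that re-implements those three searches in Python so the matching can be exercised offline against constructed messages. The role and permission lists are copied from the searches; the Pub/Sub message layout (a "data" object wrapping the audit-log protoPayload), the `_msg` helper and the sample events are assumptions.

```python
"""Evaluate the high-risk-role, GCPloit-timeout and high-risk-permission
indicators over GCP audit-log messages (added example, layout assumed)."""
from typing import Any, Iterator

# Role list copied from the "high risk roles by project" search.
HIGH_RISK_ROLES = {
    "roles/owner", "roles/composer.admin", "roles/dataflow.admin",
    "roles/dataflow.developer", "roles/dataproc.admin", "roles/dataproc.editor",
    "roles/editor", "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountTokenCreator", "roles/iam.serviceAccountUser",
}
# Permission list copied from the "high risk permissions" search. Splunk
# compares values case-insensitively, so normalise to lower case here too.
HIGH_RISK_PERMISSIONS = {p.lower() for p in (
    "iam.serviceAccounts.getAccessToken", "composer.environments.create",
    "dataflow.jobs.create", "dataproc.clusters.create",
    "iam.serviceAccounts.actAs", "iam.serviceAccounts.setIamPolicy",
)}
GCPLOIT_TIMEOUT = "539s"  # value from the GCPloit search above


def extract(obj: Any, path: str) -> list:
    """Return every value at a Splunk-style dotted path.

    A segment ending in '{}' means 'each element of this array', which is how
    Splunk names multi-valued JSON fields. Missing keys yield nothing."""
    def walk(node: Any, parts: list) -> Iterator[Any]:
        if not parts:
            yield node
            return
        head, rest = parts[0], parts[1:]
        if head.endswith("{}"):
            items = node.get(head[:-2], []) if isinstance(node, dict) else []
            for item in items:
                yield from walk(item, rest)
        elif isinstance(node, dict) and head in node:
            yield from walk(node[head], rest)
    return list(walk(obj, path.split(".")))


def evaluate(event: dict) -> list:
    """Apply the three rules to one message and return a list of findings."""
    project = (extract(event, "data.resource.labels.project_id") or ["unknown"])[0]
    principal = (extract(
        event, "data.protoPayload.authenticationInfo.principalEmail") or ["unknown"])[0]
    findings = []

    def report(rule: str, value: str) -> None:
        findings.append({"rule": rule, "project": project,
                         "principal": principal, "value": value})

    for role in extract(event, "data.protoPayload.request.policy.bindings{}.role"):
        if role in HIGH_RISK_ROLES:
            report("high_risk_role", role)
    for perm in extract(event, "data.protoPayload.authorizationInfo{}.permission"):
        if perm.lower() in HIGH_RISK_PERMISSIONS:
            report("high_risk_permission", perm)
    for timeout in extract(event, "data.protoPayload.request.function.timeout"):
        if timeout == GCPLOIT_TIMEOUT:
            report("gcploit_timeout", timeout)
    return findings


def _msg(project: str, principal: str, **payload: Any) -> dict:
    """Build a constructed Pub/Sub message in the assumed layout (hypothetical)."""
    payload["authenticationInfo"] = {"principalEmail": principal}
    return {"data": {"resource": {"labels": {"project_id": project}},
                     "protoPayload": payload}}


# Constructed sample events: three that should fire and one benign control.
SAMPLE_EVENTS = [
    _msg("proj-a", "alice@example.com",  # policy change granting roles/owner
         authorizationInfo=[{"permission": "resourcemanager.projects.setIamPolicy"}],
         request={"policy": {"bindings": [
             {"role": "roles/owner", "members": ["user:mallory@example.com"]},
             {"role": "roles/viewer", "members": ["user:carol@example.com"]}]}}),
    _msg("proj-b", "bob@example.com",  # function deployed with the 539s timeout
         authorizationInfo=[{"permission": "cloudfunctions.functions.create"}],
         request={"function": {"timeout": "539s",
                               "serviceAccountEmail": "sa@proj-b.iam.gserviceaccount.com"}}),
    _msg("proj-a", "dave@example.com",  # token minted for a service account
         authorizationInfo=[{"permission": "iam.serviceAccounts.getAccessToken"}]),
    _msg("proj-b", "carol@example.com",  # routine read, no finding expected
         authorizationInfo=[{"permission": "compute.instances.list"}]),
]


def run(events: list = SAMPLE_EVENTS) -> list:
    """Evaluate every message and concatenate the findings in event order."""
    return [f for event in events for f in evaluate(event)]


if __name__ == "__main__":
    for f in run():
        print(f"{f['rule']:22} {f['project']:8} {f['principal']:20} {f['value']}")
```

The `extract` helper is the part worth keeping: it reproduces the multi-value semantics of Splunk's `{}` field names, so a rule written against the search above and a rule written against this function see the same values for a binding with several members or a request with several permissions.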
- ► GCP OAuth token abuse
This search provides detection of possible GCP OAuth token abuse. GCP OAuth tokens without time limits can be exfiltrated and reused to keep access sessions alive without any further authentication check, allowing attackers to access resources and move laterally.
| search (sourcetype="google:gcp:pubsub:message" type.googleapis.com/google.cloud.audit.AuditLog) | table "protoPayload.@type", "protoPayload.status.details{}.@type", "protoPayload.status.details{}.violations{}.callerIp", "protoPayload.status.details{}.violations{}.type", "protoPayload.status.message"
Next steps
The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.
In addition, Splunk Enterprise Security provides a number of other searches to help reinforce your Cloud Security posture, including:
- Detecting AWS cross-account activity
- Detecting AWS network ACL activity
- Detecting AWS suspicious provisioning activities
- Monitoring user activity spikes in AWS
- Monitoring AWS EC2 for suspicious login activities
- Monitoring AWS S3 for suspicious activities
- Monitoring AWS for suspicious traffic
- Monitoring AWS EC2 for unusual modifications