/
gcp_detect_gcploit_framework.yml
53 lines (53 loc) · 1.76 KB
/
gcp_detect_gcploit_framework.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
name: GCP Detect gcploit framework
id: a1c5a85e-a162-410c-a5d9-99ff639e5a52
version: 1
date: '2020-10-08'
author: Rod Soto, Splunk
status: experimental
type: TTP
description: This search provides detection of GCPloit exploitation framework. This
framework can be used to escalate privileges and move laterally from compromised
high privilege accounts.
data_source: []
search: '`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s
| table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail
data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location
http_user_agent | `gcp_detect_gcploit_framework_filter`'
how_to_implement: You must install splunk GCP add-on. This search works with gcp:pubsub:message
logs
known_false_positives: Payload.request.function.timeout value can possibly be match
with other functions or requests however the source user and target request account
may indicate an attempt to move laterally accross acounts or projects
references:
- https://github.com/dxa4481/gcploit
- https://www.youtube.com/watch?v=Ml09R38jpok
tags:
analytic_story:
- GCP Cross Account Activity
asset_type: GCP Account
confidence: 50
impact: 50
message: tbd
mitre_attack_id:
- T1078
observable:
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- data.protoPayload.request.function.timeout
- src
- src_user
- data.resource.labels.project_id
- data.protoPayload.request.function.serviceAccountEmail
- data.protoPayload.authorizationInfo{}.permission
- data.protoPayload.request.location
- http_user_agent
risk_score: 25
security_domain: threat