/
gcp_detect_high_risk_permissions_by_resource_and_account.yml
54 lines (54 loc) · 2.07 KB
/
gcp_detect_high_risk_permissions_by_resource_and_account.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
name: GCP Detect high risk permissions by resource and account
id: 2e70ef35-2187-431f-aedc-4503dc9b06ba
version: 1
date: '2020-10-09'
author: Rod Soto, Splunk
status: deprecated
type: Hunting
description: This search provides detection of high risk permissions by resource and
accounts. These are permissions that can allow attackers with compromised accounts
to move laterally and escalate privileges.
data_source: []
search: '`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken
OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create
OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp
data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission
data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id
| `gcp_detect_high_risk_permissions_by_resource_and_account_filter`'
how_to_implement: You must install splunk GCP add-on. This search works with gcp:pubsub:message
logs
known_false_positives: High risk permissions are part of any GCP environment, however
it is important to track resource and accounts usage, this search may produce false
positives.
references:
- https://github.com/dxa4481/gcploit
- https://www.youtube.com/watch?v=Ml09R38jpok
- https://cloud.google.com/iam/docs/permissions-reference
tags:
analytic_story:
- GCP Cross Account Activity
asset_type: GCP Account
confidence: 50
impact: 50
message: tbd
mitre_attack_id:
- T1078
observable:
- name: field
type: Unknown
role:
- Unknown
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- data.protoPayload.authorizationInfo{}.permission
- data.protoPayload.requestMetadata.callerIp
- data.protoPayload.authenticationInfo.principalEmail
- data.protoPayload.authorizationInfo{}.permission
- data.protoPayload.response.bindings{}.members{}
- data.resource.labels.project_id
risk_score: 25
security_domain: threat