GCP Service Account Creation

Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of
account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to
make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users
through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security
risk. An adversary may create a new service account to use during their operations in order to avoid using a standard
user account and attempt to evade detection.
"""
false_positives = [
    """
    Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be
    added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Service Account Creation"
note = """## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/service-accounts"]
risk_score = 21
rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
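The query above has three clauses that must all hold: the document comes from the gcp.audit dataset, the action is a CreateServiceAccount call on any version of the IAM admin API (the v* wildcard), and the call succeeded. The following script, added here as an illustration and not part of the Elastic rule or the GCP integration, evaluates that logic in Python over a handful of constructed audit documents and then applies the kind of exception the false_positives note describes (suppressing hits from a principal that is expected to create service accounts). The nested field layout (event.dataset, event.action, event.outcome, user.email, gcp.audit.resource_name) is assumed to follow the ECS mapping of the GCP Filebeat module; the documents and principals are invented.

```python
import fnmatch

# Constructed sample documents shaped like ECS output of the GCP Filebeat module.
# Field names are assumed to match that module's mapping; all values are invented.
SAMPLE_EVENTS = [
    {   # expected: matches (v1 API, success)
        "event": {"dataset": "gcp.audit", "action": "google.iam.admin.v1.CreateServiceAccount", "outcome": "success"},
        "user": {"email": "alice@example.com"},
        "gcp": {"audit": {"resource_name": "projects/example-proj/serviceAccounts/app-sa@example-proj.iam.gserviceaccount.com"}},
    },
    {   # expected: no match, the call failed
        "event": {"dataset": "gcp.audit", "action": "google.iam.admin.v1.CreateServiceAccount", "outcome": "failure"},
        "user": {"email": "mallory@example.com"},
        "gcp": {"audit": {"resource_name": "projects/example-proj/serviceAccounts/x@example-proj.iam.gserviceaccount.com"}},
    },
    {   # expected: no match, a different IAM method
        "event": {"dataset": "gcp.audit", "action": "google.iam.admin.v1.DeleteServiceAccount", "outcome": "success"},
        "user": {"email": "alice@example.com"},
        "gcp": {"audit": {"resource_name": "projects/example-proj/serviceAccounts/old-sa@example-proj.iam.gserviceaccount.com"}},
    },
    {   # expected: no match, wrong dataset
        "event": {"dataset": "gcp.firewall", "action": "google.iam.admin.v1.CreateServiceAccount", "outcome": "success"},
    },
    {   # expected: matches through the v* wildcard, created by an allow-listed automation principal
        "event": {"dataset": "gcp.audit", "action": "google.iam.admin.v2.CreateServiceAccount", "outcome": "success"},
        "user": {"email": "terraform@example-proj.iam.gserviceaccount.com"},
        "gcp": {"audit": {"resource_name": "projects/example-proj/serviceAccounts/svc-2@example-proj.iam.gserviceaccount.com"}},
    },
]

RULE_ACTION_PATTERN = "google.iam.admin.v*.CreateServiceAccount"


def get_field(doc, dotted):
    """Resolve an ECS-style dotted field name against a nested dict; None if any part is absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc):
    """Evaluate the rule query: dataset, wildcard action match and successful outcome must all hold."""
    action = get_field(doc, "event.action")
    return (
        get_field(doc, "event.dataset") == "gcp.audit"
        and isinstance(action, str)
        # keyword fields compare case-sensitively; '*' matches any run of characters
        and fnmatch.fnmatchcase(action, RULE_ACTION_PATTERN)
        and get_field(doc, "event.outcome") == "success"
    )


def matching_events(events):
    """Return every document the rule would fire on, before any exceptions."""
    return [e for e in events if matches_rule(e)]


def alerts(events, expected_principals=frozenset()):
    """Apply the rule, then drop hits from principals known to create service accounts.

    expected_principals is the hypothetical exception list an analyst would maintain
    after confirming which automation or admin identities legitimately create accounts.
    """
    out = []
    for e in matching_events(events):
        principal = get_field(e, "user.email")
        if principal in expected_principals:
            continue
        out.append({
            "principal": principal,
            "service_account": get_field(e, "gcp.audit.resource_name"),
            "api_version": get_field(e, "event.action").split(".")[3],
        })
    return out


if __name__ == "__main__":
    allowed = {"terraform@example-proj.iam.gserviceaccount.com"}
    for hit in alerts(SAMPLE_EVENTS, expected_principals=allowed):
        print(f"ALERT: {hit['principal']} created {hit['service_account']} via {hit['api_version']}")
```

Run as-is, the script reports a single alert for alice@example.com: the failed call, the delete, and the non-audit document are filtered by the query itself, and the v2 creation by the automation principal is matched by the rule but suppressed by the exception list, which is the triage step the false_positives note asks for.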

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

https://cloud.google.com/iam/docs/service-accounts