About
An attacker with access to your GCP project can create a service account to persist in your environment.
Understanding Impact
Business Impact
When an attacker creates a service account in your environment, they may continue to have access for an extended period of time even when the root cause of the breach is identified and fixed.
Technical Impact
Attackers typically attempt to create service accounts, assign them privileged permissions on the project, and generate access keys for the newly created service account.
Detection
You can detect when someone creates a new service account by monitoring the GCP Admin Activity audit log for the event google.iam.admin.v1.CreateServiceAccount. Here is a sample (shortened) event:
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "serviceName": "iam.googleapis.com",
    "methodName": "google.iam.admin.v1.CreateServiceAccount",
    "resourceName": "projects/project-name",
    "request": {
      "name": "projects/project-name",
      "service_account": {
        "display_name": "created-service-account-name"
      },
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateServiceAccountRequest",
      "account_id": "created-service-account-name"
    }
  },
  "resource": {
    "type": "service_account",
    "labels": {
      "project_id": "project-name",
      "unique_id": "XXXX",
      "email_id": "created-service-account-name@project-name.iam.gserviceaccount.com"
    }
  }
}
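The detection described above, as an added example that is not part of the original page or of any Datadog rule: it scans Admin Activity log entries (one JSON object per line, as exported from Cloud Logging), records every CreateServiceAccount event with the principal that issued it, and flags when a key is then generated for that same account, which is the persistence pattern the Technical Impact section describes. The log entries are constructed for the example; the authenticationInfo.principalEmail field and the CreateServiceAccountKey method name are real Cloud Audit Log fields that the page itself does not show.

```python
import json

CREATE_SA = "google.iam.admin.v1.CreateServiceAccount"
CREATE_SA_KEY = "google.iam.admin.v1.CreateServiceAccountKey"
NEW_SA_EMAIL = "created-service-account-name@project-name.iam.gserviceaccount.com"


def audit_entry(method, principal, sa_email, project="project-name"):
    """Build a constructed, shortened Admin Activity LogEntry for iam.googleapis.com."""
    return {
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "iam.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
        },
        "resource": {"type": "service_account",
                     "labels": {"project_id": project, "email_id": sa_email}},
    }


# Constructed sample log: a benign read, then the create + key-generation sequence.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    audit_entry("google.iam.admin.v1.GetServiceAccount", "bob@example.com",
                "existing-sa@project-name.iam.gserviceaccount.com"),
    audit_entry(CREATE_SA, "alice@example.com", NEW_SA_EMAIL),
    audit_entry(CREATE_SA_KEY, "alice@example.com", NEW_SA_EMAIL),
])


def detect_new_service_accounts(log_text):
    """Map each newly created service account to who created it and whether a
    key was generated for it afterwards in the same log window."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "iam.googleapis.com":
            continue
        method = payload.get("methodName")
        sa_email = entry.get("resource", {}).get("labels", {}).get("email_id")
        principal = payload.get("authenticationInfo", {}).get("principalEmail")
        if method == CREATE_SA:
            findings[sa_email] = {"created_by": principal, "key_created": False}
        elif method == CREATE_SA_KEY and sa_email in findings:
            findings[sa_email]["key_created"] = True
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_new_service_accounts(SAMPLE_LOG), indent=2))
```

In production the same logic runs against a log sink or an SIEM query filtered on protoPayload.methodName; a key generated shortly after creation by the same principal is worth a higher severity than the creation alone.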
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate gcp.persistence.create-admin-service-account
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Google Cloud Service Account created".
References
Create an Admin GCP Service Account (stratus-red-team.cloud)
An Adventure in Google Cloud threat detection (securitylabs.datadoghq.com)
Hunting for signs of persistence in the cloud (wiz.io)