GCP Service Account Creation for Persistence
Successful creation of a new service account in Google Cloud Platform (GCP) can indicate malicious persistence, as adversaries may create these accounts to evade detection by avoiding standard user accounts.
The creation of service accounts in Google Cloud Platform (GCP) is a common administrative task, but can be abused by attackers to maintain persistence. Service accounts are non-human accounts used by applications or VMs to make authorized API calls. Attackers may create service accounts to perform actions within a compromised GCP environment without relying on compromised user credentials, making their activities harder to track. The google.iam.admin.v*.CreateServiceAccount event indicates the creation of a new service account. Defenders should monitor for unexpected service account creation events, as they can signify unauthorized access or persistence mechanisms within a cloud environment.
Attack Chain
- An attacker gains initial access to a GCP environment, possibly through compromised credentials or a vulnerable application.
- The attacker enumerates existing IAM roles and permissions to identify potential escalation paths.
- The attacker attempts to create a new service account using the
google.iam.admin.v*.CreateServiceAccountAPI call. - The attacker assigns elevated privileges to the newly created service account, granting it broad access to GCP resources.
- The attacker uses the service account to perform actions within the GCP environment, such as accessing data or modifying configurations.
- The attacker leverages the service account for persistence, allowing them to regain access even if their initial access method is revoked.
- The attacker monitors the service account activity to ensure it maintains its privileges and has not been detected.
Impact
A successful attack can lead to unauthorized access to sensitive data, modification of critical system configurations, or disruption of services. Even though rated as "low" severity, successful exploitation could allow attackers to maintain a persistent presence within the GCP environment, potentially leading to significant data breaches or service outages.
Recommendation
- Deploy the Sigma rule
GCP Service Account Createdto your SIEM and tune for your environment to detect unexpected service account creation. - Review IAM policies and permissions regularly to identify and remove any excessive privileges granted to service accounts.
- Implement multi-factor authentication (MFA) for all user accounts, including service accounts where possible, to prevent unauthorized access.
- Monitor GCP audit logs for suspicious activity related to service account creation and usage, using the
event.action:google.iam.admin.v*.CreateServiceAccountfilter. - Implement automated workflows to validate and approve service account creation requests to ensure proper authorization and governance.
Detection coverage 2
GCP Service Account Created
lowDetects when a new service account is created in Google Cloud Platform (GCP).
GCP Service Account Created (Audit Logs)
lowDetects when a new service account is created in Google Cloud Platform (GCP) using audit logs.
Detection queries are available on the platform. Get full rules →