Google Workspace User Organizational Unit Changed
Detects when a Google Workspace user's organizational unit is changed, potentially indicating an adversary attempting to inherit permissions and gain unauthorized access to resources and applications.
This detection rule identifies when a user’s organizational unit is changed within Google Workspace. Google Workspace organizational units are used to manage access and permissions for groups of users. An attacker who has compromised a valid account may attempt to move that account to a different organizational unit to inherit permissions to applications and resources that were previously inaccessible. This can facilitate privilege escalation and lateral movement within the Google Workspace environment. The rule leverages Google Workspace admin audit logs to detect MOVE_USER_TO_ORG_UNIT events, providing visibility into potentially malicious configuration changes. This rule is designed for production environments.
Attack Chain
- An attacker compromises a Google Workspace user account through credential theft or other means.
- The attacker authenticates to the Google Workspace admin console using the compromised account.
- The attacker navigates to the user management section of the admin console.
- The attacker locates the target user account whose privileges they want to escalate.
- The attacker modifies the organizational unit assignment for the target user.
- The attacker moves the target user to an organizational unit with higher privileges or access to sensitive resources.
- The target user now inherits the permissions and privileges associated with the new organizational unit.
- The attacker leverages the newly acquired privileges to access restricted applications, data, or resources within the Google Workspace environment.
Impact
A successful attack could allow an adversary to escalate privileges within the Google Workspace environment, gain access to sensitive data, and potentially compromise critical business applications. While the rule’s severity is low, the impact of a successful privilege escalation can be significant. It is important to investigate all instances of organizational unit changes to determine if they are legitimate.
Recommendation
- Deploy the Sigma rule to your SIEM to detect unauthorized organizational unit changes.
- Investigate any alerts generated by the Sigma rule, focusing on identifying the actor, target user, and the previous and new organizational units involved.
- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
- Reduce the interval that the Google Workspace Filebeat module polls Google’s reporting API for new events to minimize potential false negatives. Refer to the Filebeat module documentation.
- Implement security best practices outlined by Google to protect against account compromise and privilege escalation. See Google Workspace security best practices.
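The detection logic described above, run over sample audit records, as an added example (this is not the platform's own query or the page's Sigma rule). It assumes the Admin SDK Reports API activity shape for the `admin` application, with the event parameters `USER_EMAIL`, `ORG_UNIT_NAME` (previous unit) and `NEW_VALUE` (new unit); those parameter names, the sample records, and the privileged-OU list are assumptions to verify against your own exported events. It extracts the actor, target user and both organizational units that the investigation step asks for, and raises the triage priority when the destination is a privileged unit or when an account moves itself.

```python
"""Flag MOVE_USER_TO_ORG_UNIT events in Google Workspace admin audit records (added example)."""
import json
from dataclasses import dataclass, asdict

EVENT_NAME = "MOVE_USER_TO_ORG_UNIT"

# Constructed sample log lines (assumed Reports API shape; not real telemetry).
SAMPLE_LOG_LINES = [
    json.dumps({  # routine move by an IT admin
        "kind": "admin#reports#activity",
        "id": {"time": "2024-05-01T10:00:00.000Z", "applicationName": "admin"},
        "actor": {"email": "it-admin@example.com", "callerType": "USER"},
        "events": [{"type": "USER_SETTINGS", "name": "MOVE_USER_TO_ORG_UNIT",
                    "parameters": [{"name": "USER_EMAIL", "value": "alice@example.com"},
                                   {"name": "ORG_UNIT_NAME", "value": "/Contractors"},
                                   {"name": "NEW_VALUE", "value": "/Engineering"}]}],
    }),
    json.dumps({  # unrelated admin event, must not alert
        "kind": "admin#reports#activity",
        "id": {"time": "2024-05-01T10:05:00.000Z", "applicationName": "admin"},
        "actor": {"email": "it-admin@example.com"},
        "events": [{"type": "USER_SETTINGS", "name": "CHANGE_PASSWORD",
                    "parameters": [{"name": "USER_EMAIL", "value": "carol@example.com"}]}],
    }),
    json.dumps({  # move into a privileged unit
        "kind": "admin#reports#activity",
        "id": {"time": "2024-05-01T10:07:00.000Z", "applicationName": "admin"},
        "actor": {"email": "alice@example.com"},
        "events": [{"type": "USER_SETTINGS", "name": "MOVE_USER_TO_ORG_UNIT",
                    "parameters": [{"name": "USER_EMAIL", "value": "bob@example.com"},
                                   {"name": "ORG_UNIT_NAME", "value": "/Sales"},
                                   {"name": "NEW_VALUE", "value": "/IT/Admins"}]}],
    }),
    "not json at all",  # truncated/malformed line, must be skipped
    json.dumps({  # account moving itself
        "kind": "admin#reports#activity",
        "id": {"time": "2024-05-01T10:09:00.000Z", "applicationName": "admin"},
        "actor": {"email": "mallory@example.com"},
        "events": [{"type": "USER_SETTINGS", "name": "MOVE_USER_TO_ORG_UNIT",
                    "parameters": [{"name": "USER_EMAIL", "value": "mallory@example.com"},
                                   {"name": "ORG_UNIT_NAME", "value": "/Sales"},
                                   {"name": "NEW_VALUE", "value": "/Engineering"}]}],
    }),
]


@dataclass(frozen=True)
class OuMove:
    time: str
    actor: str
    target_user: str
    previous_ou: str
    new_ou: str


def _params(event):
    """Flatten the event's name/value parameter list into a dict."""
    return {p.get("name"): p.get("value") for p in event.get("parameters", [])}


def extract_ou_moves(activity):
    """Return every MOVE_USER_TO_ORG_UNIT event in one admin audit activity."""
    moves = []
    if activity.get("id", {}).get("applicationName") != "admin":
        return moves
    actor = activity.get("actor", {}).get("email", "<unknown>")
    when = activity.get("id", {}).get("time", "")
    for ev in activity.get("events", []):
        if ev.get("name") != EVENT_NAME:
            continue
        p = _params(ev)
        moves.append(OuMove(when, actor, p.get("USER_EMAIL", "<unknown>"),
                            p.get("ORG_UNIT_NAME", "<unknown>"), p.get("NEW_VALUE", "<unknown>")))
    return moves


def _is_within(ou_path, root):
    """True if ou_path is root or nested under it (component-aware: /IT/Admins-legacy is not under /IT/Admins)."""
    ou = ou_path.rstrip("/") + "/"
    r = root.rstrip("/") + "/"
    return ou.startswith(r)


def triage(move, privileged_ous):
    """Baseline severity is low (as the rule states); escalate on risky destinations or self-moves."""
    if any(_is_within(move.new_ou, p) for p in privileged_ous):
        return "high"    # destination grants elevated access
    if move.actor.lower() == move.target_user.lower():
        return "medium"  # account moved itself; unusual for a normal admin workflow
    return "low"


def detect(log_lines, privileged_ous=("/IT/Admins",)):
    """Parse newline-delimited audit records and emit one alert per OU move."""
    alerts = []
    for line in log_lines:
        try:
            activity = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than stopping the pipeline
        if not isinstance(activity, dict):
            continue
        for move in extract_ou_moves(activity):
            alerts.append({**asdict(move), "severity": triage(move, privileged_ous)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES):
        print(json.dumps(alert))
```

The privileged-OU list is the tuning knob: populate it with the units that actually carry elevated application access in your tenant, and keep the rule's low baseline for everything else so the alerts remain investigable rather than noisy.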
Detection coverage (2 rules)
- Detect Google Workspace User Organizational Unit Change (severity: low): Detects when a user's organizational unit is changed in Google Workspace, potentially indicating malicious activity.
- Detect Google Workspace User Organizational Unit Change via Admin API (severity: low): Detects when a user's organizational unit is changed in Google Workspace via the Admin API.