{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/custom-role/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Google Cloud Platform"],"_cs_severities":["medium"],"_cs_tags":["gcp","iam","custom-role","initial-access","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of IAM custom role creation within Google Cloud Platform (GCP). IAM custom roles are user-defined roles that bundle one or more supported permissions, allowing for tailored access management. While legitimate use cases exist, adversaries can exploit this feature by creating roles with excessive permissions, potentially leading to privilege escalation or persistence. This activity can be used to maintain unauthorized access and control within the GCP environment. Defenders should monitor for anomalous role creation activity, especially roles with broad or unusual permission sets, as these could signal malicious intent. The rule is designed to work with GCP Fleet integration, Filebeat module, or similarly structured data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a GCP account, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GCP environment using valid credentials (T1078).\u003c/li\u003e\n\u003cli\u003eThe attacker explores existing IAM roles and permissions to identify potential escalation paths.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a custom IAM role with overly permissive privileges (T1098, T1098.003), granting themselves access to critical resources.\u003c/li\u003e\n\u003cli\u003eThe attacker creates the custom IAM role using the \u003ccode\u003egoogle.iam.admin.v*.CreateRole\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe event is logged as a successful operation (\u003ccode\u003eevent.outcome:success\u003c/code\u003e) in the GCP audit logs.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns the newly created custom role to a compromised or attacker-controlled user or service account.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the escalated privileges to access sensitive data, modify configurations, or deploy malicious workloads, achieving persistence or further compromising the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to significant damage, including unauthorized access to sensitive data, compromised systems, and potential data exfiltration. The creation of custom roles with excessive permissions can enable adversaries to maintain persistent access to the GCP environment, escalate privileges, and bypass existing security controls. Organizations may experience data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious IAM custom role creation events in GCP (logsource: gcp.audit).\u003c/li\u003e\n\u003cli\u003eReview and audit existing IAM roles and permissions regularly to identify and remediate overly permissive configurations.\u003c/li\u003e\n\u003cli\u003eImplement the principle of least privilege when assigning permissions to IAM roles, both built-in and custom.\u003c/li\u003e\n\u003cli\u003eMonitor GCP audit logs for \u003ccode\u003egoogle.iam.admin.v*.CreateRole\u003c/code\u003e events and investigate any unexpected or unauthorized role creation activity.\u003c/li\u003e\n\u003cli\u003eEnsure that only authorized personnel have the necessary permissions to create custom IAM roles, and implement controls to prevent unauthorized role creation.\u003c/li\u003e\n\u003cli\u003eEstablish a baseline of expected role creation activity and investigate any deviations from this baseline.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-gcp-iam-custom-role-creation/","summary":"Detection of Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP), which can indicate potential privilege escalation or persistence by adversaries creating roles with excessive permissions.","title":"GCP IAM Custom Role Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-gcp-iam-custom-role-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Custom-Role","version":"https://jsonfeed.org/version/1.1"}