Tag
Google Workspace Custom Admin Role Created for Persistence
1 rule 2 TTPsAdversaries may create custom administrative roles in Google Workspace to establish persistence with tailored, elevated permissions, which are then assigned to compromised or attacker-controlled accounts to bypass security controls, grant OAuth access, or modify mail routing.
Google Workspace Admin Role Assigned to a User or Group
2 rules 2 TTPsAdversaries leverage the assignment of administrative roles within Google Workspace to an existing or new user/group, establishing persistence and escalating privileges to gain broad control over the tenant, including bypassing single sign-on.
Google Workspace Admin Role Deletion
2 rules 2 TTPsAdversaries with elevated privileges within Google Workspace may delete custom administrative roles to impede security operations, remove delegated administrator access, or obfuscate their activities during an active incident, leading to disrupted delegated administration, loss of security team access, or hindrance of incident response efforts.
Google Workspace Device Registration After OAuth from Suspicious ASN
2 rules 2 TTPsDetects a sequence of events in Google Workspace where OAuth authorization from a suspicious ASN is immediately followed by device registration, potentially indicating attacker-controlled device enrollment after user authorization of a sensitive client, possibly related to Tycoon2FA.