
Enumerate Permissions of a GCP Service Account

idempotent

Platform: GCP

Mappings

  • MITRE ATT&CK
    • Discovery

Description

Enumerates the effective permissions of a GCP service account by calling projects.testIamPermissions repeatedly against a large list of candidate permissions. The API returns only the subset of the supplied permissions that the caller holds, and calling it requires no IAM permission of its own, so an attacker can map what a key can do without needing getIamPolicy or any role-listing access.

This simulates an attacker who has compromised a service account key and is enumerating what the service account has access to.

Warm-up:

  • Create a GCP service account
  • Grant it a low-value role: Storage Object Viewer (roles/storage.objectViewer)
  • Create a service account key for it

Detonation:

  • Call projects.testIamPermissions repeatedly with the service account key, sending chunks of 100 permissions per request, and collect the permissions reported as held


Instructions

Detonate with Stratus Red Team
stratus detonate gcp.discovery.enumerate-permissions

Detection

Monitor for many calls to projects.testIamPermissions from the same principal in a short window. Legitimate callers (the Cloud Console deciding which buttons to show, a Terraform plan) issue a handful of calls; a service account issuing dozens of them within a minute, each carrying a different batch of permissions, is enumerating its own access.

Warning

These events are recorded in Data Access audit logs (testIamPermissions is logged as an ADMIN_READ operation), which are disabled by default. Enable Data Access audit logging for the Cloud Resource Manager API in the target project (or at folder or organization level) before detonating; otherwise the detonation leaves no trace in Cloud Logging.
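The detection rule above, implemented as an added example over constructed Data Access audit log entries. This is not Stratus Red Team code. The entries follow the Cloud Audit Logs LogEntry layout (serviceName, methodName, authenticationInfo.principalEmail), but the exact methodName string GCP emits for this call is an assumption, so the match below is by case-insensitive suffix; the principal names, timestamps and thresholds are constructed for the example.

```python
# Added example: flag principals making repeated testIamPermissions calls,
# run over constructed Cloud Audit Log entries. Not part of Stratus Red Team.
import json
from collections import defaultdict
from datetime import datetime, timedelta

RESOURCE_MANAGER = "cloudresourcemanager.googleapis.com"


def _entry(principal: str, method: str, ts: str) -> str:
    """Build one constructed Data Access audit log entry as a JSON line.

    Field layout follows Cloud Audit Logs; the exact methodName value for this
    call is an assumption, which is why matching is done by suffix below.
    """
    return json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": ts,
        "protoPayload": {
            "serviceName": RESOURCE_MANAGER,
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": "projects/example-project",
        },
    })


ENUM_SA = "enum-sa@example-project.iam.gserviceaccount.com"

# Constructed sample: six chunked calls in ~75 seconds (the detonation
# pattern), one benign one-off call by a human, and a different Resource
# Manager method from the same service account that must not be counted.
SAMPLE_LOG_LINES = [
    _entry(ENUM_SA, "TestIamPermissions", "2024-05-01T10:00:00Z"),
    _entry(ENUM_SA, "TestIamPermissions", "2024-05-01T10:00:15Z"),
    _entry(ENUM_SA, "TestIamPermissions", "2024-05-01T10:00:30Z"),
    _entry(ENUM_SA, "TestIamPermissions", "2024-05-01T10:00:45Z"),
    _entry(ENUM_SA, "TestIamPermissions", "2024-05-01T10:01:00Z"),
    _entry(ENUM_SA, "TestIamPermissions", "2024-05-01T10:01:15Z"),
    _entry("alice@example.com", "TestIamPermissions", "2024-05-01T10:02:00Z"),
    _entry(ENUM_SA, "GetIamPolicy", "2024-05-01T10:03:00Z"),
]


def _parse_ts(value: str) -> datetime:
    # RFC 3339 with a trailing Z; fromisoformat on older Pythons needs +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_test_iam_permissions(entry: dict) -> bool:
    """True for Resource Manager testIamPermissions events, whatever the
    exact casing or package prefix of methodName."""
    payload = entry.get("protoPayload", {})
    return (payload.get("serviceName") == RESOURCE_MANAGER
            and payload.get("methodName", "").lower().endswith("testiampermissions"))


def find_enumerators(lines, threshold: int = 5,
                     window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {principal: peak call count} for principals whose
    testIamPermissions calls reach `threshold` within any `window`."""
    calls = defaultdict(list)
    for line in lines:
        entry = json.loads(line)
        if not is_test_iam_permissions(entry):
            continue
        principal = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
        calls[principal].append(_parse_ts(entry["timestamp"]))

    flagged = {}
    for principal, times in calls.items():
        times.sort()
        start, peak = 0, 0
        # Sliding window over sorted timestamps: largest burst within `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[principal] = peak
    return flagged


if __name__ == "__main__":
    for principal, count in find_enumerators(SAMPLE_LOG_LINES).items():
        print(f"{principal}: {count} testIamPermissions calls within 10 minutes")
```

The equivalent Logs Explorer filter (assuming the method name ends in TestIamPermissions) is protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND protoPayload.methodName=~"TestIamPermissions"; group the results by protoPayload.authenticationInfo.principalEmail and alert on the count per window. Tune the threshold to the project: a full-catalog enumeration at 100 permissions per call produces dozens of events per minute, far above any console-driven baseline.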