
Steal and Use the GCE Default Service Account Token from Outside Google Cloud

slow, idempotent

Platform: GCP

Mappings

  • MITRE ATT&CK
    • Credential Access
    • Initial Access

Description

Simulates the theft and use of GCE default service account credentials from outside of Google Cloud.

When a GCE instance is created, it is assigned a default service account ({project-number}-compute@developer.gserviceaccount.com). If an attacker gains access to the instance (for example through an SSRF vulnerability, a compromised SSH key, or a command injection), they can extract the OAuth2 access token from the instance metadata service and use it from outside of Google Cloud.

Warm-up:

  • Create a GCE instance running with the default compute service account
  • The instance runs a startup script that extracts the service account OAuth2 token from the instance metadata service and writes it to the serial port

Detonation:

  • Read the instance's serial port output to extract the stolen OAuth2 token
  • Use the stolen token from outside Google Cloud to set labels on the GCE instance, generating a GCP Admin Activity audit log from a non-Google IP address

References:

Instructions

Detonate with Stratus Red Team
stratus detonate gcp.initial-access.use-compute-sa-outside-gcp

Detection

Identify when a GCE default service account (*-compute@developer.gserviceaccount.com) is used from outside of Google Cloud by analyzing GCP audit logs.

The GCE default service account should typically only be used from within Google Cloud (e.g., from a GCE instance). Usage from external IP addresses with non-GCE user agents indicates potentially stolen credentials.

Detection criteria:

  • Monitor GCP audit logs where the caller identity matches *-compute@developer.gserviceaccount.com
  • Filter for calls where the caller IP does not belong to Google's IP ranges
  • Exclude calls with user agents containing GCE or gcloud (which indicate legitimate in-cloud usage)
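The three detection criteria above applied to GCP Admin Activity audit log entries, as an added example that is not part of Stratus Red Team. The protoPayload field names (authenticationInfo.principalEmail, requestMetadata.callerIp, requestMetadata.callerSuppliedUserAgent) are GCP's; the Google IP ranges, project number, caller IPs and insertIds are constructed placeholders.

```python
import ipaddress

# Added example (not Stratus Red Team code). Field names under protoPayload
# are GCP's; IP ranges, project number, IPs and insertIds are constructed.
# Replace the placeholder ranges with Google's published ones (goog.json / cloud.json).
GOOGLE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8::/32")]
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"
IN_CLOUD_AGENT_MARKERS = ("GCE", "gcloud")  # the page's exclusion rule

def is_google_ip(ip: str) -> bool:
    """True when the caller IP falls inside a known Google range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed callerIp: treat as external
        return False
    return any(addr in net for net in GOOGLE_RANGES)

def is_suspicious(entry: dict) -> bool:
    """Default compute SA, non-Google caller IP, and no GCE/gcloud user agent."""
    payload = entry.get("protoPayload", {})
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    meta = payload.get("requestMetadata", {})
    agent = meta.get("callerSuppliedUserAgent", "")
    if not principal.endswith(DEFAULT_SA_SUFFIX):
        return False
    if is_google_ip(meta.get("callerIp", "")):
        return False
    return not any(marker in agent for marker in IN_CLOUD_AGENT_MARKERS)

def find_suspicious(entries: list) -> list:
    """insertIds of the entries matching all three criteria."""
    return [e["insertId"] for e in entries if is_suspicious(e)]

def _entry(insert_id: str, principal: str, ip: str, agent: str) -> dict:
    """Build a minimal Admin Activity entry for the setLabels call the detonation makes."""
    return {"insertId": insert_id, "protoPayload": {
        "methodName": "v1.compute.instances.setLabels",
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": agent}}}

# Constructed sample entries: only the first satisfies all three criteria.
SA = "123456789012" + DEFAULT_SA_SUFFIX
SAMPLE_LOGS = [
    _entry("ext-1", SA, "203.0.113.5", "python-requests/2.31.0"),  # external IP, generic agent
    _entry("gce-1", SA, "198.51.100.7", "GCE Metadata Scripts 1.0"),  # inside a Google range
    _entry("cli-1", SA, "203.0.113.9", "google-cloud-sdk gcloud/450.0.0"),  # excluded by user agent
    _entry("user-1", "alice@example.com", "203.0.113.5", "python-requests/2.31.0"),  # not the default SA
]
```

Calling find_suspicious(SAMPLE_LOGS) flags only ext-1; in practice feed it entries exported from Cloud Logging and widen the range list before trusting the IP check.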