Create an Admin GCP Service Account
Platform: GCP
MITRE ATT&CK Tactics
- Persistence
- Privilege Escalation
Description
Establishes persistence by creating a new service account and assigning it owner permissions inside the current GCP project.
Warm-up: None
Detonation:
- Create a service account
- Update the current GCP project's IAM policy to bind the service account to the owner role
References:
- https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
Instructions
Detection
Use the following GCP Admin Activity audit log events:
- google.iam.admin.v1.CreateServiceAccount
- SetIamPolicy with resource.type=project
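
One way to correlate the two events above, shown as an added example (not part of the original page or of the tool it documents). It flags a project-level SetIamPolicy that adds roles/owner to a service account created shortly before. The log entries are constructed samples; the field paths (protoPayload.response.email, protoPayload.serviceData.policyDelta.bindingDeltas), the one-hour window, and the names entry, delta and find_new_sa_owner_grants are assumptions of this example.

```python
from datetime import datetime, timedelta

SA = "backdoor-sa@example-project.iam.gserviceaccount.com"  # constructed name

def entry(ts, method, rtype, **payload):
    """Build a trimmed, constructed Admin Activity LogEntry for the demo."""
    return {"timestamp": ts, "resource": {"type": rtype},
            "protoPayload": {"methodName": method, **payload}}

def delta(role, member, action="ADD"):
    """Build the policy-delta part of a SetIamPolicy entry (assumed layout)."""
    return {"serviceData": {"policyDelta": {"bindingDeltas": [
        {"action": action, "role": role, "member": member}]}}}

# Constructed sample log entries, not taken from a real project.
SAMPLE_LOGS = [
    entry("2024-01-01T10:00:00Z", "google.iam.admin.v1.CreateServiceAccount",
          "service_account", response={"email": SA}),
    entry("2024-01-01T10:00:05Z", "SetIamPolicy", "project",
          **delta("roles/owner", "serviceAccount:" + SA)),
    entry("2024-01-01T10:05:00Z", "SetIamPolicy", "project",
          **delta("roles/viewer", "user:alice@example.com")),
    entry("2024-01-01T10:06:00Z", "SetIamPolicy", "gcs_bucket",  # not project-level
          **delta("roles/owner", "serviceAccount:" + SA)),
]

def parse_ts(e):
    return datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def find_new_sa_owner_grants(entries, window=timedelta(hours=1)):
    """Return (service account, grant time) for each project-level roles/owner
    binding added to a service account created within `window` before it."""
    created, alerts = {}, []
    for e in sorted(entries, key=parse_ts):
        p = e.get("protoPayload", {})
        method = p.get("methodName")
        if method == "google.iam.admin.v1.CreateServiceAccount":
            email = p.get("response", {}).get("email")
            if email:
                created[email] = parse_ts(e)
        elif method == "SetIamPolicy" and e.get("resource", {}).get("type") == "project":
            deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
            for d in deltas:
                kind, _, email = d.get("member", "").partition(":")
                if (d.get("action") == "ADD" and d.get("role") == "roles/owner"
                        and kind == "serviceAccount" and email in created
                        and parse_ts(e) - created[email] <= window):
                    alerts.append((email, e["timestamp"]))
    return alerts
```

Matching on the binding delta rather than on SetIamPolicy alone keeps routine policy changes, such as the viewer grant in the sample, out of the alert stream.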