
Create an Admin GCP Service Account

Platform: GCP

MITRE ATT&CK Tactics

  • Persistence
  • Privilege Escalation

Description

Establishes persistence by creating a new service account and assigning it owner permissions inside the current GCP project.

Warm-up: None

Detonation:

  • Create a service account
  • Update the current GCP project's IAM policy to bind the service account to the owner role

References:

  • https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/

Instructions

Detonate with Stratus Red Team
stratus detonate gcp.persistence.create-admin-service-account

Detection

Using the following GCP Admin Activity audit log events:

  • google.iam.admin.v1.CreateServiceAccount
  • SetIamPolicy with resource.type=project
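As an added detection example (not part of the Stratus Red Team page or project code), the script below parses Admin Activity audit log entries exported as JSON and flags the two events listed above: a google.iam.admin.v1.CreateServiceAccount call, and a SetIamPolicy call on resource.type=project whose bindingDeltas add roles/owner. It also correlates the two, so an owner grant to a service account that was created earlier in the same log stream is reported with higher severity. The sample log lines are constructed for this example (project id, principal and service account names are invented); the field layout follows the protoPayload structure GCP uses for these two methods, but any real pipeline should be checked against its own exported entries.

```python
import json

CREATE_SA_METHOD = "google.iam.admin.v1.CreateServiceAccount"
OWNER_ROLE = "roles/owner"

# Constructed sample Admin Activity audit log entries (invented values, not real logs).
SAMPLE_LOG_LINES = [
    # 1. A new service account is created in the project.
    json.dumps({
        "timestamp": "2024-01-01T10:00:00Z",
        "resource": {"type": "service_account", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": CREATE_SA_METHOD,
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "response": {"email": "backdoor-sa@example-project.iam.gserviceaccount.com"},
        },
    }),
    # 2. The project IAM policy is updated to bind that service account to roles/owner.
    json.dumps({
        "timestamp": "2024-01-01T10:00:05Z",
        "resource": {"type": "project", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": OWNER_ROLE,
                 "member": "serviceAccount:backdoor-sa@example-project.iam.gserviceaccount.com"},
            ]}},
        },
    }),
    # 3. Benign noise: a project-level policy change that only adds roles/viewer to a user.
    json.dumps({
        "timestamp": "2024-01-01T10:01:00Z",
        "resource": {"type": "project", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/viewer", "member": "user:carol@example.com"},
            ]}},
        },
    }),
]


def is_service_account_creation(entry):
    """True for the CreateServiceAccount event named in the Detection section."""
    return entry.get("protoPayload", {}).get("methodName") == CREATE_SA_METHOD


def owner_members_added(entry):
    """Members granted roles/owner by a SetIamPolicy call on a project; [] otherwise."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "SetIamPolicy":
        return []
    if entry.get("resource", {}).get("type") != "project":
        return []
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return [d.get("member", "") for d in deltas
            if d.get("action") == "ADD" and d.get("role") == OWNER_ROLE]


def detect(lines):
    """Scan JSON log lines in order; return a list of alert dicts."""
    alerts = []
    created_accounts = set()  # service account emails seen in CreateServiceAccount events
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        project = entry.get("resource", {}).get("labels", {}).get("project_id", "unknown")

        if is_service_account_creation(entry):
            email = payload.get("response", {}).get("email", "unknown")
            created_accounts.add(email)
            alerts.append({"kind": "service_account_created", "severity": "low",
                           "actor": actor, "project": project, "member": email})

        for member in owner_members_added(entry):
            # IAM members look like "serviceAccount:<email>" or "user:<email>".
            member_type, _, identity = member.partition(":")
            if member_type == "serviceAccount" and identity in created_accounts:
                kind, severity = "owner_granted_to_new_service_account", "high"
            else:
                kind, severity = "owner_granted_on_project", "medium"
            alerts.append({"kind": kind, "severity": severity,
                           "actor": actor, "project": project, "member": identity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES):
        print(alert)
```

Run against a real export, the entries would come from a Cloud Logging sink (one JSON object per line) rather than the constructed list; the correlation only works within the window of lines you feed in, so a service account created in an earlier batch and granted owner later will surface as the medium-severity project-level owner grant rather than the high-severity correlated alert.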