
Create an Admin GCP Service Account

Platform: GCP

MITRE ATT&CK Tactics

  • Persistence
  • Privilege Escalation

Description

Establishes persistence by creating a new service account and assigning it owner permissions inside the current GCP project.

Warm-up: None

Detonation:

  • Create a service account
  • Update the current GCP project's IAM policy to bind the service account to the owner role

References:

Instructions

Detonate with Stratus Red Team
stratus detonate gcp.persistence.create-admin-service-account

Detection

Using the following GCP Admin Activity audit log events:

  • google.iam.admin.v1.CreateServiceAccount
  • SetIamPolicy with resource.type=project
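The two events above can be correlated into a single finding: a project-level SetIamPolicy call that adds a service account to roles/owner is suspicious on its own, and more so when that service account was created moments earlier in the same log stream. The script below is an added example (not part of Stratus Red Team or this page) that runs such a rule over constructed Cloud Audit Log entries. The entry layout follows the GCP AuditLog shape (protoPayload.methodName, resource.type, protoPayload.serviceData.policyDelta.bindingDeltas), but the project id, principal e-mails, service account name and timestamps are placeholders invented for the example.

```python
import json
from typing import Any, Iterable, Optional

# Constructed sample audit log entries. Field layout follows the GCP Cloud Audit
# Log LogEntry/AuditLog shape; project id, e-mails and timestamps are placeholders.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": "2024-01-01T10:00:00Z",
        "resource": {"type": "service_account", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.CreateServiceAccount",
            "authenticationInfo": {"principalEmail": "attacker@example.com"},
            "response": {"email": "new-admin-sa@example-project.iam.gserviceaccount.com"},
        },
    }),
    json.dumps({
        "timestamp": "2024-01-01T10:00:05Z",
        "resource": {"type": "project", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "attacker@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner",
                 "member": "serviceAccount:new-admin-sa@example-project.iam.gserviceaccount.com"}
            ]}},
        },
    }),
    # Benign control: a viewer grant to a human user must not be flagged.
    json.dumps({
        "timestamp": "2024-01-01T11:00:00Z",
        "resource": {"type": "project", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/viewer", "member": "user:alice@example.com"}
            ]}},
        },
    }),
]

# Roles whose grant to a service account is treated as a privileged-access event.
PRIVILEGED_ROLES = {"roles/owner"}


def parse_entries(lines: Iterable[str]) -> list[dict[str, Any]]:
    """Parse newline-delimited JSON log entries, skipping lines that fail to parse."""
    entries = []
    for line in lines:
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def created_service_account(entry: dict[str, Any]) -> Optional[str]:
    """Return the e-mail of a service account created by this entry, else None."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "google.iam.admin.v1.CreateServiceAccount":
        return None
    return payload.get("response", {}).get("email")


def privileged_sa_grants(entry: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (role, member) pairs for ADD deltas that bind a service account to a
    privileged role via a project-level SetIamPolicy call."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "SetIamPolicy":
        return []
    if entry.get("resource", {}).get("type") != "project":
        return []
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return [
        (d.get("role"), d.get("member"))
        for d in deltas
        if d.get("action") == "ADD"
        and d.get("role") in PRIVILEGED_ROLES
        and str(d.get("member", "")).startswith("serviceAccount:")
    ]


def detect(lines: Iterable[str]) -> list[dict[str, Any]]:
    """Flag privileged grants to service accounts; mark the finding as newly_created
    when the same service account was created earlier in the processed log."""
    findings = []
    created: dict[str, str] = {}  # service account e-mail -> creating principal
    for entry in parse_entries(lines):
        actor = entry.get("protoPayload", {}).get("authenticationInfo", {}).get("principalEmail")
        sa_email = created_service_account(entry)
        if sa_email:
            created[sa_email] = actor
        for role, member in privileged_sa_grants(entry):
            sa = member.split(":", 1)[1]
            findings.append({
                "timestamp": entry.get("timestamp"),
                "project": entry.get("resource", {}).get("labels", {}).get("project_id"),
                "actor": actor,
                "service_account": sa,
                "role": role,
                "newly_created": sa in created,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG_LINES):
        print(json.dumps(finding))
```

In production the same logic would sit behind a Logs Router sink feeding a SIEM, with the correlation window bounded (for example, creation within the preceding hour) rather than unbounded as in this in-memory pass, and PRIVILEGED_ROLES extended to other high-impact roles such as roles/editor or roles/iam.securityAdmin according to the environment's baseline.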