Explanation:
GCP Security Command Center (SCC) raises this finding when a service account credential is used to look up the IAM roles and permissions of that same service account.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
For this example:
xxx@xxx.iam.gserviceaccount.com invoked the command "gcloud.projects.get-iam-policy".
Resolution:
This threat cannot be easily mitigated. Further investigation is required to ensure the action is expected.
This can be either an expected or an unexpected action; investigate it with the technical team to understand why the command was executed.
See the table below for recommended action after investigation.
| Expected? | Action |
|---|---|
| Yes, it is expected | Update the JIRA ticket to "False positive - Expected action from the service account". |
| No, it is not expected | Further investigation is needed to remove the invoked command for this service account. If it was not invoked from a known procedure, the service account is most likely compromised. |
Pattern:
```json
{
  "serviceAccountGetsOwnIamPolicy": {
    "principalEmail": "xxx@xxx.iam.gserviceaccount.com",
    "projectId": "xxx",
    "callerIp": "xx.xx.xx.xx",
    "callerUserAgent": "google-cloud-sdk gcloud/346.0.0 command/gcloud.projects.get-iam-policy environment/None environment-version/None interactive/True from-script/False python/3.8.2 term/cygwin (Windows NT 10.0.19041),gzip(gfe)",
    "rawUserAgent": "google-cloud-sdk gcloud/346.0.0 command/gcloud.projects.get-iam-policy invocation-id/xx environment/None environment-version/None interactive/True from-script/False python/3.8.2 term/cygwin (Windows NT 10.0.19041),gzip(gfe)"
  }
}
```
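The following triage helper is an added example and is not part of the original runbook or of any Google tooling. It parses a finding shaped like the pattern above, pulls the `command/...` token and the `interactive`/`from-script` flags out of the gcloud user agent string, and applies the decision table from the Resolution section: an invocation that matches a documented procedure is recorded as a false positive, anything else is routed for investigation. The sample finding, the `KNOWN_PROCEDURES` allow-list and the verdict strings are constructed for this example and would be replaced with your own environment's values.

```python
"""Triage helper for the GCP SCC "serviceAccountGetsOwnIamPolicy" finding.

Added example, not the runbook's own tooling. Applies the runbook's
decision table: a known procedure is a false positive, anything else
needs investigation with the technical team.
"""
import re
from dataclasses import dataclass

# Constructed sample finding, shaped like the pattern above; all values are placeholders.
SAMPLE_FINDING = {
    "serviceAccountGetsOwnIamPolicy": {
        "principalEmail": "deployer@example-project.iam.gserviceaccount.com",
        "projectId": "example-project",
        "callerIp": "203.0.113.10",
        "callerUserAgent": (
            "google-cloud-sdk gcloud/346.0.0 command/gcloud.projects.get-iam-policy "
            "environment/None environment-version/None interactive/True "
            "from-script/False python/3.8.2 term/cygwin (Windows NT 10.0.19041),gzip(gfe)"
        ),
    }
}

# Assumed per-environment allow-list: (service account, gcloud command) pairs that a
# documented procedure is known to run, e.g. a pipeline that reads the project
# policy before applying a change. Anything not listed here is "not expected".
KNOWN_PROCEDURES = {
    ("ci-deployer@example-project.iam.gserviceaccount.com", "gcloud.projects.get-iam-policy"),
}

# gcloud user agents are space-separated "key/value" tokens; the trailing
# "term/cygwin (Windows NT ...)" and ",gzip(gfe)" parts carry nothing we need.
_UA_TOKEN = re.compile(r"([\w-]+)/([^\s,]+)")


def parse_gcloud_user_agent(user_agent: str) -> dict:
    """Return the key/value tokens of a gcloud user agent string as a dict."""
    return dict(_UA_TOKEN.findall(user_agent))


@dataclass
class Triage:
    principal: str
    project: str
    command: str
    is_service_account: bool
    interactive: bool
    from_script: bool
    verdict: str  # "false_positive" or "investigate"
    note: str


def triage_finding(finding: dict, known_procedures=KNOWN_PROCEDURES) -> Triage:
    """Apply the runbook's decision table to one finding."""
    body = finding["serviceAccountGetsOwnIamPolicy"]
    ua = parse_gcloud_user_agent(body.get("callerUserAgent", ""))
    principal = body["principalEmail"]
    command = ua.get("command", "unknown")
    is_sa = principal.endswith(".gserviceaccount.com")
    interactive = ua.get("interactive") == "True"
    from_script = ua.get("from-script") == "True"

    if (principal, command) in known_procedures:
        verdict = "false_positive"
        note = "False positive - Expected action from the service account"
    else:
        verdict = "investigate"
        note = (f"{command} by {principal} does not match a known procedure; "
                "confirm with the technical team")
        # Automation normally runs non-interactively, so a service-account
        # credential driven from an interactive terminal is worth surfacing to
        # the investigator (a heuristic hint, not a verdict on its own).
        if is_sa and interactive and not from_script:
            note += "; invoked from an interactive session, not a script"

    return Triage(principal, body.get("projectId", ""), command,
                  is_sa, interactive, from_script, verdict, note)


if __name__ == "__main__":
    result = triage_finding(SAMPLE_FINDING)
    print(f"{result.verdict}: {result.note}")
```

Feed it the finding JSON from the SCC notification (or from the Cloud Audit Log entry that produced it); the `note` field is what goes into the JIRA ticket, and the `interactive`/`from_script` flags give the investigator the first question to ask the technical team.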