Detecting suspicious service account behavior with SCC Premium

In this community post, we’ll take a closer look at detecting suspicious service account behavior in Google Cloud using SCC Premium.  

Service accounts are commonly leveraged by attackers to establish a foothold in cloud environments as part of an attack scenario. Compromised service accounts can exhibit suspicious activity in a number of ways. Our research has identified that attackers who gain access to a compromised service account will enumerate the IAM roles and permissions associated with that account to understand their ability to move laterally within an environment. Doing so establishes potential next steps for leveraging the account in future malicious activity.

In this scenario, we’ll use a VM instance in GCP to manually trigger a finding in SCC Premium related to service account self-investigation. We’ll cover the configuration required to trigger this finding, then execute a gcloud command from the system using the default service account associated with the VM. We’ll then take a closer look at the finding generated in SCC Premium and discuss potential next steps from an investigative perspective.

This scenario involves a single Compute VM Instance and an associated configuration change related to Audit Logs.  In order for GCP to log the activity related to the gcloud command we will run, we first need to enable Admin Read access for the Cloud Resource Manager API under IAM & Admin.  In the Google Cloud Console, navigate to IAM & Admin, then select Audit Logs.  Search for Cloud Resource Manager API, and edit this configuration entry to enable Admin Read access as shown below.  Select Save.


[Screenshot: Audit Logs configuration for the Cloud Resource Manager API with Admin Read enabled]

With this configuration change, we can proceed to generate the Service Account Self-Investigation finding in SCC Premium.  Navigate to Compute Engine, then select VM Instances.  From the list of VM Instances, establish command-line access to a VM and run the following gcloud command:

gcloud projects get-iam-policy $(gcloud config get project)

Running this command returns the list of IAM policy bindings for the specified project. This information is useful because it lists the roles assigned to the service account. For example, in the truncated output below we see that the service account being used has admin rights to BigQuery.

[root@vm /]# gcloud projects get-iam-policy $(gcloud config get project)

auditConfigs:
- auditLogConfigs:
  - logType: ADMIN_READ
  service: cloudresourcemanager.googleapis.com
bindings:
- members:
  - serviceAccount:[email protected]
  role: projects/myproject/roles/automation-engineers
- members:
  - serviceAccount:[email protected]
  role: roles/bigquery.admin
- members:
  - serviceAccount:[email protected]
  role: roles/chronicle.serviceAgent

Now that the service account roles have been enumerated, we can switch to SCC Premium and look for the associated finding.  In Google Cloud Console, navigate to Security Command Center, then select Findings.  Review the list of findings for the finding titled Discovery: Service Account Self-Investigation, then select this finding to expand it.  Confirm that the Principal subject for this finding matches the service account associated with the Compute VM Instance.
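As an added example (not code from the original post or from Google), the following Python models the logic behind this finding over constructed Cloud Audit Log entries: a Data Access record from the Cloud Resource Manager API (the Admin Read log enabled earlier) in which a service-account principal calls GetIamPolicy on the project that owns it. Field names follow the Cloud Audit Log schema; the log entries, project ID and project-number map are constructed samples, and the "self" check is a simplification of the idea, not Google's detection rule.

```python
import json

# Constructed sample Cloud Audit Log entries (Data Access logs for the Cloud
# Resource Manager API, as enabled via Admin Read above). Not real log data.
def _entry(service, method, resource, principal):
    return json.dumps({"protoPayload": {"serviceName": service, "methodName": method,
        "resourceName": resource, "authenticationInfo": {"principalEmail": principal}}})

CRM = "cloudresourcemanager.googleapis.com"
SAMPLE_LOG_LINES = [
    _entry(CRM, "GetIamPolicy", "projects/myproject", "123456789012-compute@developer.gserviceaccount.com"),
    _entry(CRM, "GetIamPolicy", "projects/myproject", "alice@example.com"),
    _entry("compute.googleapis.com", "v1.compute.instances.list", "projects/myproject/zones/us-central1-a", "123456789012-compute@developer.gserviceaccount.com"),
    _entry(CRM, "google.cloud.resourcemanager.v3.Projects.GetIamPolicy", "projects/myproject", "deployer@otherproject.iam.gserviceaccount.com"),
]
# Constructed project-number -> project-ID map (hypothetical values).
PROJECT_NUMBERS = {"123456789012": "myproject"}


def home_project(principal, project_numbers):
    """Project that owns a service account, or None for a non-SA principal."""
    local, _, domain = principal.partition("@")
    # The Compute default SA carries the project number; user-managed SAs carry the project ID.
    if domain == "developer.gserviceaccount.com" and local.endswith("-compute"):
        return project_numbers.get(local[: -len("-compute")])
    if domain.endswith(".iam.gserviceaccount.com"):
        return domain[: -len(".iam.gserviceaccount.com")]
    return None


def detect_self_investigation(log_lines, project_numbers):
    """Flag service accounts reading a project's IAM policy; 'self' marks reads of the owning project."""
    hits = []
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("serviceName") != CRM:
            continue
        # The method name differs by API version, so match on the suffix.
        if not payload.get("methodName", "").endswith("GetIamPolicy"):
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        if not principal.endswith("gserviceaccount.com"):
            continue  # human principals are outside the scope of this finding
        target = payload.get("resourceName", "")
        if target.startswith("projects/"):
            target = target[len("projects/"):]
        hits.append({"principal": principal, "target_project": target,
                     "self": home_project(principal, project_numbers) == target})
    return hits
```

Run against the samples, only the two service-account reads of the project IAM policy are reported, and only the Compute default service account is marked as investigating its own project.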

[Screenshot: Discovery: Service Account Self-Investigation finding in Security Command Center]

In a real scenario, this finding should be investigated to determine whether the service account in question is compromised and whether the observed behavior is malicious. One way to investigate this service account further is by pivoting to all other SCC Premium findings that this service account is responsible for. Locate the Principal subject field in the finding, then use the triangle drop-down to select “Show all findings with this principal subject”.

[Screenshot: Principal subject drop-down with “Show all findings with this principal subject”]

Since we generated this SCC Premium finding as part of this demonstration, we can mute it to remove it from the list of active findings in SCC Premium. In the Findings view, select the checkbox associated with this finding, then use the Mute Options drop-down and select Mute.

[Screenshot: Mute Options drop-down in the Findings view]

If Admin Read access for the Cloud Resource Manager API was enabled as part of instrumenting this scenario, you may wish to disable it at the conclusion of this activity.   In the Google Cloud Console, navigate to IAM & Admin, then select Audit Logs.  Search for Cloud Resource Manager API, and edit this configuration entry to disable Admin Read access.  Select Save.

Google Cloud provides additional tools for identifying misconfigured service accounts.  For example, IAM Recommender identifies accounts with excessive permissions and offers suggestions for removing or replacing assigned roles.  

[Screenshot: IAM Recommender suggestion for a service account with excessive permissions]

The Attack Path Simulation engine in SCC Premium helps identify the ways in which a high-value service account might be compromised. It generates attack paths and attack exposure scores that represent hypothetical behavior by threat actors against high-value resources in your Google Cloud environment.
