The dark cloud around GCP service accounts | Red Canary
Tags
attack-pattern: | Data | Cloud Account - T1087.004; Cloud Account - T1136.003; Credentials - T1589.001; Impersonation - T1656; Python - T1059.006; Ssh - T1021.004; Tool - T1588.002 |
Common Information
Type | Value |
---|---|
UUID | 4bc271dc-d94b-47d6-bf76-c0f57c2cff9b |
Fingerprint | 3fa8d091136610c5 |
Analysis status | DONE |
Considered CTI value | 0 |
Text language | |
Published | Dec. 5, 2024, midnight |
Added to db | Dec. 5, 2024, 11:24 p.m. |
Last updated | Dec. 24, 2024, 2:50 p.m. |
Headline | UNKNOWN |
Title | The dark cloud around GCP service accounts | Red Canary |
Detected Hints/Tags/Attributes | 49/1/37 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://redcanary.com/blog/threat-detection/gcp-service-accounts/ |
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 360 | ✔ | Red Canary | https://www.redcanary.co/feed/ | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 4 | | iam.gserviceaccount.com |
Details | Domain | 3 | | project-id.iam.gserviceaccount.com |
Details | Domain | 60 | | accounts.google.com |
Details | Domain | 9 | | oauth2.googleapis.com |
Details | Domain | 31 | | www.googleapis.com |
Details | Domain | 19 | | googleapis.com |
Details | Domain | 2 | | project.iam.gserviceaccount.com |
Details | Domain | 1 | | request.name |
Details | Domain | 5 | | type.googleapis.com |
Details | Domain | 7 | | google.cloud |
Details | Domain | 6 | | iam.googleapis.com |
Details | Domain | 4 | | cloudaudit.googleapis.com |
Details | Domain | 72 | | cloud.google.com |
Details | | 1 | | some-name@project-id.iam.gserviceaccount.com |
Details | | 1 | | test-account@project.iam.gserviceaccount.com |
Details | | 1 | | serviceaccounts/test-account@project.iam.gserviceaccount.com |
Details | | 1 | | svc-acct@project.iam.gserviceaccount.com |
Details | | 1 | | iam.googleapis.com/projects/project/serviceaccounts/svc-acct@project.iam.gserviceaccount.com |
Details | | 1 | | projects/-/serviceaccounts/svc-acct@project.iam.gserviceaccount.com |
Details | | 1 | | projects/project/serviceaccounts/svc-acct@project.iam.gserviceaccount.com |
Details | File | 1 | | access_key.json |
Details | File | 9 | | request.json |
Details | File | 84 | | response.json |
Details | File | 2 | | access.json |
Details | File | 10 | | access_tokens.db |
Details | File | 11 | | credentials.db |
Details | File | 1 | | service-accounts.key |
Details | md5 | 1 | | 4ecd39c540d5451199b2c2d11f93ec5c |
Details | sha1 | 3 | | 0123456789012345678901234567890123456789 |
Details | IPv4 | 677 | | 0.0.0.0 |
Details | Url | 1 | | https://iam.googleapis.com/v1/projects/<project>/serviceaccounts/test-account@<project-id>.iam.gserviceaccount.com/keys |
Details | Url | 3 | | https://accounts.google.com/o/oauth2/auth |
Details | Url | 4 | | https://oauth2.googleapis.com/token |
Details | Url | 3 | | https://www.googleapis.com/oauth2/v1/certs |
Details | Url | 1 | | https://www.googleapis.com/robot/v1/metadata/x509 |
Details | Url | 1 | | https://cloud.google.com/docs/authentication/token-types#access |
Details | Url | 1 | | https://cloud.google.com/iam/docs/service-account-creds#short |