Engage Goals: EGO0001 Expose
Engage Approach: EAP0002 Detect
Engage Actions: EAC0012 Personas, EAC0018 Security Controls
Name of Element: Fake Google Cloud Service Accounts with High Permissions
Description of Element:
Create decoy service accounts with names suggesting elevated privileges (e.g., “deployment-admin,” “database-owner”) but with restricted access. Monitor any attempts to utilize these accounts, which could indicate an attacker attempting privilege escalation or lateral movement.
Technical Context:
Placement: Within the organization’s Google Cloud project, alongside legitimate service accounts.
Requires understanding of Google Cloud IAM roles and permissions management.
Create service accounts using the gcloud iam service-accounts create command. Assign misleadingly powerful roles (e.g., “roles/owner”, “roles/storage.admin”) but restrict actual permissions using IAM conditions or custom roles with limited privileges. Utilize Cloud Audit Logs to monitor access attempts and API calls made by these accounts.
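Added example (not part of the original element): one way to implement the monitoring step, flagging Cloud Audit Log entries in which a decoy account is the caller, sits in the impersonation chain, or is the target of the call. It assumes the logs are exported as JSON lines; the project name, decoy e-mail addresses and sample entries are constructed placeholders.

```python
import json

# Assumption: decoy names from the description, in a placeholder project.
SUFFIX = "@example-project.iam.gserviceaccount.com"
DECOYS = {"deployment-admin" + SUFFIX, "database-owner" + SUFFIX}

def decoy_hits(entry):
    """Return sorted (reason, decoy) pairs for one parsed Cloud Audit Log entry."""
    payload = entry.get("protoPayload", {})
    auth = payload.get("authenticationInfo", {})
    hits = set()
    # 1. The decoy itself made the call: someone holds its key or a token for it.
    if auth.get("principalEmail") in DECOYS:
        hits.add(("used_as_principal", auth["principalEmail"]))
    # 2. The decoy appears in the impersonation chain behind the call.
    for hop in auth.get("serviceAccountDelegationInfo", []):
        email = hop.get("firstPartyPrincipal", {}).get("principalEmail")
        if email in DECOYS:
            hits.add(("in_delegation_chain", email))
    # 3. The decoy is the target of the call (e.g. key creation on it).
    resource = payload.get("resourceName", "") + "/"
    for decoy in DECOYS:
        if "/serviceAccounts/" + decoy + "/" in resource:
            hits.add(("targeted", decoy))
    return sorted(hits)

def scan(lines):
    """Turn JSON-lines audit log entries into alert records."""
    alerts = []
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        for reason, decoy in decoy_hits(entry):
            alerts.append({
                "time": entry.get("timestamp"), "reason": reason, "decoy": decoy,
                "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                "method": payload.get("methodName"),
                "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
                # Denied calls still count: the restricted decoy is expected to fail.
                "denied": payload.get("status", {}).get("code", 0) != 0,
            })
    return alerts

# Constructed sample entries (not real logs): decoy used, decoy targeted, benign.
SAMPLE = [json.dumps(e) for e in (
    {"timestamp": "2024-01-01T10:00:00Z", "protoPayload": {"authenticationInfo": {"principalEmail": "deployment-admin" + SUFFIX}, "methodName": "storage.buckets.list", "requestMetadata": {"callerIp": "203.0.113.7"}, "status": {"code": 7}}},
    {"timestamp": "2024-01-01T10:05:00Z", "protoPayload": {"authenticationInfo": {"principalEmail": "dev-user@example.com"}, "methodName": "google.iam.admin.v1.CreateServiceAccountKey", "resourceName": "projects/example-project/serviceAccounts/database-owner" + SUFFIX, "requestMetadata": {"callerIp": "198.51.100.9"}}},
    {"timestamp": "2024-01-01T10:06:00Z", "protoPayload": {"authenticationInfo": {"principalEmail": "ci-runner" + SUFFIX}, "methodName": "storage.objects.get", "resourceName": "projects/_/buckets/app/objects/build.tar"}},
)]
if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE), indent=2))
```

Because no legitimate workload uses a decoy, every alert is worth triage, including calls that were denied.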
Other:
ATT&CK/Engage Mapping: T1078 Valid Accounts, E1503 Decoy Account