-
Notifications
You must be signed in to change notification settings - Fork 176
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[sync] GCP serviceusage.apiKeys.create Privilege Escalation rule (#55) (
#1076) Co-authored-by: akozlovets098 <[email protected]>
- Loading branch information
1 parent
7ec390a
commit b8fae38
Showing
1 changed file
with
176 additions
and
0 deletions.
There are no files selected for viewing
176 changes: 176 additions & 0 deletions
176
rules/gcp_audit_rules/gcp_serviceusage_apikeys_create_privilege_escalation.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,176 @@ | ||
| AnalysisType: rule | ||
| LogTypes: | ||
| - GCP.AuditLog | ||
| Description: Detects serviceusage.apiKeys.create method for privilege escalation in GCP. By default, API Keys are | ||
| created with no restrictions, which means they have access to the entire GCP project they were created in. We can | ||
| capitalize on that fact by creating a new API key that may have more privileges than our own user. | ||
| DisplayName: "GCP serviceusage.apiKeys.create Privilege Escalation" | ||
| RuleID: "GCP.serviceusage.apiKeys.create.Privilege.Escalation" | ||
| Enabled: true | ||
| Reference: https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/ | ||
| Runbook: Confirm this was authorized and necessary behavior. This is not a vulnerability in GCP, it is a vulnerability | ||
| in how GCP environment is configured, so it is necessary to be aware of these attack vectors and to defend against | ||
| them. It’s also important to remember that privilege escalation does not necessarily need to pass through the | ||
| IAM service to be effective. Make sure to follow the principle of least-privilege in your environments to help | ||
| mitigate these security risks. | ||
| Reports: | ||
| MITRE ATT&CK: | ||
| - TA0004:T1548 # Abuse Elevation Control Mechanism | ||
| Severity: High | ||
| Detection: | ||
| - KeyPath: protoPayload.authorizationInfo | ||
| Condition: AnyElement | ||
| Expressions: | ||
| - Key: granted | ||
| Condition: Equals | ||
| Value: true | ||
| - Key: permission | ||
| Condition: Equals | ||
| Value: serviceusage.apiKeys.create | ||
| - KeyPath: protoPayload.methodName | ||
| Condition: EndsWith | ||
| Value: ApiKeys.CreateKey | ||
| AlertTitle: "[GCP]: [{protoPayload.authenticationInfo.principalEmail}] created new API Key in | ||
| project [{resource.labels.project_id}]" | ||
| AlertContext: | ||
| - KeyName: project | ||
| KeyValue: | ||
| KeyPath: resource.labels.project_id | ||
| - KeyName: principal | ||
| KeyValue: | ||
| KeyPath: protoPayload.authenticationInfo.principalEmail | ||
| - KeyName: caller_ip | ||
| KeyValue: | ||
| KeyPath: protoPayload.requestMetadata.callerIP | ||
| - KeyName: methodName | ||
| KeyValue: | ||
| KeyPath: protoPayload.methodName | ||
| - KeyName: resourceName | ||
| KeyValue: | ||
| KeyPath: protoPayload.resourceName | ||
| - KeyName: serviceName | ||
| KeyValue: | ||
| KeyPath: protoPayload.serviceName | ||
| DedupPeriodMinutes: 60 | ||
| Threshold: 1 | ||
| Tests: | ||
| - | ||
| Name: GCP API Key Created | ||
| ExpectedResult: true | ||
| Log: | ||
| { | ||
| "logName": "projects/some-project/logs/cloudaudit.googleapis.com%2Factivity", | ||
| "operation": { | ||
| "id": "operations/akmf.p7-1028347275902-fe0c0688-44a7-4dca-bc06-8456068e5673", | ||
| "last": true, | ||
| "producer": "apikeys.googleapis.com" | ||
| }, | ||
| "protoPayload": { | ||
| "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog", | ||
| "authenticationInfo": { | ||
| "principalEmail": "[email protected]", | ||
| "principalSubject": "serviceAccount:[email protected]", | ||
| "serviceAccountKeyName": "//iam.googleapis.com/projects/some-project/serviceAccounts/[email protected]/keys/dc5344c246064589v76ec76f66bafc92b093ed41" | ||
| }, | ||
| "authorizationInfo": [ | ||
| { | ||
| "granted": true, | ||
| "permission": "serviceusage.apiKeys.create", | ||
| "resource": "projectnumbers/1028347245602", | ||
| "resourceAttributes": { } | ||
| } | ||
| ], | ||
| "methodName": "google.api.apikeys.v2.ApiKeys.CreateKey", | ||
| "request": { | ||
| "@type": "type.googleapis.com/google.api.apikeys.v2.CreateKeyRequest", | ||
| "parent": "projects/some-project/locations/global" | ||
| }, | ||
| "requestMetadata": { | ||
| "callerIP": "189.163.74.177", | ||
| "callerSuppliedUserAgent": "(gzip),gzip(gfe)", | ||
| "destinationAttributes": { }, | ||
| "requestAttributes": { } | ||
| }, | ||
| "resourceName": "projects/1028347245602", | ||
| "response": { | ||
| "@type": "type.googleapis.com/google.api.apikeys.v2.Key", | ||
| "createTime": "1970-01-01T00:00:00Z", | ||
| "etag": "W/\"DSLGu9UKHwqq2ICm7YPE7g==\"", | ||
| "name": "projects/1028347245602/locations/global/keys/bf67db25-d748-4335-ae08-7f0e65fnfy02", | ||
| "updateTime": "1970-01-01T00:00:00Z" | ||
| }, | ||
| "serviceName": "apikeys.googleapis.com", | ||
| "status": { } | ||
| }, | ||
| "receiveTimestamp": "2024-01-25 13:28:18.961519813", | ||
| "resource": { | ||
| "labels": { | ||
| "method": "google.api.apikeys.v2.ApiKeys.CreateKey", | ||
| "project_id": "some-project", | ||
| "service": "apikeys.googleapis.com" | ||
| }, | ||
| "type": "audited_resource" | ||
| }, | ||
| "severity": "NOTICE", | ||
| "timestamp": "2024-01-25 13:28:18.961519813" | ||
| } | ||
| - | ||
| Name: GCP API Key Not Created | ||
| ExpectedResult: false | ||
| Log: | ||
| { | ||
| "logName": "projects/some-project/logs/cloudaudit.googleapis.com%2Factivity", | ||
| "operation": { | ||
| "id": "operations/akmf.p7-1028347275902-fe0c0688-44a7-4dca-bc06-8456068e5673", | ||
| "last": true, | ||
| "producer": "apikeys.googleapis.com" | ||
| }, | ||
| "protoPayload": { | ||
| "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog", | ||
| "authenticationInfo": { | ||
| "principalEmail": "[email protected]", | ||
| "principalSubject": "serviceAccount:[email protected]", | ||
| "serviceAccountKeyName": "//iam.googleapis.com/projects/some-project/serviceAccounts/[email protected]/keys/dc5344c246064589v76ec76f66bafc92b093ed41" | ||
| }, | ||
| "authorizationInfo": [ | ||
| { | ||
| "granted": false, | ||
| "permission": "serviceusage.apiKeys.create", | ||
| "resource": "projectnumbers/1028347245602", | ||
| "resourceAttributes": { } | ||
| } | ||
| ], | ||
| "methodName": "google.api.apikeys.v2.ApiKeys.CreateKey", | ||
| "request": { | ||
| "@type": "type.googleapis.com/google.api.apikeys.v2.CreateKeyRequest", | ||
| "parent": "projects/some-project/locations/global" | ||
| }, | ||
| "requestMetadata": { | ||
| "callerIP": "189.163.74.177", | ||
| "callerSuppliedUserAgent": "(gzip),gzip(gfe)", | ||
| "destinationAttributes": { }, | ||
| "requestAttributes": { } | ||
| }, | ||
| "resourceName": "projects/1028347245602", | ||
| "response": { | ||
| "@type": "type.googleapis.com/google.api.apikeys.v2.Key", | ||
| "createTime": "1970-01-01T00:00:00Z", | ||
| "etag": "W/\"DSLGu9UKHwqq2ICm7YPE7g==\"", | ||
| "name": "projects/1028347245602/locations/global/keys/bf67db25-d748-4335-ae08-7f0e65fnfy02", | ||
| "updateTime": "1970-01-01T00:00:00Z" | ||
| }, | ||
| "serviceName": "apikeys.googleapis.com", | ||
| "status": { } | ||
| }, | ||
| "receiveTimestamp": "2024-01-25 13:28:18.961519813", | ||
| "resource": { | ||
| "labels": { | ||
| "method": "google.api.apikeys.v2.ApiKeys.CreateKey", | ||
| "project_id": "some-project", | ||
| "service": "apikeys.googleapis.com" | ||
| }, | ||
| "type": "audited_resource" | ||
| }, | ||
| "severity": "NOTICE", | ||
| "timestamp": "2024-01-25 13:28:18.961519813" | ||
| } |