From e1b3b35d0b15f6d8215e706d0b5879b6b42f81d0 Mon Sep 17 00:00:00 2001
From: Evan Gibler
Date: Tue, 30 Jan 2024 13:47:35 -0600
Subject: [PATCH] [sync] Add privilege escalation detection in GCP (#47) (#1072)

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
---
 ...ilege_escalation_by_deployments_create.yml | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 rules/gcp_audit_rules/gcp_privilege_escalation_by_deployments_create.yml

diff --git a/rules/gcp_audit_rules/gcp_privilege_escalation_by_deployments_create.yml b/rules/gcp_audit_rules/gcp_privilege_escalation_by_deployments_create.yml
new file mode 100644
index 000000000..c68b58e91
--- /dev/null
+++ b/rules/gcp_audit_rules/gcp_privilege_escalation_by_deployments_create.yml
@@ -0,0 +1,57 @@
+AnalysisType: rule
+RuleID: "GCP Privilege Escalation By Deployments Create"
+DisplayName: "GCP.Privilege.Escalation.By.Deployments.Create"
+Description: "Detects privilege escalation in GCP by taking over the deploymentsmanager.deployments.create permission"
+Enabled: true
+LogTypes:
+  - GCP.AuditLog
+Severity: High
+DedupPeriodMinutes: 60
+Threshold: 1
+Reference: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
+Reports:
+  MITRE ATT&CK:
+    - TA0004:T1548
+Detection:
+  - All:
+      - KeyPath: protoPayload.authorizationInfo[*].granted
+        Condition: Contains
+        Value: true
+      - KeyPath: protoPayload.authorizationInfo[*].permission
+        Condition: Contains
+        Value: deploymentmanager.deployments.create
+Tests:
+  - Name: privilege-escalation
+    ExpectedResult: true
+    Log:
+      protoPayload:
+        authorizationInfo:
+          - granted: true
+            permission: deploymentmanager.deployments.create
+        methodName: v2.deploymentmanager.deployments.insert
+        serviceName: deploymentmanager.googleapis.com
+      receiveTimestamp: "2024-01-19 13:47:19.465856238"
+      resource:
+        labels:
+          name: test-vm-deployment
+          project_id: panther-threat-research
+          type: deployment
+      severity: NOTICE
+      timestamp: "2024-01-19 13:47:18.279921000"
+  - Name: fail
+    ExpectedResult: false
+    Log:
+      protoPayload:
+        authorizationInfo:
+          - granted: афдиу
+            permission: deploymentmanager.deployments.create
+        methodName: v2.deploymentmanager.deployments.insert
+        serviceName: deploymentmanager.googleapis.com
+      receiveTimestamp: "2024-01-19 13:47:19.465856238"
+      resource:
+        labels:
+          name: test-vm-deployment
+          project_id: panther-threat-research
+          type: deployment
+      severity: NOTICE
+      timestamp: "2024-01-19 13:47:18.279921000"
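Review bot: The negative test `Name: fail` sets `granted: афдиу`, a garbled non-boolean string, so it never exercises the case the rule is actually meant to reject; it should be `granted: false`, ideally with a second negative case where `granted: true` sits on an unrelated permission such as `permission: compute.instances.list`. The two `Contains` matchers under `Detection` are evaluated independently across `protoPayload.authorizationInfo[*]`, so a request carrying a denied `deploymentmanager.deployments.create` entry next to a granted unrelated entry would appear to satisfy both; if Panther's `All` cannot correlate array elements, that limitation is worth a comment in the rule or a move to a Python detection that checks `granted` and `permission` on the same entry. Separately, `Description` names `deploymentsmanager.deployments.create` while the matched permission is `deploymentmanager.deployments.create`; the extra `s` should be dropped so the description matches what the rule looks for. Note also that any successful, legitimate Deployment Manager deployment will satisfy this logic at `Severity: High`, so expect tuning against known deployers.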