Impersonate GCP Service Accounts
MITRE ATT&CK Tactics
- Privilege Escalation
Attempts to impersonate 10 different GCP service accounts in the project. Service account impersonation in GCP is the retrieval of temporary credentials (OAuth bearer tokens) that allow the impersonator to 'act as' the targeted service account.
- Attempt to impersonate each of the 10 service accounts created for this detection. Only one impersonation request will succeed, simulating a successful privilege escalation.
- Resulting event name:
- Assigned IAM Permission:
Specify which derf attacker service account this attack should run as.
- See User Guide for Execution Instructions via the Google Cloud Console
- Programmatically execute this workflow with the following cli command:
Using GCP Admin Activity audit logs event GenerateAccessToken. This event is not included in default logging and needs to be enabled; specifically, IAM data access activity logs need to be enabled.
The principal caller is recorded in the log whether the event was a success or resulted in an error.
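As an added example (not part of the DeRF page or its code), the following Python groups GenerateAccessToken audit log entries by calling principal and flags a caller that targets many distinct service accounts, the pattern this technique produces (ten attempts, one success). The log lines are constructed inline; the field layout (protoPayload.serviceName, methodName, authenticationInfo.principalEmail, resourceName, status.code) is assumed to follow the GCP AuditLog shape, and a missing status is taken to mean success.

```python
import json
from collections import defaultdict

METHOD = "GenerateAccessToken"
SERVICE = "iamcredentials.googleapis.com"
PERMISSION_DENIED = 7  # google.rpc.Code value carried in protoPayload.status.code (assumed)


def make_entry(principal, sa, denied):
    """Build one constructed audit-log line (assumed AuditLog field layout, not real data)."""
    payload = {
        "serviceName": SERVICE,
        "methodName": METHOD,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": f"projects/-/serviceAccounts/{sa}",
    }
    if denied:  # errors carry a status block; a successful call has none (assumed)
        payload["status"] = {"code": PERMISSION_DENIED, "message": "Permission denied"}
    return json.dumps({"protoPayload": payload})


PROJECT = "example-project.iam.gserviceaccount.com"  # constructed placeholder domain
ATTACKER = f"derf-attacker@{PROJECT}"  # constructed caller
SAMPLE_LOGS = [make_entry(ATTACKER, f"target-sa-{i}@{PROJECT}", denied=(i != 3)) for i in range(10)]
SAMPLE_LOGS.append(make_entry(f"ci-builder@{PROJECT}", f"deploy@{PROJECT}", denied=False))  # benign single call


def impersonation_spray(log_lines, min_targets=5):
    """Return {caller: {"targets": n, "failed": n, "succeeded": [sa, ...]}} for every
    caller whose GenerateAccessToken calls hit at least min_targets distinct service accounts."""
    stats = defaultdict(lambda: {"targets": set(), "failed": 0, "succeeded": []})
    for line in log_lines:
        p = json.loads(line).get("protoPayload", {})
        if p.get("serviceName") != SERVICE or p.get("methodName") != METHOD:
            continue
        caller = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        target = p.get("resourceName", "").rsplit("/", 1)[-1]  # SA email is the last path element
        s = stats[caller]
        s["targets"].add(target)
        if p.get("status", {}).get("code", 0) == 0:
            s["succeeded"].append(target)  # the one token the impersonator actually obtained
        else:
            s["failed"] += 1  # the caller is still recorded on failed attempts
    return {c: {"targets": len(s["targets"]), "failed": s["failed"], "succeeded": s["succeeded"]}
            for c, s in stats.items() if len(s["targets"]) >= min_targets}


if __name__ == "__main__":
    for caller, s in impersonation_spray(SAMPLE_LOGS).items():
        print(f"{caller}: tried {s['targets']} service accounts, {s['failed']} failed, got tokens for {s['succeeded']}")
```

The threshold is deliberately a parameter: a legitimate CI principal impersonating one deploy account stays below it, while a caller spraying ten accounts with nine denials is flagged even though one request succeeded.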