Cloud function modified from GCP storage bucket


Attack technique

Technique name: Cloud Function Modified From GCP Storage Bucket

MITRE ATT&CK:
Tactic: Privilege Escalation, Persistence
Technique: Event Triggered Execution (T1556)

Technique description:
Google Cloud Functions is a serverless compute service provided by GCP. Serverless computing, also known as Function-as-a-Service (FaaS), enables developers to run code in response to various events, such as HTTP requests, changes in cloud storage, or messages from Pub/Sub, without the need to manage underlying servers or infrastructure. It is the GCP equivalent of AWS Lambda.

By design, the source code of Cloud Functions is stored on Cloud Storage instances, which can be either in a default storage bucket or alternatively on a pre-defined storage instance. An actor with the appropriate permission for that storage instance can read and modify the source code from the storage instance itself and gain access to the service account attached to the function to escalate its privileges or gain long-term persistence.

Threat hunting theses breakdown

Cloud function modified from GCP storage bucket

Relevant data sources:

  • GCP Audit Logs

Thesis explanation:
The thesis aims to detect modification of the Cloud Function source code directly from the GCP Storage instance.
Since modification of objects isn't logged in GCP audit logs, the thesis relies on a correlation: an automatic build operation that happens after the source code has been updated, with no corresponding UpdateFunction or CreateFunction API call before it. Whenever the source code of a function is updated, whether from the Console, through the API, or directly by uploading an object to the source bucket, a build operation is invoked. Hence, if no UpdateFunction or CreateFunction call occurred within the same few minutes before the build, the modification happened directly in the GCP Storage bucket.
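The correlation described above, written out as an added example (not part of the original thesis or the Hunters queries): build events are flagged when no UpdateFunction or CreateFunction for the same function precedes them within a short window. The event records are constructed and simplified; in particular the `function` field, which joins a build to the function it deploys, is an assumption that a real query would have to derive from the build's source or tags.

```python
from datetime import datetime, timedelta

# Constructed sample audit-log events (simplified, not real GCP log records).
# "method" is the last component of the audit log's method name; "function"
# is the assumed join key between a build and the function it deploys.
EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "method": "UpdateFunction",
     "function": "fn-orders", "principal": "dev@example.com"},
    {"ts": "2024-05-01T10:00:45Z", "method": "CreateBuild",
     "function": "fn-orders", "principal": "service-agent@example.iam"},
    {"ts": "2024-05-01T11:30:05Z", "method": "CreateBuild",
     "function": "fn-billing", "principal": "service-agent@example.iam"},
    # A deploy call *after* the build does not explain the build.
    {"ts": "2024-05-01T11:31:00Z", "method": "UpdateFunction",
     "function": "fn-billing", "principal": "dev@example.com"},
]

DEPLOY_METHODS = {"UpdateFunction", "CreateFunction"}
BUILD_METHOD = "CreateBuild"


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def builds_without_deploy_call(events, window=timedelta(minutes=5)):
    """Return build events with no UpdateFunction/CreateFunction for the
    same function inside the `window` that precedes the build."""
    deploys = [(e["function"], parse_ts(e["ts"]))
               for e in events if e["method"] in DEPLOY_METHODS]
    flagged = []
    for event in events:
        if event["method"] != BUILD_METHOD:
            continue
        build_time = parse_ts(event["ts"])
        covered = any(name == event["function"]
                      and build_time - window <= deploy_time <= build_time
                      for name, deploy_time in deploys)
        if not covered:
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    for hit in builds_without_deploy_call(EVENTS):
        print(f"{hit['ts']} build of {hit['function']} without a preceding "
              f"deploy API call: possible direct modification in the bucket")
```

The window length is a tuning knob: too short and slow builds produce false positives, too long and a legitimate deploy can mask a later direct upload.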

Recommended investigation flow:

  • Investigate the role and permissions of the user who performed the API calls.
  • Investigate any suspicious or anomalous activity of the service account that is attached to the Cloud Function after the update.
  • Investigate the IP that performed the API call to update the Cloud Function.
  • Investigate the User Agent that performed the API call to update the Cloud Function.

Hunting queries

GitHub

Hunters content

Detection: Suspicious Cloud Function Modification From GCP Storage Bucket