Attack technique
Technique name: Deployment Manager Privilege Escalation Using serviceAccounts.keys.create
MITRE ATT&CK
- Tactic: Privilege Escalation
- Technique: Event Triggered Execution (T1546)
Technique description
The GCP Deployment Manager is a service that automates the setup and management of Google Cloud resources. It uses templates written in YAML, Python, or Jinja2 to declare which cloud resources to create, such as virtual machines, networks, or storage. The service works in the background, using a dedicated GCP Service Account with high-privileged access to perform the actions. Deployment Manager can also be abused to elevate privileges and compromise service accounts in the project by using a template that invokes serviceAccounts.keys.create. This creates a new key for any chosen Service Account in the project, without requiring the iam.serviceAccounts.actAs permission on the targeted Service Account.
Threat hunting theses breakdown
Deployment manager privilege escalation using serviceAccounts.keys.create
Relevant data sources: GCP Audit Logs
Thesis explanation
The thesis aims to detect new service account keys created by the Deployment Manager service, and specifically by the service account <project number>@cloudservices.gserviceaccount.com, which carries out the actions behind the scenes.
The query looks for CreateServiceAccountKey API calls made by the cloudservices.gserviceaccount.com Service Account with the Deployment Manager's unique user agent (UA).
Blind spots
An attacker leveraging a different Deployment Manager template to elevate privileges (one that does not create a Service Account key) is not covered by this thesis.
Recommended investigation flow
- Investigate further actions made by the Service Account that has been targeted.
- Investigate the Deployment action that triggered the Service Account Key creation.
- Investigate the source IP address of the Deployment action.
- Investigate the source IAM user of the Deployment action.
- Compare the privileges of the IAM user who created the Deployment with those of the target Service Account: does it make sense for that user to escalate to those privileges?
- Investigate any additional and suspicious actions made by the IAM user, for example, the enumeration of multiple resources using GetIAMPolicy.
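The following is an added example, not part of the original playbook or the linked hunting query, showing the detection logic described above run over a few constructed Cloud Audit Log entries, and extracting the fields the investigation flow asks for (target Service Account, caller IP, user agent). The method name and service name are the real values IAM writes to audit logs; the Deployment Manager user-agent pattern is an assumed placeholder, since the page only states that the UA is unique, and should be replaced with the exact string observed in your own project's logs.

```python
import re

# Real values as they appear in IAM audit log protoPayload fields.
IAM_SERVICE = "iam.googleapis.com"
KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"
# The Deployment Manager service account named in the thesis: <project number>@cloudservices.gserviceaccount.com
CLOUDSERVICES_SA_RE = re.compile(r"^\d+@cloudservices\.gserviceaccount\.com$")
# ASSUMED placeholder for the Deployment Manager user agent; swap in the real string from your logs.
DEPLOYMENT_MANAGER_UA_RE = re.compile(r"deployment.?manager", re.IGNORECASE)
# resourceName in IAM logs looks like projects/-/serviceAccounts/<email>
SA_RESOURCE_RE = re.compile(r"serviceAccounts/([^/]+)")

# Constructed sample log entries (not real data), trimmed to the fields the hunt uses.
SAMPLE_LOGS = [
    {   # 1: key creation by the Deployment Manager SA with the DM user agent -> should match
        "timestamp": "2024-01-01T10:00:00Z",
        "protoPayload": {
            "serviceName": IAM_SERVICE, "methodName": KEY_CREATE_METHOD,
            "resourceName": "projects/-/serviceAccounts/owner-sa@example-project.iam.gserviceaccount.com",
            "authenticationInfo": {"principalEmail": "123456789012@cloudservices.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "Deployment Manager (placeholder UA)"},
        },
    },
    {   # 2: routine key creation by an admin via gcloud -> should not match
        "timestamp": "2024-01-01T10:05:00Z",
        "protoPayload": {
            "serviceName": IAM_SERVICE, "methodName": KEY_CREATE_METHOD,
            "resourceName": "projects/-/serviceAccounts/ci-sa@example-project.iam.gserviceaccount.com",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/1.0"},
        },
    },
    {   # 3: right principal and method but a different user agent -> outside the thesis, no match
        "timestamp": "2024-01-01T10:10:00Z",
        "protoPayload": {
            "serviceName": IAM_SERVICE, "methodName": KEY_CREATE_METHOD,
            "resourceName": "projects/-/serviceAccounts/other-sa@example-project.iam.gserviceaccount.com",
            "authenticationInfo": {"principalEmail": "123456789012@cloudservices.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "SomeOtherClient/2.0"},
        },
    },
    {   # 4: same principal, unrelated read call -> no match
        "timestamp": "2024-01-01T10:15:00Z",
        "protoPayload": {
            "serviceName": IAM_SERVICE, "methodName": "google.iam.admin.v1.GetIamPolicy",
            "resourceName": "projects/-/serviceAccounts/owner-sa@example-project.iam.gserviceaccount.com",
            "authenticationInfo": {"principalEmail": "123456789012@cloudservices.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "Deployment Manager (placeholder UA)"},
        },
    },
]


def _get(d, path, default=None):
    """Walk a dotted path through nested dicts; return default if any key is missing."""
    cur = d
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_dm_key_creation(entry):
    """True when the entry matches the thesis: CreateServiceAccountKey on iam.googleapis.com,
    called by <project number>@cloudservices.gserviceaccount.com with the Deployment Manager UA."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != IAM_SERVICE or payload.get("methodName") != KEY_CREATE_METHOD:
        return False
    if not CLOUDSERVICES_SA_RE.match(_get(payload, "authenticationInfo.principalEmail", "")):
        return False
    return bool(DEPLOYMENT_MANAGER_UA_RE.search(_get(payload, "requestMetadata.callerSuppliedUserAgent", "")))


def hunt(entries):
    """Return one finding per matching entry, carrying the fields the investigation flow needs."""
    findings = []
    for entry in entries:
        if not is_dm_key_creation(entry):
            continue
        payload = entry["protoPayload"]
        match = SA_RESOURCE_RE.search(payload.get("resourceName", ""))
        findings.append({
            "timestamp": entry.get("timestamp"),
            "target_service_account": match.group(1) if match else None,
            "principal": _get(payload, "authenticationInfo.principalEmail"),
            "caller_ip": _get(payload, "requestMetadata.callerIp"),
            "user_agent": _get(payload, "requestMetadata.callerSuppliedUserAgent"),
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Each finding names the targeted Service Account and the caller IP, which are the starting points for the investigation flow above; the source IAM user behind the Deployment itself is not in the IAM log entry and has to be pulled from the corresponding Deployment Manager insert event in the same project's audit logs.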
Hunters content
Detection: Potential Privilege Escalation Using Deployment Manager Service Account Key Creation
Hunting queries
https://gist.github.com/axon-git/a16be2f04643b0a0357e163423ad6080