GCP IAM role enumeration using get-IAM-policy


Attack technique

Technique name: GCP IAM role enumeration using get-IAM-policy

MITRE ATT&CK
Tactic: Discovery
Technique: Cloud Infrastructure Discovery (T1580)

Technique description
Google Cloud Platform has no single, centralized place for managing roles across an organization. Instead, IAM policies, which bind members (users, service accounts, or groups) to roles and their respective permissions, are attached directly to resources. To find out who has access to a given resource, and with what permissions, a user needs to call the Get-IAM-Policy method on that particular resource.

Get-IAM-Policy is a legitimate GCP API call that lets a caller retrieve the IAM policy of a specified resource. If an attacker manages to compromise a GCP identity, they may aggressively enumerate the IAM policies attached to other resources, looking for misconfigurations they can exploit to gain broader access and move laterally within the GCP environment.

Insights from threat intelligence
Given the crucial part this method plays in the GCP attack chain, it is plausible that it has been used opportunistically in real-world intrusions. However, concrete examples of attacks leveraging Get-IAM-Policy for role enumeration are lacking, primarily because cloud-related incidents are seldom made public.



Threat hunting theses breakdown

Abnormal enumeration activity using get-IAM-policy


Relevant data sources

  • GCP Audit Logs


Thesis explanation

The thesis looks for abnormal usage of the Get-IAM-Policy API method against numerous target GCP resources within a short period: a 2-hour tumbling time window. In addition, the thesis uses a UEBA algorithm to learn, over time, the normal activity of the IAM identity that performed the calls, in order to eliminate false positives from IAM identities that routinely enumerate resources for organizational purposes, for example authorized vulnerability scanners.
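The detection logic the thesis describes, as an added illustration that is not Hunters' own query: distinct Get-IAM-Policy targets per identity are counted inside 2-hour tumbling windows, and a count is only reported when it exceeds both a fixed floor and a multiple of that identity's learned per-window baseline (a simple stand-in for the UEBA step). The log records, email addresses, resource names and baseline values are constructed samples shaped like Cloud Audit Log entries.

```python
"""Flag identities calling Get-IAM-Policy on many distinct resources within a
2-hour tumbling window, with a per-identity baseline to suppress known scanners."""
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 2 * 3600


def _window_start(ts: str) -> int:
    """Tumbling window id: epoch seconds floored to the 2-hour boundary (UTC)."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % WINDOW_SECONDS


def is_get_iam_policy(entry: dict) -> bool:
    """Method names differ per service (e.g. storage.buckets.getIamPolicy vs
    google.iam.v1.IAMPolicy.GetIamPolicy), so match on the common suffix."""
    return entry["protoPayload"]["methodName"].lower().endswith("getiampolicy")


def count_targets(entries):
    """Map (principal, window) -> set of distinct resourceName values queried."""
    targets = defaultdict(set)
    for e in entries:
        if not is_get_iam_policy(e):
            continue
        principal = e["protoPayload"]["authenticationInfo"]["principalEmail"]
        key = (principal, _window_start(e["timestamp"]))
        targets[key].add(e["protoPayload"]["resourceName"])
    return targets


def find_abnormal(entries, baseline, threshold=5, factor=3.0):
    """Return (principal, window, count) triples where the distinct-target count
    reaches `threshold` and exceeds `factor` times the identity's learned mean
    of distinct targets per window (unknown identities have a baseline of 0)."""
    hits = []
    for (principal, win), resources in count_targets(entries).items():
        n = len(resources)
        if n >= threshold and n > factor * baseline.get(principal, 0.0):
            hits.append((principal, win, n))
    return sorted(hits)


def _entry(ts, principal, resource, method="GetIamPolicy"):  # constructed sample
    return {"timestamp": ts, "protoPayload": {"methodName": method,
            "authenticationInfo": {"principalEmail": principal}, "resourceName": resource}}


SAMPLE_LOGS = (  # constructed: 6 buckets by a user, 8 VMs by a known scanner, 1 non-Get call
    [_entry(f"2024-05-01T10:{m:02d}:00Z", "user@example.com",
            f"projects/p1/buckets/b{m}", "storage.buckets.getIamPolicy") for m in range(6)]
    + [_entry("2024-05-01T10:30:00Z", "scanner@example.iam.gserviceaccount.com",
              f"projects/p1/zones/z/instances/vm{i}") for i in range(8)]
    + [_entry("2024-05-01T10:40:00Z", "user@example.com", "projects/p1", "SetIamPolicy")]
)
BASELINE = {"scanner@example.iam.gserviceaccount.com": 10.0}  # learned: ~10 targets/window
```

Running `find_abnormal(SAMPLE_LOGS, BASELINE)` reports only the user (6 distinct targets, no baseline); the scanner's 8 targets stay below three times its learned baseline and are suppressed.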


Recommended investigation flow

  • Investigate the source IP that initiated the Get-IAM-Policy API calls
    • Were the calls made from a managed organizational machine IP? (EDR / FW / proxy correlations)
  • Investigate the user agent that initiated the Get-IAM-Policy API calls
  • Investigate the identity that initiated the Get-IAM-Policy API calls
    • Is it a service account or an IAM user member?
    • Does the enumeration process (Get-IAM-Policy API calls) happen repetitively? Repetitive API calls might point to an authorized automated process.
    • Investigate any additional suspicious activity performed by the identity (any related lead at Hunters: Member IAM identity → Entity Search)
  • Review the diversity of the enumerated target resource types (e.g. multiple resource types might be more suspicious)

Hunting queries

Github

Hunters content

Detection: GCP IAM Role Enumeration Using Get-IAM-Policy