Note
This article was originally published on July 10, 2024.
Product updates
Custom views in the SOC queue
As the latest addition to the SOC Queue, the SOC Queue tabs allow you to create customized views of the SOC Queue based on selected filters, and to share them with team members to align on open tasks and work processes.
With the SOC Queue tabs, you can:
Create tailored views - Customize and share views to align with your team and processes.
Manage watchlists - Focus on critical assets and proactive threat hunting.
Boost productivity - Optimize your workflow for maximum efficiency.
Handle multiple queues - Streamline your operations with ease.
Integrations
F5 Big IP WAF
BIG-IP Advanced WAF delivers a dedicated, dynamic dashboard that tracks compliance against the threats listed in the OWASP Top 10, guided configurations for common WAF use cases, a learning engine with customized policy building, and granular security policies for microservices and APIs.
The new integration includes:
Ingestion of the data to the data lake
Mapping the data to IOC Search
Mapping to the Hunters Web Requests Schema
Detection
New detectors
🔎 Google Workspace drive ownership transferred
Detector ID: gsuite_drive_ownership_transferred
Google Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.
Owners of sensitive files and folders can grant permissions to users who request internal or external access. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. With that in mind, adversaries may abuse Google Workspace’s drive transferring feature by transferring a user’s drive into an account of their choice.
The detector is based on the gsuite_activity logs.
Recommended investigation steps:
Investigate the user who initiated the action and confirm that they regularly perform administrative operations.
Investigate the source IP to identify an anomalous or malicious address/geolocation.
Investigate the list of files transferred
Determine if the source user was disabled or suspended after the operation, which could indicate normal administrative activity.
Triage potentially related alerts based on the users involved, especially the user to which the files were transferred.
🔎 Addition of domains to Google Workspace trusted domains list
Detector ID: gsuite_domain_added_to_trusted_domains
Detects the addition of single or multiple domains to Google Workspace's Trusted Domains list (aka Allowlist).
Threat actors do this to weaken defensive layers and maintain persistence.
For example, when the threat actor already has control over an admin user, they can leverage it to strengthen their persistence by ensuring their domain is trusted by the victim Google Workspace environment.
Recommended investigation steps:
Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.
Examine the reliability of the newly added domains.
Consider talking with the user to evaluate why they added the third-party domain.
🔎 Google Workspace MFA Enforcement Disabled
Detector ID: gsuite_mfa_enforcement_disabled
Multi-factor authentication (MFA) is a multi-step account login process requiring users to provide two or more verification factors to access a resource.
The detector fires when multi-factor authentication (MFA) enforcement is disabled for a Google Workspace organizational unit or for the whole organization, and when MFA is disabled for a specific user. An adversary may modify a password policy to weaken an organization's security controls or to keep persistent access to compromised accounts.
The detector is based on the gsuite_activity logs.
Recommended investigation steps:
Examine the user who initiated the action: which actions they performed before and after disabling MFA enforcement for a unit or organization, or before and after disabling MFA for a specific user.
Investigate the source IP to identify an anomalous or malicious address/geolocation.
Check for MFA-enforcement-enabled events during the week before MFA enforcement was disabled; such events can indicate an IT operation.
Contact the actor and confirm that they disabled MFA and that the action was authorized.
If the action was authorized, ask the administrator whether more actions like this are expected in the future and inform your team members.
If MFA was disabled for a specific user, examine that user's activity before and after the change, and check whether the user used MFA before it was disabled, which can indicate malicious action.
🔎 Suspicious Service Account Key Creation Using Deployment Manager
Detector ID: gcp_audit_dm_privesc_using_sa_key_template
The GCP Deployment Manager is a service that helps automatically set up and manage Google Cloud resources. It uses templates written in YAML, Python, or Jinja2 to specify what cloud resources to set up, like virtual machines, networks, or storage. The service works in the background, using a special GCP Service Account with high-privileged access to perform the actions.
Deployment Manager can also be used to elevate privileges and compromise service accounts in the project by using the serviceAccounts.keys.create template. This allows an attacker to create a new key for any chosen Service Account without needing the iam.serviceAccounts.actAs permission on the targeted Service Account.
The detector aims to catch new service account key creations performed by the Deployment Manager service, specifically by the service account <project number>@cloudservices.gserviceaccount.com, which carries out the actions behind the scenes. The query looks for CreateServiceAccountKey API calls made by the cloudservices.gserviceaccount.com Service Account together with the Deployment Manager user agent (DM UA), which can't be modified.
Recommended investigation steps:
Investigate further actions made by the targeted Service Account, including the Deployment action that triggered the Service Account Key creation, and the source IP address and IAM user of that Deployment action.
Assess the privileges of the IAM user who initiated the Deployment compared to the target Service Account to determine if it makes sense for them to escalate privileges.
Investigate any additional and suspicious actions made by the IAM user, for example, the enumeration of multiple resources using GetIAMPolicy.
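As an added example, not part of Hunters' detector code, the following Python filter applies the logic described above to constructed Cloud Audit Log entries: it keeps CreateServiceAccountKey calls whose principal is the <project number>@cloudservices.gserviceaccount.com account and surfaces the fields the investigation steps ask for. The field layout (protoPayload.methodName, authenticationInfo.principalEmail, requestMetadata, resourceName) and the sample values are assumptions, and the Deployment Manager user agent string is only carried into the lead, not matched, since the page does not give its exact value.

```python
import re

# Constructed sample entries shaped like Cloud Audit Log records for the
# google.iam.admin.v1 API (field layout assumed; not Hunters' schema).
SAMPLE_LOGS = [
    {   # key created by the Deployment Manager service account (what we hunt for)
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "123456789012@cloudservices.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "198.51.100.7", "callerSuppliedUserAgent": "dm-ua (constructed)"},
            "resourceName": "projects/-/serviceAccounts/owner-sa@example-project.iam.gserviceaccount.com",
        },
    },
    {   # same API called by a human admin: out of scope for this detector
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.9", "callerSuppliedUserAgent": "gcloud"},
            "resourceName": "projects/-/serviceAccounts/ci-sa@example-project.iam.gserviceaccount.com",
        },
    },
]
KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"
# <project number>@cloudservices.gserviceaccount.com: the account Deployment Manager acts as
DM_SA_RE = re.compile(r"^\d+@cloudservices\.gserviceaccount\.com$")

def is_dm_key_creation(entry):
    """True when a service-account key was created by the Deployment Manager SA."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != KEY_CREATE_METHOD:
        return False
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    return bool(DM_SA_RE.match(principal))

def dm_key_creation_leads(entries):
    """Turn matching entries into leads carrying the fields the triage steps need."""
    leads = []
    for entry in entries:
        if not is_dm_key_creation(entry):
            continue
        payload = entry["protoPayload"]
        meta = payload.get("requestMetadata", {})
        leads.append({
            "actor": payload["authenticationInfo"]["principalEmail"],
            "target_service_account": payload.get("resourceName", "").rsplit("/", 1)[-1],  # last path element
            "caller_ip": meta.get("callerIp"),
            "user_agent": meta.get("callerSuppliedUserAgent"),
        })
    return leads
```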
🔎 Addition of a user from a domain with no successful logins and user activity to a Google Workspace group
Detector ID: gsuite_external_user_added_to_group
Detects the addition, to an existing group, of a Google Workspace user account from a domain with no recent successful logins or user activity.
Adversaries may add user accounts as a means of initial access to the organization to intercept shared files or emails with that specific group or as a means of persistence to preserve their foothold in the network.
🔎 Creation of a custom admin role in a Google Workspace environment
Detector ID: gsuite_custom_admin_role_created
Detects when a custom admin role is created in Google Workspace.
An adversary may create a custom admin role to elevate the permissions of other user accounts and persist in their target environment.
Google Workspace roles allow super administrators to assign specific permissions to users or groups. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where the prebuilt roles do not fit, or, in the hands of an attacker, as a means of privilege escalation and persistence.
Recommended investigation steps:
Examine the actor's activity, and check their actions before and after creating the custom admin role. Contact the actor and confirm that they created the custom admin role. If the actor did not, disable or limit their account during the investigation.
Check the source IP to identify anomalous or malicious address or geolocation.
Check whether this role was assigned to a user. In case it was assigned check the user’s activity.
🔎 Google Workspace Admin Role Assignment
Detector ID: gsuite_admin_role_assignment
Adversaries may try to assign a role to a compromised account, thereby extending its permissions and strengthening their overall persistence in the Google Workspace tenant.
The detector looks for role assignment events for both pre-built admin roles (e.g., Super Admin, Help Desk Admin) and custom roles. The detector is based on the assign_role event in the gsuite_activity logs.
Custom roles are also included since they may also consist of administrative permissions.
Recommended investigation steps:
Examine the actor's activity, and check their actions before and after the role assignment.
Contact the actor and confirm that they assigned the role intentionally.
If the actor did not, disable or limit their account during the investigation.
Check the source IP to identify anomalous or malicious address or geolocation.
Check the activity of the user that was assigned to a role.
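As an added example, not Hunters' own detector code, this Python filter implements the assign_role logic above over constructed Admin SDK Reports API activity records for the "admin" application: every ASSIGN_ROLE event becomes a lead, and the role is tagged as prebuilt or custom so that custom roles are kept rather than dropped. The record layout, the ROLE_NAME and USER_EMAIL parameter names, and the convention that system roles carry an underscore-prefixed name are assumptions; the page itself only names the assign_role event.

```python
# Constructed sample activity records in the shape of the Admin SDK Reports API
# "admin" application (field layout and role names assumed; not the gsuite_activity schema).
SAMPLE_ACTIVITIES = [
    {   # prebuilt role: Super Admin (underscore-prefixed system role name, assumed)
        "id": {"time": "2024-07-02T08:00:00Z", "applicationName": "admin"},
        "actor": {"email": "admin@example.com"},
        "ipAddress": "203.0.113.5",
        "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "ASSIGN_ROLE",
                    "parameters": [{"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"},
                                   {"name": "USER_EMAIL", "value": "bob@example.com"}]}],
    },
    {   # custom role: included on purpose, it may still carry admin permissions
        "id": {"time": "2024-07-02T08:05:00Z", "applicationName": "admin"},
        "actor": {"email": "admin@example.com"},
        "ipAddress": "203.0.113.5",
        "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "ASSIGN_ROLE",
                    "parameters": [{"name": "ROLE_NAME", "value": "Ticket Triage"},
                                   {"name": "USER_EMAIL", "value": "carol@example.com"}]}],
    },
    {   # unrelated admin event: must not produce a lead
        "id": {"time": "2024-07-02T08:10:00Z", "applicationName": "admin"},
        "actor": {"email": "admin@example.com"},
        "ipAddress": "203.0.113.5",
        "events": [{"type": "USER_SETTINGS", "name": "CREATE_USER",
                    "parameters": [{"name": "USER_EMAIL", "value": "dave@example.com"}]}],
    },
]

def _params(event):
    """Flatten the parameters list into a name -> value dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}

def role_assignment_leads(activities):
    """One lead per assign_role event, tagging the role as prebuilt or custom."""
    leads = []
    for act in activities:
        for event in act.get("events", []):
            if event.get("name", "").upper() != "ASSIGN_ROLE":
                continue
            params = _params(event)
            role = params.get("ROLE_NAME", "")
            leads.append({
                "actor": act.get("actor", {}).get("email"),
                "source_ip": act.get("ipAddress"),
                "assignee": params.get("USER_EMAIL"),
                "role": role,
                "role_kind": "prebuilt" if role.startswith("_") else "custom",
            })
    return leads
```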
🔎 Google Workspace Custom Gmail Route Created or Modified
Detector ID: gsuite_email_route_created_or_modified
Gmail is a popular cloud-based email service developed and managed by Google, and is one of many services available for users with Google Workspace accounts.
The creation of a custom global Gmail route by an administrator from the Google Workspace admin console could indicate an attempt to secretly forward sensitive emails to unintended recipients, or to impersonate another user for phishing purposes.
Recommended investigation steps:
Investigate the user who initiated the action and make sure they have administrative privileges.
Investigate the source IP to identify an anomalous or malicious address/geolocation.
Through the Google Workspace admin console, search for the route and view its settings to determine its impact. This can be done by navigating to Apps > Google Workspace > Gmail > Routing.
Through the Google Workspace admin console, check the emails forwarded through the route by going to Reporting > Email Log Search; the route is displayed for each mail under "delivery details" in the Recipient tab.
Attempt to identify any phishing or data exfiltration attempts, depending on the direction of the route.
Modified detectors
🔎 Creation of machine account certificate-based TGT request
Detector ID: windows_event_machine_account_certificate_authentication
🚧 Availability
Effective July 14, 2024.
As part of this improvement, we've added an asset sensitivity scoring layer that raises confidence when critical-sensitivity assets (such as domain controllers), which are more valuable to an attacker, were targeted in the attack.
We kept the existing vulnerability management scoring layer, which raises confidence when a severe vulnerability is found on the asset.
Additionally, we adjusted the score threshold to align better with our scoring system and lowered the default confidence, resulting in a default score of medium instead of high. Following these adjustments, leads from this detector will not be entered into the SOC queue.