[sync] GCP serviceusage.apiKeys.create Privilege Escalation rule (#55) #1076
Goal
Detect use of the serviceusage.apiKeys.create method for privilege escalation in GCP. Depending on which logs the exploit generates, this ticket could result in multiple detections.
Categorization
TA0004:T1548
Strategy Abstract
This is a non-IAM privilege escalation method: the permission does not belong to the "IAM" family.
Technical Context
This rule concerns a method of authenticating with GCP APIs known as API keys. By default, API keys are created with no restrictions, which means they have access to the entire GCP project they were created in. An attacker holding this permission can capitalize on that by creating a new API key that may carry more privileges than their own user. There is no official API for this, so a custom HTTP request needs to be sent to https://apikeys.clients6.google.com/ (or https://apikeys.googleapis.com/). This was discovered by monitoring the HTTP requests and responses while browsing the GCP web console. For documentation on the restrictions associated with API keys, visit this link.
Blind Spots and Assumptions
Assumes proper GCP logging and audit policies.
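The detection described in the Goal depends on Cloud Audit Logs being enabled, as the assumption above states. The following is an added example, not code from this rule or its repository: it scans audit log entries (JSON, one per line) and reports callers who were granted serviceusage.apiKeys.create. The field names follow the Cloud Audit Log schema (protoPayload, authorizationInfo, authenticationInfo); the sample entries and the method name strings in them are constructed placeholders.

```python
import json

# Permission named in the rule; matched against Cloud Audit Log authorizationInfo.
TARGET_PERMISSION = "serviceusage.apiKeys.create"
AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

def detect_apikey_create(log_lines):
    """Return one finding per Cloud Audit Log entry (JSON text, one per line) in which
    the caller was actually granted serviceusage.apiKeys.create. Denied attempts and
    non-audit entries are ignored so the rule fires only on a successful creation."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the pipeline
        payload = entry.get("protoPayload", {})
        if payload.get("@type") != AUDIT_LOG_TYPE:
            continue
        granted = [a for a in payload.get("authorizationInfo", [])
                   if a.get("permission") == TARGET_PERMISSION and a.get("granted") is True]
        if not granted:
            continue
        findings.append({
            "timestamp": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "method": payload.get("methodName"),
            "resource": granted[0].get("resource"),
            "project": entry.get("resource", {}).get("labels", {}).get("project_id"),
        })
    return findings

# Constructed sample entries (not real logs): a granted create, a denied create, an
# unrelated read and a malformed line. Method names here are illustrative placeholders.
SAMPLE_LOGS = [
    json.dumps({"timestamp": "2021-06-01T12:00:00Z",
                "resource": {"labels": {"project_id": "example-proj"}},
                "protoPayload": {"@type": AUDIT_LOG_TYPE, "methodName": "EXAMPLE.ApiKeys.CreateKey",
                                 "authenticationInfo": {"principalEmail": "dev@example.com"},
                                 "authorizationInfo": [{"permission": TARGET_PERMISSION, "granted": True,
                                                        "resource": "projects/example-proj"}]}}),
    json.dumps({"timestamp": "2021-06-01T12:01:00Z",
                "protoPayload": {"@type": AUDIT_LOG_TYPE, "methodName": "EXAMPLE.ApiKeys.CreateKey",
                                 "authenticationInfo": {"principalEmail": "intern@example.com"},
                                 "authorizationInfo": [{"permission": TARGET_PERMISSION, "granted": False}]}}),
    json.dumps({"protoPayload": {"@type": AUDIT_LOG_TYPE, "methodName": "v1.compute.instances.list",
                                 "authorizationInfo": [{"permission": "compute.instances.list", "granted": True}]}}),
    "not json at all",
]
```

Matching on the granted permission rather than on a method name keeps the detection stable if the API endpoint or method naming changes; denied attempts are dropped here, but a separate lower-severity alert on them is a reasonable extension.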
False Positives
Legitimate administrative activity that is authorized and expected.
Validation
The exploit script for this method can be found here.
Priority
High or Critical
Response
This is not a vulnerability in GCP; it is a vulnerability in how you have configured your GCP environment, so it is your responsibility to be aware of these attack vectors and to defend against them. It is also important to remember that privilege escalation does not necessarily need to pass through the IAM service to be effective. Make sure to follow the principle of least privilege in your environments to help mitigate these security risks.
Additional Resources
https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/
https://cloud.google.com/docs/authentication/api-keys