GCP OAuth token abuse detection will only work if there are access policies in place along with audit logs: the search surfaces access-policy violation details recorded in audit log entries, so with no access policy in place no violations are logged and the search returns nothing.

Techniques

Sample rules

gcp detect oauth token abuse

Description

This search provides detection of possible GCP OAuth token abuse. A GCP OAuth token without a time limit can be exfiltrated and reused to keep an access session alive without any further authentication control, allowing an attacker to retain access and move laterally.

Detection logic

`google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog 
|table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message  
| `gcp_detect_oauth_token_abuse_filter`
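To make the field extraction concrete, the following is an added Python example (not code from the original page or from the Splunk content it describes) that applies the same logic as the search to a few constructed Pub/Sub audit log messages. The sample messages are invented; their field paths are chosen to match the ones the SPL tables (`protoPayload.status.details{}.violations{}.callerIp` and so on), and the real layout of a given violation record may differ. Unlike Splunk's `table`, which would still emit a row with empty fields for an event that has no violations, the example emits one row per violation and counts the violation-free AuditLog events separately, which is exactly the gap the false-positive note above describes.

```python
"""Field extraction behind the "gcp detect oauth token abuse" search,
re-implemented in Python over constructed sample AuditLog messages."""
import json

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

# Constructed sample Pub/Sub payloads (not real GCP output). Field paths
# mirror those the SPL tables; the real violation layout is assumed.
SAMPLE_MESSAGES = [
    # 1. Request rejected by an access policy: the case the search surfaces.
    json.dumps({
        "protoPayload": {
            "@type": AUDIT_LOG_TYPE,
            "status": {
                "code": 7,
                "message": "Request is prohibited by organization's policy",
                "details": [{
                    "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
                    "violations": [{
                        "type": "VPC_SERVICE_CONTROLS",
                        "callerIp": "203.0.113.10",
                    }],
                }],
            },
        },
    }),
    # 2. Successful call with a reused token but no access policy in place:
    #    no status.details, so the search has nothing to key on.
    json.dumps({
        "protoPayload": {
            "@type": AUDIT_LOG_TYPE,
            "status": {},
            "authenticationInfo": {
                "principalEmail": "svc@example.iam.gserviceaccount.com"
            },
        },
    }),
    # 3. A message that is not an AuditLog at all and must be filtered out.
    json.dumps({
        "protoPayload": {"@type": "type.googleapis.com/google.cloud.other.Event"}
    }),
]


def parse_messages(raw_messages):
    """Parse raw JSON Pub/Sub message bodies into dicts."""
    return [json.loads(m) for m in raw_messages]


def audit_log_events(events):
    """Keep only events whose protoPayload.@type is the AuditLog type,
    mirroring the type filter at the start of the SPL search."""
    return [e for e in events
            if e.get("protoPayload", {}).get("@type") == AUDIT_LOG_TYPE]


def table_violations(events):
    """One row per access-policy violation, carrying the fields the search
    tables: details{}.@type, violations{}.callerIp, violations{}.type and
    status.message."""
    rows = []
    for event in audit_log_events(events):
        payload = event["protoPayload"]
        status = payload.get("status", {})
        for detail in status.get("details", []):
            for violation in detail.get("violations", []):
                rows.append({
                    "protoPayload.@type": payload["@type"],
                    "details.@type": detail.get("@type"),
                    "callerIp": violation.get("callerIp"),
                    "violation.type": violation.get("type"),
                    "status.message": status.get("message"),
                })
    return rows


def audit_events_without_violations(events):
    """Count AuditLog events carrying no violation details: these are the
    requests the search cannot see when no access policy is enforced."""
    count = 0
    for event in audit_log_events(events):
        details = event["protoPayload"].get("status", {}).get("details", [])
        if not any(d.get("violations") for d in details):
            count += 1
    return count


if __name__ == "__main__":
    parsed = parse_messages(SAMPLE_MESSAGES)
    for row in table_violations(parsed):
        print(row)
    print("AuditLog events with no violation signal:",
          audit_events_without_violations(parsed))
```

Running the block prints the single violation row from the first message and reports one AuditLog event that produced no signal, which is the reused-token request that only an access policy would have turned into a logged violation.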