GCP Detect gcploit framework
- source: splunk
- techniques:
- T1078
Description
This search detects activity of the GCPloit exploitation framework. The framework can be used to escalate privileges and move laterally from compromised high-privilege accounts.
Detection logic
`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s
| table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent
| `gcp_detect_gcploit_framework_filter`
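The following Python re-implements the Splunk search above as a stand-alone check that can be run over GCP Cloud Audit Log entries pulled from a Pub/Sub subscription. It is an added example, not part of the Splunk rule or the GCPloit project. It assumes the Splunk fields `src`, `src_user` and `http_user_agent` correspond to `protoPayload.requestMetadata.callerIp`, `protoPayload.authenticationInfo.principalEmail` and `protoPayload.requestMetadata.callerSuppliedUserAgent` in the raw log entry (the usual add-on mapping, treated here as an assumption), and the sample messages, project ids and e-mail addresses are constructed placeholders. The `gcp_detect_gcploit_framework_filter` macro is left out; it is a site-specific allowlist hook.

```python
"""Stand-alone equivalent of the Splunk search for GCPloit-style Cloud Functions deploys.

Input : GCP Cloud Audit Log entries, each wrapped as {"data": <log entry>} the way a
        Pub/Sub delivery presents them.
Output: one row per matching event with the same columns the Splunk `table` command lists.
"""
import json

# The search keys on this exact function timeout value (from the rule above).
TIMEOUT_INDICATOR = "539s"

# Columns of the Splunk `table` command, in the same order.
COLUMNS = [
    "src",
    "src_user",
    "data.resource.labels.project_id",
    "data.protoPayload.request.function.serviceAccountEmail",
    "data.protoPayload.authorizationInfo{}.permission",
    "data.protoPayload.request.location",
    "http_user_agent",
]

# Assumed mapping of Splunk-extracted fields onto the raw audit log entry.
DERIVED_FIELDS = {
    "src": "data.protoPayload.requestMetadata.callerIp",
    "src_user": "data.protoPayload.authenticationInfo.principalEmail",
    "http_user_agent": "data.protoPayload.requestMetadata.callerSuppliedUserAgent",
}


def lookup(obj, path):
    """Resolve a Splunk-style dotted path.

    A key ending in `{}` (e.g. `authorizationInfo{}`) expands a JSON array and
    applies the remainder of the path to every element, returning a list.
    Missing keys yield None instead of raising.
    """
    if path is None:
        return obj
    key, _, rest = path.partition(".")
    multi = key.endswith("{}")
    if multi:
        key = key[:-2]
    if not isinstance(obj, dict) or key not in obj:
        return None
    value = obj[key]
    if multi:
        items = value if isinstance(value, list) else [value]
        return [lookup(item, rest or None) for item in items]
    return lookup(value, rest or None)


def detect_gcploit(raw_messages, timeout=TIMEOUT_INDICATOR):
    """Return the table rows the Splunk search would produce for the given messages."""
    rows = []
    for raw in raw_messages:
        event = json.loads(raw)
        if lookup(event, "data.protoPayload.request.function.timeout") != timeout:
            continue
        rows.append({col: lookup(event, DERIVED_FIELDS.get(col, col)) for col in COLUMNS})
    return rows


def _audit_entry(timeout, principal="deployer@example.com", ip="203.0.113.10"):
    """Build a constructed Cloud Functions create-audit-log message (placeholder values)."""
    return json.dumps({"data": {
        "resource": {"labels": {"project_id": "example-project"}},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip,
                                "callerSuppliedUserAgent": "google-cloud-sdk gcloud/400.0.0"},
            "authorizationInfo": [
                {"permission": "cloudfunctions.functions.create", "granted": True},
                {"permission": "iam.serviceAccounts.actAs", "granted": True},
            ],
            "request": {
                "location": "projects/example-project/locations/us-central1",
                "function": {
                    "name": "projects/example-project/locations/us-central1/functions/fn",
                    "timeout": timeout,
                    "serviceAccountEmail": "high-priv-sa@example-project.iam.gserviceaccount.com",
                },
            },
        },
    }})


# Constructed sample input: one deploy with the indicator timeout, one benign default
# deploy (60s) and one near miss (540s) that the rule deliberately does not match.
SAMPLE_MESSAGES = [
    _audit_entry("539s", principal="suspicious-user@example.com"),
    _audit_entry("60s"),
    _audit_entry("540s"),
]

if __name__ == "__main__":
    for row in detect_gcploit(SAMPLE_MESSAGES):
        print(" | ".join(f"{col}={row[col]}" for col in COLUMNS))
```

Because the rule matches on a single literal timeout, a deploy using any other value slips past it; the near-miss sample shows that this is a signature for the framework's default behaviour, not a general detector of malicious Cloud Functions deploys.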