While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group.

Techniques

Sample rules

Detect New Open GCP Storage Buckets

Description

The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the storage.setIamPermissions method and checks if the allUsers member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations.

Detection logic

`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions
| spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action
| spath output=user path=data.protoPayload.authenticationInfo.principalEmail
| spath output=location path=data.protoPayload.resourceLocation.currentLocations{}
| spath output=src path=data.protoPayload.requestMetadata.callerIp
| spath output=bucketName path=data.protoPayload.resourceName
| spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role
| spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member
| search (member=allUsers AND action=ADD)
| table _time, bucketName, src, user, location, action, role, member
| search `detect_new_open_gcp_storage_buckets_filter`
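The same filter as the SPL above, written as an added Python example (not part of the original rule) and run over constructed audit-log messages shaped like the data.* paths the search reads; the bucket names, principal and caller IP are assumed sample values. One difference worth knowing: the SPL tests the flattened multivalue member and action fields at event level, so an event that removes allUsers while adding some other member can still match, whereas this version checks each bindingDelta on its own.

```python
def audit_msg(bucket, deltas, rtype="gcs_bucket"):
    """Build a constructed PubSub audit-log message (not a real capture) with the
    fields the detection reads; principal, caller IP and location are sample values."""
    return {"data": {"resource": {"type": rtype}, "protoPayload": {
        "methodName": "storage.setIamPermissions",
        "resourceName": f"projects/_/buckets/{bucket}",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.10"},
        "resourceLocation": {"currentLocations": ["us-central1"]},
        "serviceData": {"policyDelta": {"bindingDeltas": deltas}}}}}


SAMPLE_MESSAGES = [  # constructed; only the first message should produce a finding
    audit_msg("example-public-bucket", [
        {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"},
        {"action": "ADD", "role": "roles/storage.admin", "member": "user:admin@example.com"}]),
    audit_msg("example-fixed-bucket",  # removing allUsers is remediation, not a finding
              [{"action": "REMOVE", "role": "roles/storage.objectViewer", "member": "allUsers"}]),
    audit_msg("not-a-bucket", [{"action": "ADD", "role": "roles/viewer", "member": "allUsers"}],
              rtype="project"),  # wrong resource type, filtered out like the SPL's first clause
]


def open_bucket_events(messages: list[dict]) -> list[dict]:
    """Keep gcs_bucket storage.setIamPermissions events whose policy delta ADDs the
    allUsers member, emitting the same columns the SPL `table` command produces."""
    hits = []
    for msg in messages:
        data = msg.get("data", {})
        payload = data.get("protoPayload", {})
        if data.get("resource", {}).get("type") != "gcs_bucket":
            continue
        if payload.get("methodName") != "storage.setIamPermissions":
            continue
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            # Evaluate member and action on the same binding delta so an ADD of one
            # member is never paired with a REMOVE of allUsers from another delta.
            if delta.get("member") == "allUsers" and delta.get("action") == "ADD":
                hits.append({
                    "bucketName": payload.get("resourceName"),
                    "src": payload.get("requestMetadata", {}).get("callerIp"),
                    "user": payload.get("authenticationInfo", {}).get("principalEmail"),
                    "location": payload.get("resourceLocation", {}).get("currentLocations"),
                    "action": delta.get("action"), "role": delta.get("role"),
                    "member": delta.get("member"),
                })
    return hits
```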