Privilege Escalation: External Member Added To Privileged Group

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

This finding isn't available for project-level activations.

An external member was added to a privileged Google Group (a group granted sensitive roles or permissions). To respond to this finding, do the following:

Step 1: Review finding details

1. Open a Privilege Escalation: External Member Added To Privileged Group finding, as directed in Reviewing findings. The details panel for the finding opens to the Summary tab.

2. On the Summary tab, review the information in the following sections:

   • What was detected, especially the following fields:
     • Principal email: the account that made the changes.
   • Affected resource
   • Related links, especially the following fields:
     • Cloud Logging URI: link to Logging entries.
     • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
     • Related findings: links to any related findings.

3. In the detail panel, click the JSON tab.

4. In the JSON, note the following fields.

   • groupName: the Google Group where the changes were made
   • externalMember: the newly added external member
   • sensitiveRoles: the sensitive roles associated with this group

Step 2: Review group members

1. Go to Google Groups.

   Go to Google Groups

2. Click the name of the group you want to review.

3. In the navigation menu, click Members.

4. If the newly added external member should not be in this group, click the checkbox next to the members name, and then select remove_circle_outline Remove member or not_interested Ban member.

   To remove or members, you must be a Google Workspace Admin, or assigned the Owner or Manager role in the Google Group. For more information, see Assign roles to a group's members.

Step 3: Check logs

1. On the Summary tab of the finding details panel, click the Cloud Logging URI link to open the Logs Explorer.

2. If necessary, select your project.

3. On the page that loads, check logs for Google Group membership changes using the following filters:

   • protoPayload.methodName="google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership"
   • protoPayload.authenticationInfo.principalEmail="principalEmail"

Step 4: Research attack and response methods

1. Review the MITRE ATT&CK framework entry for this finding type: Valid Accounts.
2. To determine if additional remediation steps are necessary, combine your investigation results with MITRE research.

What's next

• Learn how to work with threat findings in Security Command Center.
• Refer to the Threat findings index.
• Learn how to review a finding through the Google Cloud console.
• Learn about the services that generate threat findings.