Privilege Escalation: Privileged Group Opened To Public

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

This finding isn't available for project-level activations.

A privileged Google Group (a group granted sensitive roles or permissions) was made accessible to the general public. To respond to this finding, do the following:

Step 1: Review finding details

1. Open a Privilege Escalation: Privileged Group Opened To Public finding, as directed in Reviewing findings. The details panel for the finding opens to the Summary tab.

2. On the Summary tab, review the information in the following sections:

   • What was detected, especially the following fields:
     • Principal email: the account that made the changes, which might be compromised.
   • Affected resource
   • Related links, especially the following fields:
     • Cloud Logging URI: link to Logging entries.
     • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
     • Related findings: links to any related findings.
   1. Click the JSON tab.
   2. In the JSON, note the following fields.
   • groupName: the Google Group where the changes were made
   • sensitiveRoles: the sensitive roles associated with this group
   • whoCanJoin: the joinability setting of the group

Step 2: Review group access settings

1. Go to the Admin Console for Google Groups. You must be a Google Workspace Admin to sign in to the console.

   Go to Admin Console

2. In the navigation pane, click Directory, and then select Groups.

3. Click the name of the group you want to review.

4. Click Access Settings, and then, under Who can join the group, review the group's joinability setting.

5. In the drop-down menu, if needed, change the joinability setting.

Step 3: Check logs

1. On the Summary tab of the finding details panel, click the Cloud Logging URI link to open the Logs Explorer.

2. If necessary, select your project.

3. On the page that loads, check logs for Google Group settings changes using the following filters:

   • protoPayload.methodName="google.admin.AdminService.changeGroupSetting"
   • protoPayload.authenticationInfo.principalEmail="principalEmail"

Step 4: Research attack and response methods

1. Review the MITRE ATT&CK framework entry for this finding type: Valid Accounts.
2. To determine if additional remediation steps are necessary, combine your investigation results with MITRE research.

What's next

• Learn how to work with threat findings in Security Command Center.
• Refer to the Threat findings index.
• Learn how to review a finding through the Google Cloud console.
• Learn about the services that generate threat findings.