Privilege Escalation: Sensitive Role Granted To Hybrid Group

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

Sensitive roles or permissions were granted to a Google Group with external members. To respond to this finding, do the following:

Step 1: Review finding details

  1. Open a Privilege Escalation: Sensitive Role Granted To Hybrid Group finding, as directed in Reviewing findings. The details panel for the finding opens to the Summary tab.

  2. On the Summary tab, review the information in the following sections:

    • What was detected, especially the following fields:
      • Principal email: the account that made the changes, which might be compromised.
    • Affected resource, especially the following fields:
      • Resource full name: the resource where the new role was granted.
    • Related links, especially the following fields:
      • Cloud Logging URI: link to Logging entries.
      • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
      • Related findings: links to any related findings.
  3. Click the JSON tab.

  4. In the JSON, note the following fields:

    • groupName: the Google Group where the changes were made.
    • bindingDeltas: the sensitive roles that are newly granted to this group.

Step 2: Review group permissions

  1. Go to the IAM page in the Google Cloud console.

  2. In the Filter field, enter the account name listed in groupName.

  3. Review the sensitive roles granted to the group.

  4. If the newly added sensitive role isn't needed, revoke the role.

    You need specific permissions to manage roles in your organization or project. For more information, see Required permissions.

Step 3: Check logs

  1. On the Summary tab of the finding details panel, click the Cloud Logging URI link to open the Logs Explorer.
  2. If necessary, select your project.

  3. On the page that loads, check logs for Google Group settings changes using the following filters:

    • protoPayload.methodName="SetIamPolicy"
    • protoPayload.authenticationInfo.principalEmail="principalEmail"
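As an added triage helper covering Steps 1 through 3 (not code from Google or from the Security Command Center documentation), the following Python script reads a finding's JSON, pulls out groupName and the newly granted roles from bindingDeltas, builds the Logs Explorer query from the two filters above, and prints the gcloud commands that would revoke each new role if Step 2 shows it is not needed. The sample finding is constructed, and its surrounding field layout (access.principalEmail, resourceName, sourceProperties) is an assumption; only groupName and bindingDeltas are named on this page. The revoke commands are generated as strings, not executed.

```python
import json
import re
import shlex

# Constructed sample finding. Only groupName and bindingDeltas are named on the page;
# the surrounding layout (access.principalEmail, resourceName, sourceProperties) is an
# assumption made for this example.
SAMPLE_FINDING = json.dumps({
    "category": "Privilege Escalation: Sensitive Role Granted To Hybrid Group",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/example-project",
    "access": {"principalEmail": "admin@example.com"},
    "sourceProperties": {
        "groupName": "hybrid-team@example.com",
        "bindingDeltas": [
            {"action": "ADD", "role": "roles/owner",
             "member": "group:hybrid-team@example.com"},
            {"action": "ADD", "role": "roles/iam.serviceAccountTokenCreator",
             "member": "group:hybrid-team@example.com"},
            {"action": "REMOVE", "role": "roles/editor",
             "member": "group:hybrid-team@example.com"},
        ],
    },
})


def project_from_resource(resource_full_name):
    """Extract the project ID from a resource full name such as
    //cloudresourcemanager.googleapis.com/projects/example-project."""
    match = re.search(r"/projects/([^/]+)", resource_full_name)
    if not match:
        raise ValueError(f"no project in resource name: {resource_full_name}")
    return match.group(1)


def parse_finding(raw_json):
    """Return the fields Step 1 says to note. Only ADD deltas count as newly
    granted roles; REMOVE deltas are ignored."""
    finding = json.loads(raw_json)
    props = finding.get("sourceProperties", {})
    deltas = props.get("bindingDeltas", [])
    return {
        "principal": finding.get("access", {}).get("principalEmail"),
        "resource": finding.get("resourceName"),
        "group": props.get("groupName"),
        "added_roles": [d["role"] for d in deltas if d.get("action") == "ADD"],
    }


def logging_filter(principal_email):
    """Join the two Step 3 filters with AND so the query matches only the
    SetIamPolicy calls made by the principal named in the finding."""
    return (
        'protoPayload.methodName="SetIamPolicy" AND '
        f'protoPayload.authenticationInfo.principalEmail="{principal_email}"'
    )


def revoke_commands(parsed):
    """One gcloud command per newly granted role, to run only after Step 2
    confirms the role is not needed. Returned as strings, never executed here."""
    project = project_from_resource(parsed["resource"])
    member = f"group:{parsed['group']}"
    return [
        "gcloud projects remove-iam-policy-binding "
        f"{shlex.quote(project)} --member={shlex.quote(member)} --role={shlex.quote(role)}"
        for role in parsed["added_roles"]
    ]


if __name__ == "__main__":
    parsed = parse_finding(SAMPLE_FINDING)
    print("Group:", parsed["group"])
    print("Newly granted roles:", ", ".join(parsed["added_roles"]))
    print("Logs Explorer filter:", logging_filter(parsed["principal"]))
    for cmd in revoke_commands(parsed):
        print("Revoke:", cmd)
```

The revoke commands target the project named in Resource full name; if the binding was granted at the folder or organization level, the equivalent `gcloud resource-manager folders` or `gcloud organizations remove-iam-policy-binding` form applies instead, and you need the permissions noted in Step 2 to run any of them.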

Step 4: Research attack and response methods

  1. Review the MITRE ATT&CK framework entry for this finding type: Valid Accounts.
  2. To determine if additional remediation steps are necessary, combine your investigation results with MITRE research.

What's next