Clankerusecase
GCP detection coverage

GCP detections

Clankerusecase tracks 13 detection use cases covering the GCP attack surface across 13 MITRE ATT&CK techniques.

Detections targeting Google Cloud Platform — Cloud Audit Logs, IAM, Compute, GKE.

13 use cases · 13 techniques · 3 articles · 3 kill-chain phases

Top techniques on GCP (13)

Installation (6)

GCP project external principal added as owner (Internal · install · alerting)
GCP Compute Engine firewall rule modified (Internal · install · alerting)
GCP custom IAM role created (Internal · install · alerting)
GCP Cloud Logging bucket deleted (Internal · install · alerting)
GCP Cloud Logging sink modified (Internal · install · alerting)
GCP Cloud Storage bucket permissions modified (Internal · install · alerting)

Command & Control (1)

[LLM] Exfiltration to kubernetes-el attacker webhook.site UUIDs (Pwn Request payload) (Bespoke · c2 · alerting)

Actions on Objectives (6)

GCP service-account key created (Internal · actions · alerting)
Detect New Open GCP Storage Buckets (ESCU · actions · alerting)
gcp detect oauth token abuse (ESCU · actions · hunting)
GCP Kubernetes cluster scan detection (ESCU · actions · alerting)
[LLM] GCP Cloud Logging sink disabled or deleted (Bespoke · actions · alerting)
[LLM] Bun/Node initiating multi-cloud secret-manager enumeration burst (Sha1-Hulud aL0 harvest) (Bespoke · actions · alerting)
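As an added example (not Clankerusecase's own rule logic or rule syntax, and not ESCU content), the Python below shows what several of the Cloud Audit Log use cases in the Installation and Actions on Objectives lists above reduce to once the log is parsed: matching protoPayload.serviceName and protoPayload.methodName, and, for the external-owner case, walking the SetIamPolicy bindingDeltas and comparing the added member's domain against an allowlist. The log entries are constructed, and the trusted-domain set, the principals and the project names are assumptions; only the method names are the ones Cloud Audit Logs actually emit.

```python
"""Toy matcher for a subset of the GCP Cloud Audit Log use cases listed on this page.

Added example, not the site's detection logic. Log entries are constructed and
TRUSTED_DOMAINS is an assumption standing in for the org's real identity domains.
"""
import json

TRUSTED_DOMAINS = {"example.com"}  # assumption: identities the org owns

# Exact (serviceName, methodName) matches -> use-case title from the page.
# UpdateSink is handled separately because "disabled" vs "modified" depends on the request body.
RULES = [
    ("logging.googleapis.com", "google.logging.v2.ConfigServiceV2.DeleteSink", "GCP Cloud Logging sink disabled or deleted"),
    ("logging.googleapis.com", "google.logging.v2.ConfigServiceV2.DeleteBucket", "GCP Cloud Logging bucket deleted"),
    ("iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey", "GCP service-account key created"),
    ("iam.googleapis.com", "google.iam.admin.v1.CreateRole", "GCP custom IAM role created"),
    ("compute.googleapis.com", "v1.compute.firewalls.patch", "GCP Compute Engine firewall rule modified"),
    ("storage.googleapis.com", "storage.setIamPermissions", "GCP Cloud Storage bucket permissions modified"),
]


def external_owner_members(proto_payload):
    """Members granted roles/owner in this SetIamPolicy call whose domain is not trusted."""
    delta = proto_payload.get("serviceData", {}).get("policyDelta", {})
    hits = []
    for bd in delta.get("bindingDeltas", []):
        if bd.get("action") != "ADD" or bd.get("role") != "roles/owner":
            continue
        member = bd.get("member", "")
        if member in ("allUsers", "allAuthenticatedUsers"):
            hits.append(member)  # public grants are external by definition
            continue
        domain = member.rpartition("@")[2].lower()  # "user:a@b" / "serviceAccount:x@y" -> domain
        if domain and domain not in TRUSTED_DOMAINS:
            hits.append(member)
    return hits


def evaluate(entry):
    """Return (use_case, actor, target) tuples for one LogEntry dict."""
    pp = entry.get("protoPayload", {})
    svc, method = pp.get("serviceName", ""), pp.get("methodName", "")
    actor = pp.get("authenticationInfo", {}).get("principalEmail", "unknown")
    target = pp.get("resourceName", "")
    alerts = []
    if svc == "cloudresourcemanager.googleapis.com" and method == "SetIamPolicy":
        for member in external_owner_members(pp):
            alerts.append(("GCP project external principal added as owner", actor, member))
    if svc == "logging.googleapis.com" and method == "google.logging.v2.ConfigServiceV2.UpdateSink":
        disabled = pp.get("request", {}).get("disabled") is True  # LogSink.disabled flag
        title = "GCP Cloud Logging sink disabled or deleted" if disabled else "GCP Cloud Logging sink modified"
        alerts.append((title, actor, target))
    for rule_svc, rule_method, title in RULES:
        if svc == rule_svc and method == rule_method:
            alerts.append((title, actor, target))
    return alerts


def scan(lines):
    """Evaluate newline-delimited JSON LogEntry records (as exported from a log sink)."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(evaluate(json.loads(line)))
    return alerts


def _entry(svc, method, who, resource, **extra):
    pp = {"serviceName": svc, "methodName": method, "resourceName": resource,
          "authenticationInfo": {"principalEmail": who}}
    pp.update(extra)
    return {"protoPayload": pp}


# Constructed sample log; project, principals and sink names are invented.
SAMPLE_LINES = [json.dumps(e) for e in [
    _entry("cloudresourcemanager.googleapis.com", "SetIamPolicy", "alice@example.com", "projects/demo-proj",
           serviceData={"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/owner", "member": "user:mallory@attacker.example"},
               {"action": "ADD", "role": "roles/owner", "member": "user:alice@example.com"},   # trusted
               {"action": "ADD", "role": "roles/viewer", "member": "user:bob@attacker.example"},  # not owner
           ]}}),
    _entry("logging.googleapis.com", "google.logging.v2.ConfigServiceV2.UpdateSink", "alice@example.com",
           "projects/demo-proj/sinks/siem-export", request={"name": "siem-export", "disabled": True}),
    _entry("iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey", "alice@example.com",
           "projects/-/serviceAccounts/deploy@demo-proj.iam.gserviceaccount.com"),
    _entry("compute.googleapis.com", "v1.compute.firewalls.patch", "alice@example.com",
           "projects/demo-proj/global/firewalls/default-allow-ssh"),
    _entry("compute.googleapis.com", "v1.compute.instances.list", "alice@example.com", "projects/demo-proj"),  # benign
]]

if __name__ == "__main__":
    for title, actor, target in scan(SAMPLE_LINES):
        print(f"{title}: {actor} -> {target}")
```

A disabled sink is caught here only because UpdateSink carries the sink body in protoPayload.request; when the request field is not logged, the rule degrades to the plain "sink modified" case, which is why the two are separate use cases above. Service accounts from the org's own projects will show up as external under this domain check unless their gserviceaccount.com domains are added to the allowlist.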

Recent articles citing GCP-targeted detections