Suspicious GCP API calls indicating service account creation
Description
AlphaSOC detected creation of a GCP service account via
google.iam.admin.v1.CreateServiceAccount. Adversaries create service accounts
to establish persistent access to GCP resources. Service accounts can be granted
IAM roles and used to generate long-lived credentials such as service account
keys, enabling access that persists even after the initial compromise is
remediated.
Impact
Unauthorized service accounts can be used to maintain persistent access to GCP environments. When assigned overly permissive IAM roles, they may enable unauthorized data access, resource manipulation, or escalation of privileges, increasing the risk of prolonged compromise and lateral movement within the environment.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property: action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review the Cloud Audit Logs (Admin Activity) for the CreateServiceAccount
action. Identify the service account email, the principal that created it
(principalEmail), the caller IP and user agent, and any IAM roles that were
bound to the new account. Check whether any keys were created for it by looking
for a subsequent CreateServiceAccountKey action against the same service account.
If unauthorized, delete the service account and every key minted for it (disable it first if you need to preserve it for forensics), then review IAM bindings to establish what permissions it held. Treat the creating principal as potentially compromised and investigate it for additional persistence mechanisms.
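The following is an added example, not AlphaSOC code: it scores CreateServiceAccount audit-log entries with the severity rule from the table above and pulls out the triage fields listed in the investigation section (creator, caller IP, user agent, and any CreateServiceAccountKey that followed for the same account). The log entries, the per-principal baseline and the IP-to-ASN/region table are constructed stand-ins; the field names follow the Cloud Audit Logs shape for IAM, and capping four unexpected properties at Medium is an assumption, since the table stops at three.

```python
"""Score CreateServiceAccount audit-log entries and extract triage fields.

Added example. The entries, baseline and IP enrichment table below are
constructed for the demonstration, not real AlphaSOC data or output.
"""
from collections import defaultdict

CREATE_SA = "google.iam.admin.v1.CreateServiceAccount"
CREATE_KEY = "google.iam.admin.v1.CreateServiceAccountKey"

# What each principal has been seen doing before (constructed baseline).
BASELINE = {
    "alice@example.com": {
        "actions": {CREATE_SA}, "asns": {15169},
        "user_agents": {"google-cloud-sdk"}, "regions": {"US"},
    },
    "deploy@example-prj.iam.gserviceaccount.com": {
        "actions": {"google.iam.admin.v1.GetServiceAccount"}, "asns": {15169},
        "user_agents": {"Terraform"}, "regions": {"US"},
    },
}
EMPTY_PROFILE = {"actions": set(), "asns": set(), "user_agents": set(), "regions": set()}

# Stand-in for IP-to-ASN/region enrichment (constructed). The audit log itself
# only carries callerIp; ASN and region come from a separate lookup.
IP_ENRICHMENT = {"203.0.113.10": (15169, "US"), "198.51.100.7": (64512, "RO")}

# Severity per the table; four unexpected properties still cap at Medium (assumption).
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}
PROFILE_KEY = {"action": "actions", "asn": "asns", "user_agent": "user_agents", "region": "regions"}


def _ua_family(user_agent):
    """'google-cloud-sdk gcloud/450.0.0 ...' -> 'google-cloud-sdk'."""
    return user_agent.split(" ")[0].split("/")[0]


def unexpected_properties(entry, baseline=BASELINE):
    """Return which of action/asn/user_agent/region deviate from the principal's baseline."""
    p = entry["protoPayload"]
    meta = p.get("requestMetadata", {})
    profile = baseline.get(p["authenticationInfo"]["principalEmail"], EMPTY_PROFILE)
    asn, region = IP_ENRICHMENT.get(meta.get("callerIp"), (None, None))
    observed = {
        "action": p["methodName"],
        "asn": asn,
        "user_agent": _ua_family(meta.get("callerSuppliedUserAgent", "")),
        "region": region,
    }
    return [name for name, value in observed.items() if value not in profile[PROFILE_KEY[name]]]


def severity(entry, baseline=BASELINE):
    """None when nothing is unexpected (no alert), otherwise the table severity."""
    n = len(unexpected_properties(entry, baseline))
    return SEVERITY[min(n, 3)] if n else None


def triage(entries, baseline=BASELINE):
    """One record per CreateServiceAccount entry with the investigation fields,
    plus any keys minted for that service account after it was created."""
    keys_by_sa = defaultdict(list)
    for e in entries:
        p = e["protoPayload"]
        if p["methodName"] == CREATE_KEY:
            # resourceName is the parent service account (constructed shape).
            keys_by_sa[p["resourceName"].rsplit("/", 1)[-1]].append(
                (e["timestamp"], p["response"]["name"]))
    records = []
    for e in entries:
        p = e["protoPayload"]
        if p["methodName"] != CREATE_SA:
            continue
        sa_email = p["response"]["email"]
        meta = p.get("requestMetadata", {})
        records.append({
            "service_account": sa_email,
            "created_by": p["authenticationInfo"]["principalEmail"],
            "caller_ip": meta.get("callerIp"),
            "user_agent": meta.get("callerSuppliedUserAgent"),
            "severity": severity(e, baseline),
            "unexpected": unexpected_properties(e, baseline),
            # Only keys created at or after this creation event belong to this SA.
            "keys_created": [k for ts, k in keys_by_sa.get(sa_email, []) if ts >= e["timestamp"]],
        })
    return records


def _entry(ts, method, principal, ip, ua, resource_name, response):
    return {"timestamp": ts, "protoPayload": {
        "serviceName": "iam.googleapis.com", "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua},
        "resourceName": resource_name, "response": response}}


PROJECT = "projects/example-prj"
BACKUP_SA = "backup-sa@example-prj.iam.gserviceaccount.com"
GCLOUD_UA = "google-cloud-sdk gcloud/450.0.0 command/gcloud.iam.service-accounts.create"
SAMPLE_LOG = [  # constructed sample entries
    _entry("2024-05-01T09:00:00Z", CREATE_SA, "alice@example.com", "203.0.113.10", GCLOUD_UA,
           PROJECT, {"email": "ci-runner@example-prj.iam.gserviceaccount.com"}),
    _entry("2024-05-01T22:13:05Z", CREATE_SA, "deploy@example-prj.iam.gserviceaccount.com",
           "198.51.100.7", "python-requests/2.31.0", PROJECT, {"email": BACKUP_SA}),
    _entry("2024-05-01T22:13:41Z", CREATE_KEY, "deploy@example-prj.iam.gserviceaccount.com",
           "198.51.100.7", "python-requests/2.31.0", f"{PROJECT}/serviceAccounts/{BACKUP_SA}",
           {"name": f"{PROJECT}/serviceAccounts/{BACKUP_SA}/keys/8d2f0c1a"}),
    _entry("2024-05-02T07:30:00Z", CREATE_SA, "alice@example.com", "198.51.100.7", GCLOUD_UA,
           PROJECT, {"email": "tmp-sa@example-prj.iam.gserviceaccount.com"}),
]

if __name__ == "__main__":
    for record in triage(SAMPLE_LOG):
        print(record)
```

Run as a script it prints three triage records: the first (alice, from her usual ASN and tooling) carries no severity and would not alert; the second (a deployment service account creating backup-sa from a new ASN and region with a scripted user agent, then minting a key for it 36 seconds later) scores Medium with the key listed under keys_created; the third (alice from an unfamiliar ASN and region, but her usual tooling) scores Low. The baseline lookup is keyed by principal rather than global, which is what lets the same action be routine for one identity and anomalous for another.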