Unexpected GCP API calls indicating service account disabling

ID: gcp_service_account_disabled_anomaly
Data type: Google Cloud Platform
Severity: Informational - Medium
MITRE ATT&CK: TA0040:T1531

Description

AlphaSOC detected the disabling of a GCP service account via google.iam.admin.v1.DisableServiceAccount. A disabled service account cannot authenticate to GCP services, so any application that relies on it stops working.

Adversaries may disable service accounts to cause a denial of service for applications, to disrupt security monitoring that relies on service accounts, or to prepare for account takeover attacks.

Impact

Disabling a service account immediately prevents applications from authenticating using that account. This can cause service outages for dependent workloads. Unlike deletion, the account remains and can be re-enabled, but the disruption is immediate.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review GCP audit logs for the DisableServiceAccount action. Identify which service account was disabled, what applications depend on it, and the principal responsible.

If the action was unauthorized, immediately re-enable the service account to restore functionality. Investigate the identity that performed it for additional disruptive activity. Review why this service account was targeted and assess whether sensitive operations depend on it.
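The following is an added example, not AlphaSOC's own detection code. It shows the two steps above in working form: it pulls the DisableServiceAccount events out of Cloud Audit Log entries (the service account, the principal, caller IP and user agent come from the documented protoPayload fields), enriches each caller IP with an ASN and region, and then applies the severity table by counting how many of the four scored properties (action, ASN, user agent, region) fall outside a baseline. The baseline, the IP-to-ASN/region table and the three log entries are constructed for illustration; a real pipeline would derive the baseline from historical activity and the enrichment from a GeoIP/ASN database.

```python
"""Triage Cloud Audit Log entries for service-account disabling (added example)."""
import json

DISABLE_METHOD = "google.iam.admin.v1.DisableServiceAccount"

# Constructed enrichment table: callerIp -> (ASN, region). Stands in for a
# GeoIP/ASN lookup; the values are made up for this example.
IP_ENRICHMENT = {
    "203.0.113.7": ("AS64496", "us-east1"),
    "198.51.100.4": ("AS64500", "europe-west1"),
}

# Constructed baseline of properties previously observed for this project.
BASELINE = {
    "action": {"google.iam.admin.v1.GetServiceAccount"},
    "asn": {"AS64500"},
    "user_agent": {"google-cloud-sdk gcloud/450.0.0"},
    "region": {"europe-west1"},
}

# One unexpected property -> Informational, two -> Low, three -> Medium.
# The rule's table stops at three, so four unexpected properties stay Medium.
SEVERITY_LADDER = {1: "Informational", 2: "Low", 3: "Medium"}


def parse_audit_entry(line):
    """Return the rule-relevant fields of one audit entry, or None if it is not a disable call."""
    entry = json.loads(line)
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != DISABLE_METHOD:
        return None
    meta = payload.get("requestMetadata", {})
    return {
        "timestamp": entry.get("timestamp"),
        "action": payload["methodName"],
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "service_account": payload.get("resourceName"),
        "caller_ip": meta.get("callerIp"),
        "user_agent": meta.get("callerSuppliedUserAgent"),
    }


def enrich(event, ip_table):
    """Attach ASN and region derived from the caller IP (None when unknown)."""
    asn, region = ip_table.get(event["caller_ip"], (None, None))
    return {**event, "asn": asn, "region": region}


def unexpected_properties(event, baseline):
    """Names of the scored properties whose value is outside the baseline."""
    return [name for name in ("action", "asn", "user_agent", "region")
            if event.get(name) not in baseline[name]]


def severity_for(unexpected):
    """Map the number of unexpected properties onto the rule's severity ladder."""
    if not unexpected:
        return None
    return SEVERITY_LADDER[min(len(unexpected), 3)]


def triage(lines, baseline=BASELINE, ip_table=IP_ENRICHMENT):
    """Run the full pipeline over raw JSON audit lines and return scored findings."""
    findings = []
    for line in lines:
        event = parse_audit_entry(line)
        if event is None:
            continue
        event = enrich(event, ip_table)
        unexpected = unexpected_properties(event, baseline)
        findings.append({**event, "unexpected": unexpected,
                         "severity": severity_for(unexpected)})
    return findings


def _entry(method, principal, resource, ip, ua, ts):
    """Build a constructed audit entry in the Cloud Audit Logs shape."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
            "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua},
        },
    })


# Constructed sample log: a benign read, a disable from a known location
# (only the action is unexpected), and a disable from an unknown location
# with an unfamiliar client (all four properties unexpected).
SA = "projects/-/serviceAccounts/ci-runner@example-project.iam.gserviceaccount.com"
SAMPLE_LOG_LINES = [
    _entry("google.iam.admin.v1.GetServiceAccount", "deploy-bot@example-project.iam.gserviceaccount.com",
           SA, "198.51.100.4", "google-cloud-sdk gcloud/450.0.0", "2024-01-01T10:00:00Z"),
    _entry(DISABLE_METHOD, "deploy-bot@example-project.iam.gserviceaccount.com",
           SA, "198.51.100.4", "google-cloud-sdk gcloud/450.0.0", "2024-01-01T10:05:00Z"),
    _entry(DISABLE_METHOD, "alice@example.com",
           SA, "203.0.113.7", "Mozilla/5.0", "2024-01-01T10:07:00Z"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG_LINES):
        print(finding["severity"], finding["principal"], finding["service_account"],
              "unexpected:", ",".join(finding["unexpected"]))
```

To feed real entries into triage, export them with the real command gcloud logging read 'protoPayload.methodName="google.iam.admin.v1.DisableServiceAccount"' --format=json (one entry per line after splitting), and once a disable is confirmed unauthorized, gcloud iam service-accounts enable SA_EMAIL (SA_EMAIL is a placeholder) restores the account as described above.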