Detectionmediumtest

Google Workspace User Granted Admin Privileges

Detects when an Google Workspace user is granted admin privileges.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Austin SongerCreated Mon Aug 23Updated Wed Oct 112d1b83e4-17c6-4896-a37b-29140b40a788cloud

Log Source

Google Cloudgoogle_workspace.admin

ProductGoogle Cloud← raw: gcp

Servicegoogle_workspace.admin← raw: google_workspace.admin

Detection Logic

detection:
    selection:
        eventService: admin.googleapis.com
        eventName:
            - GRANT_DELEGATED_ADMIN_PRIVILEGES
            - GRANT_ADMIN_PRIVILEGE
    condition: selection

False Positives

Google Workspace admin role privileges, may be modified by system administrators.

References

Resolving title…

cloud.google.com

Resolving title…

developers.google.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence

Techniques

T1098 · Account Manipulation

Rule Metadata

Rule ID

2d1b83e4-17c6-4896-a37b-29140b40a788

Status

test

Level

medium

Type

Detection

Created

Mon Aug 23

Modified

Wed Oct 11

Author

Austin Songer

Path

rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1098

View on GitHub