Google Workspace user assigned super administrative role

gsuite

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Set up the gsuite integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a user is added to the Super administrator role on Google Workspace.

Strategy

Monitor Google Workspace logs to detect ASSIGN_ROLE events where @usr.role is _SEED_ADMIN_ROLE (Super administrator).

Triage and response

  1. Verify with the Google admin ({{@usr.email}}) if the Google Workspace user ({{@event.parameters.USER_EMAIL}}) should legitimately be given the super admin role.
  2. If the user ({{@event.parameters.USER_EMAIL}}) was not legitimately added, investigate activity from the IP address ({{@network.client.ip}}) that made the role addition.
  3. Review activity around the Google Workspace admin who made the change ({{@usr.email}}) and the newly added super admin ({{@event.parameters.USER_EMAIL}}).
PREVIEWING: brett.blue/embedded-collector-release