EnableServiceAccount
GCP
EnableServiceAccount
Event
Re-enables a previously disabled GCP service account, restoring its ability to authenticate and make API calls.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Hermione previously disabled the phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com SA after Neville flagged it in a quarterly audit (“unused for 90 days”). Draco — who has iam.serviceAccounts.enable via the custom role he created earlier — silently re-enables it. The SA’s IAM bindings, keys, and group memberships are all restored instantly, recovering an attack path that defenders had assumed was closed. This is a low-noise persistence move because no new key or binding is created.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.iam.service-accounts.enable invocation-id/90000000000000000000001111110000 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T15:41:33.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.EnableServiceAccount", "authorizationInfo": [ { "resource": "projects/-/serviceAccounts/100000000000000000010", "permission": "iam.serviceAccounts.enable", "granted": true, "resourceAttributes": { "service": "iam.googleapis.com", "name": "projects/-/serviceAccounts/100000000000000000010", "type": "iam.googleapis.com/ServiceAccount" } } ], "resourceName": "projects/-/serviceAccounts/100000000000000000010", "request": { "@type": "type.googleapis.com/google.iam.admin.v1.EnableServiceAccountRequest", "name": "projects/fantasticlogs-prod/serviceAccounts/phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com" }, "response": { "@type": "type.googleapis.com/google.protobuf.Empty" } }, "insertId": "evt001111110000", "resource": { "type": "service_account", "labels": { "email_id": "phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com", "project_id": "fantasticlogs-prod", "unique_id": "100000000000000000010" } }, "timestamp": "2026-04-15T15:41:33.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T15:41:33.567890123Z"}MITRE ATT&CK Mapping
Tactics: Persistence Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...