google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy
Event
Replaces the complete IAM policy for a GCP resource, controlling access for all principals.
Security Context
- Adversaries attach overly permissive policies to maintain persistent, elevated access even after initial credentials are rotated.
- Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
Log Source
Cloud Audit Logs
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine.