iam.serviceAccounts.signJwt
Event
Signs a JWT on behalf of a service account via the IAM Credentials API, used for authentication or token exchange.
Security Context
- Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
- Stealing application access tokens allows adversaries to impersonate applications and access resources on behalf of legitimate service principals.
Log Source
Cloud Audit Logs
Sample Event
MITRE ATT&CK Mapping
Tactics: Credential Access, Privilege Escalation
Techniques:
- T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-b...
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...
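An added example (not part of the original page): one way to triage this event from exported Cloud Audit Logs entries, flagging denied attempts and signers that are not on an allow-list for the target service account. The log entries, account names and the EXPECTED_SIGNERS allow-list are constructed assumptions; field names follow the Cloud Audit Logs AuditLog structure.

```python
PERMISSION = "iam.serviceAccounts.signJwt"  # event name from this page

# Constructed account names (assumptions, not from the page).
BACKEND = "app-backend@example-project.iam.gserviceaccount.com"
CI = "ci-deployer@example-project.iam.gserviceaccount.com"
# Hypothetical allow-list: target service account -> principals expected to sign for it.
EXPECTED_SIGNERS = {BACKEND: {CI}}

def make_entry(principal, target, granted=True, permission=PERMISSION):
    """Build a constructed log entry using AuditLog field names."""
    resource = f"projects/-/serviceAccounts/{target}"
    return {"protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "authorizationInfo": [{"permission": permission, "granted": granted,
                               "resource": resource}],
        "resourceName": resource,
        "requestMetadata": {"callerIp": "192.0.2.10"},  # documentation-range IP
    }}

def review(entry, expected=EXPECTED_SIGNERS):
    """Return a finding for a suspicious signJwt entry, or None."""
    p = entry.get("protoPayload", {})
    checks = [a for a in p.get("authorizationInfo", [])
              if a.get("permission") == PERMISSION]
    if not checks:
        return None  # not a signJwt event
    principal = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    target = p.get("resourceName", "").rsplit("/", 1)[-1]
    if not all(a.get("granted") for a in checks):  # missing "granted" counts as denied
        reason = "denied signJwt attempt"
    elif principal not in expected.get(target, set()):
        reason = "signer not on allow-list for target"
    else:
        return None
    return {"principal": principal, "target": target, "reason": reason,
            "callerIp": p.get("requestMetadata", {}).get("callerIp")}

def detect(entries):
    """Run review() over all entries and keep only the findings."""
    return [f for f in map(review, entries) if f]

SAMPLE = [  # constructed entries
    make_entry(CI, BACKEND),                                   # expected signer
    make_entry("dev-user@example.com", BACKEND),               # unexpected signer
    make_entry(CI, "admin-sa@example-project.iam.gserviceaccount.com"),  # unlisted target
    make_entry("dev-user@example.com", BACKEND, granted=False),  # denied attempt
    make_entry(CI, BACKEND, permission="iam.serviceAccounts.getAccessToken"),  # other event
]
```

A target service account with no allow-list entry is reported for every signer, so new accounts surface until someone records who is expected to sign for them.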