elastic · Aryu-RU · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 4, 2026
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -184,6 +184,10 @@
     "google_workspace.token.scope.data.scope_name": "keyword",
     "google_workspace.device.account_state": "keyword"
   },
+  "logs-gcp.audit-*": {
+    "gcp.audit.request.policy.bindings.role": "keyword",
+    "gcp.audit.response.bindings.role": "keyword"
+  },
   "logs-ti_*": {
     "labels.is_ioc_transform_source": "keyword"
   },

diff --git a/rules/integrations/gcp/persistence_gcp_service_account_impersonation_role_grant.toml b/rules/integrations/gcp/persistence_gcp_service_account_impersonation_role_grant.toml
@@ -0,0 +1,155 @@
+[metadata]
+creation_date = "2026/05/30"
+integration = ["gcp"]
+maturity = "production"
+updated_date = "2026/05/30"
+
+[rule]
+author = ["Elastic", "Aryu Zaw"]
+description = """
+Identifies when a service account impersonation role is granted on a Google Cloud Platform (GCP) service account via a
+SetIamPolicy operation. Roles such as "roles/iam.serviceAccountTokenCreator", "roles/iam.serviceAccountUser", and
+"roles/iam.serviceAccountOpenIdTokenCreator" allow a principal to mint access or identity tokens for the target service
+account, or to act as it when deploying resources. Adversaries who have obtained sufficient privileges may grant
+themselves or an attacker-controlled principal one of these roles to impersonate a higher-privileged service account,
+escalating privileges and establishing durable, key-less persistence that survives credential rotation. This is a New
+Terms rule that alerts when the granting principal has not been observed performing this action in the last weeks.
+"""
+false_positives = [
+    """
+    Infrastructure-as-code tooling (e.g. Terraform), CI/CD pipelines, and platform automation routinely grant
+    serviceAccountUser or serviceAccountTokenCreator when wiring up workloads, deployments, or impersonation chains.
+    Identify the expected automation principals and target service accounts and add exceptions for them.
+    """,
+    """
+    Administrators may grant impersonation roles when onboarding new applications or delegating access. Verify that the
+    grant aligns with a known change and that both the granting principal and the added member are expected.
+    """,
+]
+from = "now-9m"
+index = ["logs-gcp.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "GCP IAM Service Account Impersonation Role Granted"
+note = """## Triage and analysis
+
+### Investigating GCP IAM Service Account Impersonation Role Granted
+
+Granting an impersonation role on a service account lets the bound member obtain that service account's credentials
+without creating a long-lived key. `roles/iam.serviceAccountTokenCreator` and `roles/iam.serviceAccountOpenIdTokenCreator`
+allow minting OAuth2 access tokens and OpenID Connect identity tokens, while `roles/iam.serviceAccountUser` allows the
+member to attach (actAs) the service account to new resources. Adversaries abuse these grants to pivot to a
+higher-privileged identity, escalate privileges, and persist in a way that is unaffected by key rotation or password
+resets.
+
+### Possible investigation steps
+
+- Identify the granting principal via `user.email` and `user.id` and confirm whether that identity is expected to modify
+IAM policy on service accounts.
+- Review the target service account in `gcp.audit.resource_name` and determine the permissions it holds. Impersonating a
+service account with broad project or organization roles represents a significant escalation.
+- Inspect the granted binding in `gcp.audit.request` / `gcp.audit.response` to identify the member that was added
+(`user:`, `serviceAccount:`, `group:`, or an external domain). External or newly created members are higher risk.
+- Examine `gcp.audit.request_metadata.caller_ip` and `gcp.audit.request_metadata.caller_supplied_user_agent` to assess
+whether the change originated from an expected location or tool.
+- Correlate with recent activity by the granting principal, such as service account key creation, custom role creation,
+or `GenerateAccessToken` / `GenerateIdToken` calls that use the newly granted impersonation rights.
+
+### False positive analysis
+
+- Terraform, Deployment Manager, and CI/CD service accounts commonly grant serviceAccountUser and
+serviceAccountTokenCreator as part of normal provisioning. Baseline these principals and exclude them with exceptions.
+- One-time grants during application onboarding or delegation may be legitimate. Validate against change management
+before escalating.
+
+### Response and remediation
+
+- If the grant is unauthorized, remove the impersonation binding from the service account's IAM policy.
+- Revoke any access or identity tokens issued for the impacted service account and review its recent activity for abuse.
+- Investigate the granting principal for compromise, rotate its credentials if necessary, and review what other IAM
+changes it has made.
+- Restrict who can set IAM policy on service accounts and require justification or approval for impersonation grants."""
+references = [
+    "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/backdooring-service-account/",
+    "https://stratus-red-team.cloud/attack-techniques/GCP/gcp.persistence.backdoor-service-account-policy/",
+    "https://cloud.google.com/iam/docs/service-account-impersonation",
+    "https://cloud.google.com/iam/docs/audit-logging/examples-service-accounts",
+]
+risk_score = 47
+rule_id = "197d2757-eea1-46f9-9ebd-84646d2b45fa"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: GCP",
+    "Data Source: GCP Audit Logs",
+    "Data Source: Google Cloud Platform",
+    "Use Case: Identity and Access Audit",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+data_stream.dataset: "gcp.audit"
+    and event.action: google.iam.admin.v*.SetIAMPolicy
+    and event.outcome: "success"
+    and (
+        gcp.audit.request.policy.bindings.role: (
+            "roles/iam.serviceAccountTokenCreator" or
+            "roles/iam.serviceAccountUser" or
+            "roles/iam.serviceAccountOpenIdTokenCreator"
+        )
+        or gcp.audit.response.bindings.role: (
+            "roles/iam.serviceAccountTokenCreator" or
+            "roles/iam.serviceAccountUser" or
+            "roles/iam.serviceAccountOpenIdTokenCreator"
+        )
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.id"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"