Privilege Escalation: Sensitive Role Granted To Hybrid Group
Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
To respond to this finding, do the following:
Step 1: Review finding details
Open a Privilege Escalation: Sensitive Role Granted To Hybrid Group
finding, as directed in Reviewing findings. The details panel for the
finding opens to the Summary tab.
On the Summary tab, review the information in the following sections:
What was detected, especially the following fields:
Principal email: the account that made the changes, which
might be compromised.
Affected resource, especially the following fields:
Resource full name: the resource where the new role was granted.
Related links, especially the following fields:
Cloud Logging URI: link to Logging entries.
MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
Related findings: links to any related findings.
Click the JSON tab.
In the JSON, note the following fields.
groupName: the Google Group where the changes were made
bindingDeltas: the sensitive roles that are newly granted to this group.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Privilege Escalation: Sensitive Role Granted To Hybrid Group\n\n| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n--------\n\n[Sensitive roles or permissions](/security-command-center/docs/concepts-event-threat-detection-overview#sensitive_roles) were granted to a\nGoogle Group with external members.\n\nHow to respond\n--------------\n\n\nThe following response plan might be appropriate for this finding, but might also impact operations.\nCarefully evaluate the information you gather in your investigation to determine the best way to\nresolve findings.\n\nTo respond to this finding, do the following:\n\n### Step 1: Review finding details\n\n1. Open a `Privilege Escalation: Sensitive Role Granted To Hybrid Group`\n finding, as directed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings). The details panel for the\n finding opens to the **Summary** tab.\n\n2. On the **Summary** tab, review the information in the following sections:\n\n - **What was detected** , especially the following fields:\n - **Principal email**: the account that made the changes, which might be compromised.\n - **Affected resource** , especially the following fields:\n - **Resource full name**: the resource where the new role was granted.\n - **Related links** , especially the following fields:\n - **Cloud Logging URI**: link to Logging entries.\n - **MITRE ATT\\&CK method**: link to the MITRE ATT\\&CK documentation.\n - **Related findings**: links to any related findings.\n\n 1. Click the **JSON** tab.\n 2. In the JSON, note the following fields.\n\n - `groupName`: the Google Group where the changes were made\n - `bindingDeltas`: the sensitive roles that are newly granted to this group.\n\n### Step 2: Review group permissions\n\n1. Go to the **IAM** page in the Google Cloud console.\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam)\n2. In the **Filter** field, enter the account name listed in `groupName`.\n\n3. Review the sensitive roles granted to the group.\n\n4. If the newly added sensitive role isn't needed, [revoke the role](/iam/docs/granting-changing-revoking-access#revoke-single-role).\n\n You need specific permissions to manage roles in your organization or project. For\n more information, see [Required permissions](/iam/docs/granting-changing-revoking-access#required-permissions).\n\n### Step 3: Check logs\n\n1. On the **Summary tab** of the finding details panel, click the **Cloud Logging URI** link to open the **Logs Explorer**.\n2. If necessary, select your project.\n\n3. On the page that loads, check logs for Google Group settings changes\n using the following filters:\n\n - `protoPayload.methodName=\"SetIamPolicy\"`\n - `protoPayload.authenticationInfo.principalEmail=\"`\u003cvar class=\"edit\" translate=\"no\"\u003eprincipalEmail\u003c/var\u003e`\"`\n\n### Step 4: Research attack and response methods\n\n1. Review the MITRE ATT\\&CK framework entry for this finding type: [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n2. To determine if additional remediation steps are necessary, combine your investigation results with MITRE research.\n\nWhat's next\n-----------\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
