From 33c853068ad2db84fd8c0ade5d7d29a50a067ceb Mon Sep 17 00:00:00 2001
From: developutm
Date: Tue, 9 Jun 2026 14:56:24 +0000
Subject: [PATCH 1/2] feature(rules/google): add rule IAM Policy Changed - Privilege Escalation
---
 rules/cloud/google/gcp_iam_policy_changed.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/cloud/google/gcp_iam_policy_changed.yml
diff --git a/rules/cloud/google/gcp_iam_policy_changed.yml b/rules/cloud/google/gcp_iam_policy_changed.yml
new file mode 100644
index 000000000..ffcfa649d
--- /dev/null
+++ b/rules/cloud/google/gcp_iam_policy_changed.yml
@@ -0,0 +1,30 @@
+# Rule version v1.0.0
+
+dataTypes:
+ - google
+name: GCP IAM Policy Changed — Privilege Escalation
+impact:
+ confidentiality: 4
+ integrity: 4
+ availability: 3
+category: Privilege Escalation
+technique: "T1098 - Account Manipulation"
+adversary: origin
+references:
+ - https://cloud.google.com/iam/docs/audit-logging#admin-activity
+ - https://cloud.google.com/logging/docs/audit/cal-categories#iam
+ - https://attack.mitre.org/techniques/T1098/
+description: |
+ Detects changes to IAM policies at the project or resource level in GCP. This includes granting high-privilege roles (Owner, Editor, IAM Admin) to users or service accounts. Attackers commonly use IAM policy modifications to escalate privileges and establish persistence.
+
+ Next Steps:
+ 1. Verify if the IAM change was authorized and matches a change request
+ 2. Check which roles were granted — especially Owner, Editor, or IAM Admin
+ 3. Identify the target user or service account receiving new privileges
+ 4. If unauthorized, revoke the binding immediately and rotate credentials
+ 5. Review the actor's session for other privilege escalation attempts
+ 6. Check if the service account's workload identity was compromised
+where: |
+ oneof("log.protoPayloadServiceName", ["cloudresourcemanager.googleapis.com", "pubsub.googleapis.com"]) &&
+ oneof("log.protoPayloadMethodName", ["SetIamPolicy", "google.iam.v1.IAMPolicy.SetIamPolicy"]) &&
+ exists("log.protoPayload.request.policy.auditConfigs") && contains("log.logName", "activity") && exists("origin.user")
From e1672e8206b3abe386d60c82a943c6f6251a957f Mon Sep 17 00:00:00 2001
From: developutm
Date: Tue, 9 Jun 2026 18:41:53 +0000
Subject: [PATCH 2/2] fix(rule/google): changing 'exists(log.protoPayload.request.policy.auditConfigs)' to 'exists(log.protoPayload.request.policy.bindings) to improve detection logic
---
 rules/cloud/google/gcp_iam_policy_changed.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
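Review bot: The `where` block at the end of the hunk mixes two field conventions — the flattened keys `log.protoPayloadServiceName` / `log.protoPayloadMethodName` next to the nested path `log.protoPayload.request.policy.auditConfigs` — and if the pipeline flattens `protoPayload` the way the first two keys suggest, the nested `exists()` may never resolve and the rule would silently never fire; this is worth confirming against an indexed SetIamPolicy event, and the same question applies to the path the second patch substitutes. Separately, the description promises detection of "high-privilege roles (Owner, Editor, IAM Admin)" while nothing in the condition inspects a role, and the service allow-list covers only `cloudresourcemanager.googleapis.com` and `pubsub.googleapis.com`, so the rule's real scope is narrower on services and broader on roles than documented. Either add a role condition (raised on the second hunk) or align the text, e.g. replace the second description sentence with `Fires on any SetIamPolicy write for Resource Manager (project/folder/org level) and Pub/Sub; which roles were granted is left to triage (see Next Steps).` and state why Pub/Sub is the only resource-level service included.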
diff --git a/rules/cloud/google/gcp_iam_policy_changed.yml b/rules/cloud/google/gcp_iam_policy_changed.yml
index ffcfa649d..611d275c5 100644
--- a/rules/cloud/google/gcp_iam_policy_changed.yml
+++ b/rules/cloud/google/gcp_iam_policy_changed.yml
@@ -27,4 +27,4 @@ description: |
 where: |
 oneof("log.protoPayloadServiceName", ["cloudresourcemanager.googleapis.com", "pubsub.googleapis.com"]) &&
 oneof("log.protoPayloadMethodName", ["SetIamPolicy", "google.iam.v1.IAMPolicy.SetIamPolicy"]) &&
- exists("log.protoPayload.request.policy.auditConfigs") && contains("log.logName", "activity") && exists("origin.user")
+ exists("log.protoPayload.request.policy.bindings") && contains("log.logName", "activity") && exists("origin.user")
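Review bot: The added line's `exists("log.protoPayload.request.policy.bindings")` is satisfied by practically every SetIamPolicy request (a policy with no bindings is the rare case), so the rule now fires on every IAM policy write to the two listed services — role removals and routine grants included — while the name, `category: Privilege Escalation` and the 4/4/3 impact scores describe only high-privilege grants. If alerting on every write is the intent, this is a reasonable change-monitoring rule but should be renamed and its impact lowered; if escalation is the intent, the condition needs a role test, for example (field path constructed — confirm how the pipeline indexes array elements) `oneof("log.protoPayload.request.policy.bindings.role", ["roles/owner", "roles/editor", "roles/iam.securityAdmin"])`, or, where the service records it, a test on `protoPayload.serviceData.policyDelta.bindingDeltas` with `action` equal to `ADD`, which also separates grants from removals. `exists("origin.user")` only requires that some actor is present, so service-account actors such as IaC or CI pipelines will presumably match as well; an allow-list for known automation may be needed once the rule is tuned.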