A Command Line Interface (CLI) command was executed from a GCP serverless compute service

Cortex XDR Analytics Alert Reference by data source

Product

Cortex XDR

Last date published

2025-05-13

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires: Gcp Audit Log
Detection Modules	Cloud
Detector Tags	Cloud Serverless Function Credentials Theft Analytics
ATT&CK Tactic	Initial Access (TA0001) Credential Access (TA0006)
ATT&CK Technique	Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
Severity	Low

Description

A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.

Attacker's Goals

Exfiltrate serverless token and abuse it.

Investigative actions

Verify whether the serverless-attached identity's credentials were intentionally used in CLI.
Check what CLI commands were executed using the serverless attached token.
Check if the suspected serverless function is compromised.

Variations

Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.

Attacker's Goals

Exfiltrate serverless token and abuse it.

Investigative actions

Verify whether the serverless-attached identity's credentials were intentionally used in CLI.
Check what CLI commands were executed using the serverless attached token.
Check if the suspected serverless function is compromised.

Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.

Attacker's Goals

Exfiltrate serverless token and abuse it.

Investigative actions

Verify whether the serverless-attached identity's credentials were intentionally used in CLI.
Check what CLI commands were executed using the serverless attached token.
Check if the suspected serverless function is compromised.

A Command Line Interface (CLI) command was executed from a GCP Cloud Build service

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.

Attacker's Goals

Exfiltrate serverless token and abuse it.

Investigative actions

Verify whether the serverless-attached identity's credentials were intentionally used in CLI.
Check what CLI commands were executed using the serverless attached token.
Check if the suspected serverless function is compromised.

Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.

Attacker's Goals

Exfiltrate serverless token and abuse it.

Investigative actions

Verify whether the serverless-attached identity's credentials were intentionally used in CLI.
Check what CLI commands were executed using the serverless attached token.
Check if the suspected serverless function is compromised.