
Get Caller Identity

Platform: gcp
Author: Richard Slaney
Last Update: 2023-07-01

An adversary may attempt to verify their current identity using the credentials they hold. This serves both to confirm that the credentials are valid and to gather more information about the current identity for reconnaissance purposes.

MITRE IDs

Required Permissions

  • sts:GetCallerIdentity

Required Parameters

None

Attacker Action

gcloud auth list

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:GetCallerIdentity AND eventSource:*.sts.amazonaws.com  
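As an added example (not part of the original page or the catalogue's own tooling), the same two conditions can be applied offline to constructed CloudTrail-style records, grouping matches per caller ARN so that an identity checked from several source addresses stands out. The suffix match on eventSource, the grouping fields and the function names are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records (not real log data), one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2023-07-01T10:00:05Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"}}
{"eventTime":"2023-07-01T10:00:09Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"}}
{"eventTime":"2023-07-01T10:02:41Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"}}
{"eventTime":"2023-07-01T10:05:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"192.0.2.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2023-07-01T10:06:00Z","eventSource":"iam.amazonaws.com","eventName":"GetUser","sourceIPAddress":"192.0.2.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2023-07-01T10:07:
"""

def matches(event):
    """Both conditions of the query; the eventSource test is a suffix match (assumption)."""
    source = event.get("eventSource", "")
    is_sts = source == "sts.amazonaws.com" or source.endswith(".sts.amazonaws.com")
    return event.get("eventName") == "GetCallerIdentity" and is_sts

def summarize(log_text):
    """Group matching events by caller ARN: count, earliest timestamp, source IPs."""
    callers = defaultdict(lambda: {"count": 0, "first_seen": None, "ips": set()})
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(event, dict) or not matches(event):
            continue
        arn = (event.get("userIdentity") or {}).get("arn", "unknown")
        entry = callers[arn]
        entry["count"] += 1
        ts = event.get("eventTime")
        # ISO 8601 UTC timestamps in one format sort correctly as strings
        if ts and (entry["first_seen"] is None or ts < entry["first_seen"]):
            entry["first_seen"] = ts
        entry["ips"].add(event.get("sourceIPAddress", "unknown"))
    return dict(callers)

def multi_ip_callers(summary):
    """Caller ARNs whose identity checks came from more than one source address."""
    return sorted(arn for arn, e in summary.items() if len(e["ips"]) > 1)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for arn, entry in sorted(result.items()):
        print(arn, entry["count"], entry["first_seen"], sorted(entry["ips"]))
    print("multiple source IPs:", multi_ip_callers(result))
```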

Sigma Definition