GAIA GCPW Credential Theft Attack Chain

Severity: high
Time window: 6h
Tags: GAIA, Google Workspace, Windows, Credential Theft, Credential Dumping, GCPW
Reference: https://businessinsights.bitdefender.com/the-chain-reaction-new-methods-for-extending-local-breaches-in-google-workspace
Source: github.com/panther-labs/panther-analysis

Detects the GAIA (Google Account Information and Authentication) credential theft attack chain: credential dumping tool execution on Windows followed by anomalous Google Workspace authentication. This pattern indicates an attacker has extracted OAuth refresh tokens from a Windows machine and is using them to authenticate to Google Workspace.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078.004` Valid Accounts: Cloud Accounts
Credential Access	`T1003.001` OS Credential Dumping: LSASS Memory
Lateral Movement	`T1550` Use Alternate Authentication Material

Rule body yaml

AnalysisType: correlation_rule
RuleID: "GAIA.Credential.Theft.Attack.Chain"
DisplayName: "GAIA GCPW Credential Theft Attack Chain"
Enabled: false
Severity: High
Description: |
  Detects the GAIA (Google Account Information and Authentication) credential theft
  attack chain: credential dumping tool execution on Windows followed by anomalous Google
  Workspace authentication. This pattern indicates an attacker has extracted OAuth refresh
  tokens from a Windows machine and is using them to authenticate to Google Workspace.
Reports:
  MITRE ATT&CK:
    - TA0006:T1003 # Credential Access: OS Credential Dumping
    - TA0006:T1003.001 # Credential Access: LSASS Memory
    - TA0001:T1078.004 # Initial Access: Valid Accounts: Cloud Accounts
    - TA0006:T1550 # Credential Access: Use Alternate Authentication Material
Tags:
  - GAIA
  - Google Workspace
  - Windows
  - Credential Theft
  - Credential Dumping
  - GCPW
Reference: https://businessinsights.bitdefender.com/the-chain-reaction-new-methods-for-extending-local-breaches-in-google-workspace
Runbook: |
  1. Query Windows.EventLogs for all process creation events (EventID 4688 or 1) on the Computer hostname from the Windows alert in the 24 hours before and after the credential dump timestamp to identify the parent process, command line arguments, and any follow-on suspicious activity
  2. Query GSuite.ActivityEvent for all login and OAuth token events by the user_email from the Google alert in the 48 hours after the Windows credential dump timestamp to establish the full timeline of authentication activity and identify the anomalous_login_type and source ip_address fields
  3. Verify that p_alert_context.username_normalized from the Windows Credential Dumping Tool alert matches p_alert_context.username_normalized from the Google Workspace Login Type Anomaly alert, and calculate the time gap between p_alert_creation_time values to assess if the attack timeline is consistent with GAIA credential theft exploitation (typically within 6 hours)
Detection:
  - Sequence:
      - ID: Windows Credential Dump
        RuleID: Windows.Credential.Dumping.Tool
      - ID: Google Login Anomaly
        RuleID: Google.Workspace.Login.Type.Anomaly
    Transitions:
      - ID: Credential Dump followed by Login Anomaly
        From: Windows Credential Dump
        To: Google Login Anomaly
        WithinTimeFrameMinutes: 360
        Match:
          - From: p_alert_context.username_normalized
            To: p_alert_context.username_normalized
    Schedule:
      RateMinutes: 1440
      TimeoutMinutes: 10
    LookbackWindowMinutes: 2160
Tests:
  - Name: Credential dump followed by login anomaly for same user
    ExpectedResult: true
    RuleOutputs:
      - ID: Windows Credential Dump
        Matches:
          p_alert_context.username_normalized:
            janedoe:
              - "2024-01-15T10:00:00Z"
      - ID: Google Login Anomaly
        Matches:
          p_alert_context.username_normalized:
            janedoe:
              - "2024-01-15T10:30:00Z"
  - Name: Credential dump and login anomaly for different users
    ExpectedResult: false
    RuleOutputs:
      - ID: Windows Credential Dump
        Matches:
          p_alert_context.username_normalized:
            janedoe:
              - "2024-01-15T10:00:00Z"
      - ID: Google Login Anomaly
        Matches:
          p_alert_context.username_normalized:
            johnsmith:
              - "2024-01-15T14:30:00Z"
  - Name: Login anomaly without preceding credential dump
    ExpectedResult: false
    RuleOutputs:
      - ID: Google Login Anomaly
        Matches:
          p_alert_context.username_normalized:
            janedoe:
              - "2024-01-15T14:30:00Z"

Detection logic

Stage 1: `step Windows Credential Dump` ordered before `$Google Login Anomaly`

References detection Windows.Credential.Dumping.Tool.

Stage 2: `step Google Login Anomaly` ordered after `$Windows Credential Dump`

References detection Google.Workspace.Login.Type.Anomaly.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

GAIA GCPW Credential Theft Attack Chain

MITRE ATT&CK coverage

Rule body yaml

Detection logic

Stage 1: `step Windows Credential Dump` ordered before `$Google Login Anomaly`

Stage 2: `step Google Login Anomaly` ordered after `$Windows Credential Dump`

Keyboard shortcuts

Search operators

GAIA GCPW Credential Theft Attack Chain

MITRE ATT&CK coverage

Rule body yaml

Detection logic

Stage 1: step Windows Credential Dump ordered before $Google Login Anomaly

Stage 2: step Google Login Anomaly ordered after $Windows Credential Dump

Stage 1: `step Windows Credential Dump` ordered before `$Google Login Anomaly`

Stage 2: `step Google Login Anomaly` ordered after `$Windows Credential Dump`