GCP

Google Cloud Platform (GCP) is a widely used cloud computing platform provided by Google. GCP offers a range of security capabilities to protect cloud data, applications, and infrastructure from threats. These mappings connect GCP security capabilities to adversary behaviors in MITRE ATT&CK®, providing GCP users with a comprehensive view of how native GCP security capabilities can be used to prevent, detect, and respond to prevalent cloud threats. As a result, GCP users can evaluate the effectiveness of native security controls against specific ATT&CK techniques and take a threat-informed approach to understand, prioritize, and mitigate adversary behaviors that are most important for their environment.

GCP Versions: 06.28.2022, 03.06.2025
ATT&CK Versions: 16.1, 10.0
ATT&CK Domain: Enterprise

Security Stack Mapping Methodology

All Mappings
| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| artifact_analysis | Artifact Analysis | protect | partial | T1068 | Exploitation for Privilege Escalation | Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known Linux OS package vulnerabilities in various containers (e.g., Debian, Ubuntu, Alpine, RHEL, CentOS). |
| artifact_analysis | Artifact Analysis | protect | partial | T1068 | Exploitation for Privilege Escalation | Artifact Analysis scans container images uploaded to Artifact Registry or Container Registry (deprecated) for known software vulnerabilities and various system artifacts that could potentially be used to execute adversary-controlled code. Due to the medium threat protection coverage and temporal factor, this control was scored as partial. |
| artifact_analysis | Artifact Analysis | protect | partial | T1078 | Valid Accounts | Artifact Analysis scans container images uploaded to Artifact Registry or Container Registry (deprecated) for vulnerabilities that could potentially be used to escalate privileges, such as default accounts with root permissions in Docker containers. Due to the medium threat protection coverage and scan results being available 48 hours after completion, this control was scored as partial. |
| artifact_analysis | Artifact Analysis | detect | partial | T1212 | Exploitation for Credential Access | Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various OS packages that could be used to escalate privileges and execute adversary-controlled code (e.g., Debian, Ubuntu, Alpine, RHEL, CentOS, National Vulnerability Database). Due to the medium threat detection coverage and temporal factor, the control was scored as partial. |
| artifact_analysis | Artifact Analysis | protect | partial | T1525 | Implant Internal Image | Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, this security solution can detect known vulnerabilities in Docker containers. This information can be used to detect images that deviate from the baseline norm, which could indicate malicious implanted images in the environment. Due to the medium threat detection coverage and temporal factor, the control was scored as partial. |
| artifact_analysis | Artifact Analysis | protect | partial | T1610 | Deploy Container | Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can scan for known vulnerabilities in containers. This information can be used to detect maliciously deployed containers used to evade defenses and execute processes in a target environment. Due to the medium threat detection coverage and temporal factor, the control was scored as partial. |
| cloud_ngfw | Cloud Next-Generation Firewall (NGFW) | protect | partial | T1008 | Fallback Channels | Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block communication with known fallback channels by filtering on known bad IP addresses and domains. This mapping is scored as partial because it only protects against known fallback channels and not channels yet to be identified. |
| google_secops | Google Security Operations | detect | minimal | T1016.001 | Internet Connection Discovery | Google Security Ops is able to trigger an alert based on processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., "net config", "ipconfig.exe", "nbtstat.exe"). This technique was scored as minimal based on the low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral |
| google_secops | Google Security Operations | detect | minimal | T1016.002 | Wi-Fi Discovery | Google Security Ops is able to trigger an alert based on processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., "net config", "ipconfig.exe", "nbtstat.exe"). This technique was scored as minimal based on the low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral |
| mandiant_asm | Mandiant Attack Surface Management (ASM) | detect | significant | T1021 | Remote Services | Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered in the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant. |
Showing 1 to 10 of 518 rows.

Non-Mappable Capabilities

Non-mappable capabilities are either out of scope or unable to be mapped to any ATT&CK objects.