GAM - Token Search Refinement \ Revocations \ Logs


Brian Short

May 3, 2017, 8:35:43 PM5/3/17
to GAM for G Suite
With today's Google phishing event, GAM fortunately aided us in a number of ways by mitigating the following worm before Google's resolution.

Related: https://www.theverge.com/2017/5/3/15537064/google-docs-phishing-attack-fixed


gam all users delete token clientid 1024674817942-fstip2shineo1lsego38uvsg8n2d3421.apps.googleusercontent.com <!-- among the few app IDs associated with the malicious app -->

Getting all users in G Suite account (may take some time on a large account)...

Got ***** users...

done getting **** users.

Deleted token for *****
Deleted token for *****

Deleted token for *****
Deleted token for *****

gam all users show token clientid 632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com <!-- among the few app IDs associated with the malicious app -->

Getting all users in G Suite account (may take some time on a large account)...

Got ***** users...

done getting **** users.

Deleted token for *****
Deleted token for *****

Deleted token for *****
Deleted token for *****


We were able to effectively sweep accounts of the malicious client IDs, but there wasn't a way for us to programmatically flag new IDs of the same function. I imagine (just like the article mentions) the attack will inspire other exploits in this manner, so I'm hoping we can maybe leverage GAM to combat this.

*******
I'd like to know if there's a way to refine token searches. The output for our org was over 8 GB, which is a lot. Curious if there are some parameters we can specify for a time \ date range. This would aid the discovery of client IDs and help us align tooling to catalog unique IDs for audit, since Google doesn't have a nice way to manage this... hence today's exploit.

Command used: gam all users show tokens todrive
result = Screenshot (Screen Shot 2017-05-03 at 4.55.54 PM.png, image not reproduced)

Jay Lee

May 3, 2017, 8:37:34 PM5/3/17
to google-ap...@googlegroups.com
There's not really any way to refine the token list. The API has a method to get all tokens for a user:


the API call has no query parameter or ability to narrow down the results.

Jay

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/78deeaba-978b-4612-98c1-29c38198468b%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Bri Hatch

May 3, 2017, 8:42:34 PM5/3/17
to google-ap...@googlegroups.com




--
Bri Hatch, Systems and Security Engineer. http://www.ifokr.org/bri/

The sooner you fall behind, the more time you'll have to catch up.

Jay Lee

May 3, 2017, 8:44:35 PM5/3/17
to google-ap...@googlegroups.com





Zane C.

May 3, 2017, 10:10:09 PM5/3/17
to GAM for G Suite
Token event IDs I found in our system:

73997885975-8p24fi1e7rdi7pj6dmmhucdm4dclednr.apps.googleusercontent.com
623002641392-km6voeicvso16uuk7pvc8mvbqheobnft.apps.googleusercontent.com
1024674817942-fstip2shineo1lsego38uvsg8n2d3421.apps.googleusercontent.com
946634442539-bpj9bmemdvoedu8d3or6c69am3mi71dh.apps.googleusercontent.com
366668462857-3qkidqn8oseh9v3fhm3085kpb747bgm7.apps.googleusercontent.com
346348828325-vlpb3e70lp89pd823qrcb9jfsmu556t8.apps.googleusercontent.com
187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com
632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com
1535050614-8i934kb9l0snc0iocqb0iv27lli0r858.apps.googleusercontent.com
188775109388-t33r6vb45j8fgf8vpcp4q0e6qt2pe01n.apps.googleusercontent.com
460536350236-e7c608ekfn4bkuv0kfbs3sd0miom1b5l.apps.googleusercontent.com
580738000227-fi28h87j8kpm6ialvr0513oiat06vm8t.apps.googleusercontent.com
486656852011-tn9oth2r8rl6lr0h0n5jhs15htuqs51i.apps.googleusercontent.com
894076725911-937981kn5runm20dsaqn516dchn1b78v.apps.googleusercontent.com
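Brian asked above for a way to catalog unique client IDs out of a multi-gigabyte `show tokens` export and flag new ones of the same kind; Zane's list gives a starting blocklist. The script below is an added example, not GAM's own code. It assumes the CSV that `gam all users print tokens` writes has at least the columns user, clientId, displayText and scopes (scopes space separated; check the header row your GAM version emits). SAMPLE_CSV and the two 000000000000-... client IDs are constructed for the demo; only the IDs in KNOWN_BAD come from this thread, and the gam command it prints is the per-user form of the delete shown earlier.

```python
"""Catalog OAuth client IDs from a GAM token export and pick out what to revoke.

Added example, not GAM's own code. Input format (user,clientId,displayText,scopes
columns, scopes space separated) is an assumption about `gam all users print
tokens`; SAMPLE_CSV is constructed, only KNOWN_BAD comes from the thread.
"""
import csv
import io
from collections import defaultdict

# Client IDs posted in this thread as belonging to the malicious "Google Docs" app.
KNOWN_BAD = {
    "73997885975-8p24fi1e7rdi7pj6dmmhucdm4dclednr.apps.googleusercontent.com",
    "623002641392-km6voeicvso16uuk7pvc8mvbqheobnft.apps.googleusercontent.com",
    "1024674817942-fstip2shineo1lsego38uvsg8n2d3421.apps.googleusercontent.com",
    "946634442539-bpj9bmemdvoedu8d3or6c69am3mi71dh.apps.googleusercontent.com",
    "366668462857-3qkidqn8oseh9v3fhm3085kpb747bgm7.apps.googleusercontent.com",
    "346348828325-vlpb3e70lp89pd823qrcb9jfsmu556t8.apps.googleusercontent.com",
    "187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com",
    "632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com",
    "1535050614-8i934kb9l0snc0iocqb0iv27lli0r858.apps.googleusercontent.com",
    "188775109388-t33r6vb45j8fgf8vpcp4q0e6qt2pe01n.apps.googleusercontent.com",
    "460536350236-e7c608ekfn4bkuv0kfbs3sd0miom1b5l.apps.googleusercontent.com",
    "580738000227-fi28h87j8kpm6ialvr0513oiat06vm8t.apps.googleusercontent.com",
    "486656852011-tn9oth2r8rl6lr0h0n5jhs15htuqs51i.apps.googleusercontent.com",
    "894076725911-937981kn5runm20dsaqn516dchn1b78v.apps.googleusercontent.com",
}

# Scope combination the worm asked for: full mailbox plus contacts. A client
# requesting these that is not on the list deserves review, not automatic trust.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.google.com/m8/feeds/",
    "https://www.googleapis.com/auth/contacts",
}

# Constructed export (not real data); the 000000000000-... IDs are placeholders.
SAMPLE_CSV = """user,clientId,displayText,scopes
alice@example.com,1024674817942-fstip2shineo1lsego38uvsg8n2d3421.apps.googleusercontent.com,Google Docs,https://mail.google.com/ https://www.google.com/m8/feeds/
bob@example.com,1024674817942-fstip2shineo1lsego38uvsg8n2d3421.apps.googleusercontent.com,Google Docs,https://mail.google.com/ https://www.google.com/m8/feeds/
bob@example.com,000000000000-constructedbenign.apps.googleusercontent.com,Constructed Drive Sync,https://www.googleapis.com/auth/drive
carol@example.com,000000000000-constructednewworm.apps.googleusercontent.com,Google Docs,https://mail.google.com/ https://www.google.com/m8/feeds/
"""


def load_tokens(csv_text):
    """Parse the export; the scopes column is split on whitespace (assumed format)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["scopes"] = set(row["scopes"].split())
        rows.append(row)
    return rows


def catalog(tokens):
    """One entry per client ID: who authorized it, what it called itself, what it asked for."""
    cat = defaultdict(lambda: {"users": set(), "names": set(), "scopes": set()})
    for t in tokens:
        entry = cat[t["clientId"]]
        entry["users"].add(t["user"])
        entry["names"].add(t["displayText"])
        entry["scopes"] |= t["scopes"]
    return dict(cat)


def flag(cat, known_bad=KNOWN_BAD, high_risk=HIGH_RISK_SCOPES):
    """Return {clientId: [reasons]} for entries to revoke or review."""
    name_owners = defaultdict(set)          # displayText -> client IDs using it
    for cid, entry in cat.items():
        for name in entry["names"]:
            name_owners[name].add(cid)
    flagged = defaultdict(list)
    for cid, entry in cat.items():
        if cid in known_bad:
            flagged[cid].append("known-bad")
        if entry["scopes"] & high_risk:
            flagged[cid].append("high-risk-scopes")
        # Two client IDs sharing one display name is how the worm passed as "Google Docs".
        if any(len(name_owners[n]) > 1 for n in entry["names"]):
            flagged[cid].append("display-name-collision")
    return dict(flagged)


def revocation_commands(tokens, client_ids):
    """One `gam user ... delete token clientid ...` per (user, clientId) pair."""
    cmds, seen = [], set()
    for t in tokens:
        key = (t["user"], t["clientId"])
        if t["clientId"] in client_ids and key not in seen:
            seen.add(key)
            cmds.append(f"gam user {t['user']} delete token clientid {t['clientId']}")
    return cmds


if __name__ == "__main__":
    toks = load_tokens(SAMPLE_CSV)
    cat = catalog(toks)
    flagged = flag(cat)
    for cid, reasons in flagged.items():
        print(f"{cid}: {', '.join(reasons)}; users={sorted(cat[cid]['users'])}")
    revoke = {cid for cid, reasons in flagged.items() if "known-bad" in reasons}
    print("\n".join(revocation_commands(toks, revoke)))
```

Run it against `gam all users print tokens > tokens.csv` instead of SAMPLE_CSV to get the unique-ID catalog the thread asks for; the known-bad entries feed straight into per-user revocations, while the scope and display-name flags are review queues, since legitimate mail clients request the same scopes.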

+KimNilsson

May 8, 2017, 11:42:51 AM5/8/17
to GAM for G Suite
A bit of a shame that GAM says it deletes the token even if there is none.

Jay Lee

May 8, 2017, 12:49:46 PM5/8/17
to google-ap...@googlegroups.com
The problem is that no matter what Client ID is specified for the tokens.delete() API call, it returns a successful response so GAM assumes such a token exists and was deleted.

I've just submitted a commit that will be in the next version. It does a tokens.get() API call first on these commands to confirm the token exists before deleting it. That does mean that for users who have authorized the Client ID, GAM needs to make two API calls instead of one so it will be slower but the command output should be accurate.

Jay

On Mon, May 8, 2017 at 11:42 AM, +KimNilsson <there.is.no.substitute@gmail.com> wrote:
A bit of a shame that GAM says it deletes the token even if there is none.
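The behaviour Jay describes, as an added example that is not GAM's or Google's code: tokens.delete() answers success whether or not a grant existed, so a tokens.get() (or a tokens.list() filtered client-side, since the API has no query parameter) is what makes "Deleted token for X" mean something. FakeTokensResource imitates the `service.tokens().get(userKey=..., clientId=...).execute()` calling convention of google-api-python-client on constructed grant data so the flow runs offline; with the real client the NotFound catch corresponds to googleapiclient.errors.HttpError with resp.status == 404 (assumption). BENIGN is a placeholder client ID; BAD is one from this thread.

```python
"""Confirm a token exists before reporting it deleted (added example, not GAM code).

FakeTokensResource stands in for the Admin SDK Directory API `tokens` resource;
grants and the BENIGN client ID are constructed. NotFound plays the role of a 404.
"""

BAD = "1024674817942-fstip2shineo1lsego38uvsg8n2d3421.apps.googleusercontent.com"
BENIGN = "000000000000-constructedbenign.apps.googleusercontent.com"  # placeholder


class NotFound(Exception):
    """Stands in for an HTTP 404 from tokens.get()."""


class _Call:
    """Deferred call with .execute(), like googleapiclient's HttpRequest."""
    def __init__(self, fn):
        self._fn = fn

    def execute(self):
        return self._fn()


class FakeTokensResource:
    def __init__(self, grants):
        self.grants = grants   # {userKey: {clientId: displayText}}
        self.calls = []        # record of API calls, for inspection

    def list(self, userKey):
        def run():
            self.calls.append(("list", userKey))
            items = [{"clientId": c, "displayText": d, "userKey": userKey}
                     for c, d in self.grants.get(userKey, {}).items()]
            return {"items": items}
        return _Call(run)

    def get(self, userKey, clientId):
        def run():
            self.calls.append(("get", userKey, clientId))
            user = self.grants.get(userKey, {})
            if clientId not in user:
                raise NotFound(f"{userKey} has no token for {clientId}")
            return {"clientId": clientId, "displayText": user[clientId], "userKey": userKey}
        return _Call(run)

    def delete(self, userKey, clientId):
        def run():
            # Mirrors the real call: succeeds whether or not the grant existed.
            self.calls.append(("delete", userKey, clientId))
            self.grants.get(userKey, {}).pop(clientId, None)
            return ""
        return _Call(run)


def demo_resource():
    """Fresh constructed state: alice authorized the bad app, bob did not."""
    return FakeTokensResource({
        "alice@example.com": {BAD: "Google Docs", BENIGN: "Constructed Drive Sync"},
        "bob@example.com": {BENIGN: "Constructed Drive Sync"},
    })


def revoke_naive(tokens, user, client_id):
    """Old behaviour: delete unconditionally and always claim success."""
    tokens.delete(userKey=user, clientId=client_id).execute()
    return True


def revoke_verified(tokens, user, client_id):
    """get() first; only a grant that was actually present counts as deleted."""
    try:
        tokens.get(userKey=user, clientId=client_id).execute()
    except NotFound:
        return False
    tokens.delete(userKey=user, clientId=client_id).execute()
    return True


def sweep(tokens, users, bad_ids):
    """Bulk variant: one list() per user, filter client-side, delete real matches.
    Returns {user: [revoked client IDs]}."""
    revoked = {}
    for user in users:
        items = tokens.list(userKey=user).execute().get("items", [])
        present = {t["clientId"] for t in items}
        revoked[user] = []
        for cid in sorted(present & set(bad_ids)):
            tokens.delete(userKey=user, clientId=cid).execute()
            revoked[user].append(cid)
    return revoked


if __name__ == "__main__":
    print("naive, bob:", revoke_naive(demo_resource(), "bob@example.com", BAD))
    t = demo_resource()
    print("verified, bob:", revoke_verified(t, "bob@example.com", BAD))
    print("verified, alice:", revoke_verified(t, "alice@example.com", BAD))
    print(sweep(demo_resource(), ["alice@example.com", "bob@example.com"], {BAD}))
```

The verified path costs a second call per user who really had the grant, as Jay notes; the list-and-filter sweep is the cheaper shape when revoking several client IDs at once, because one list() per user covers every ID on the blocklist.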
