# GWS\_RESET\_PASSWORD

## Summary

|                            |                                                                      |
| -------------------------- | -------------------------------------------------------------------- |
| **FSProtect ACL Alias**    | GWS\_RESET\_PASSWORD                                                 |
| **GCP Alias**              | Persistence & Impersonation                                          |
| **Affected Object Types**  | Users                                                                |
| **Exploitation Certainty** | Certain                                                              |
| **Granting Roles**         | Google Workspace Super Admin, User Management Admin, Help Desk Admin |

## Description

`GWS_RESET_PASSWORD` indicates that a Google Workspace identity can reset another user's password via the Admin Console or Admin SDK. Password reset is one of the most direct account takeover vectors in a Workspace environment — the attacker sets a new password, logs in as the target user, and gains access to all their Google services.

Because Google Workspace identities are commonly used as the SSO provider for third-party SaaS applications, compromising a Workspace account can cascade to any downstream service that trusts Google sign-in. If the target user is a GCP project owner or has the GCP Console bookmarked, this edge leads directly into GCP.

**Key abuse scenarios:**

* Reset a user's password → log in as that user → access Gmail, Drive, GCP Console.
* Reset a GCP project owner's password → access all projects and service accounts the user manages.
* Reset a Super Admin's password → take over the entire Workspace organization.

## Identification

### GCP Console

1. Open **Google Admin Console** (`admin.google.com`) → **Account** → **Admin roles**.
2. Identify roles with the **Reset User Passwords** privilege: Super Admin, User Management Admin, Help Desk Admin.
3. Review who holds each of these roles under the **Admins** tab.

### gcloud CLI

```bash
# List all admin roles that carry the password reset privilege.
# Access token should be authorized on scope:
#   https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
ACCESS_TOKEN="your-access-token"
curl -s \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://admin.googleapis.com/admin/directory/v1/customer/my_customer/roles" \
  | jq '.items[]? | select(any(.rolePrivileges[]?; .privilegeName == "RESET_USER_PASSWORD")) | {roleId: .roleId, roleName: .roleName}'
```
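The curl command above lists the roles; step 3 of the Admin Console procedure asks who actually holds them, and mitigation 4 cares whether each holder is scoped to an OU or to the whole customer. The script below, an added example and not FSProtect's own code, joins the `roles` listing to the `roleassignments` listing of the Admin SDK Directory API (`GET .../customer/my_customer/roleassignments?roleId=<id>`) and reports every principal with reset rights together with their scope. The JSON payloads are constructed samples in the shape of those two endpoints; `isSuperAdminRole`, `scopeType` and `orgUnitId` are fields of the real Role and RoleAssignment resources, and the user-ID-to-email map stands in for a `users.get` lookup that a real run would perform.

```python
"""Map Google Workspace role assignments to the principals who can reset
passwords, and at what scope. Added example (not FSProtect's code). Input is
JSON in the shape returned by the Admin SDK Directory API:
  GET /admin/directory/v1/customer/my_customer/roles
  GET /admin/directory/v1/customer/my_customer/roleassignments?roleId=<id>
The payloads below are constructed samples; IDs and addresses are not real."""

RESET_PRIVILEGE = "RESET_USER_PASSWORD"

# Constructed sample of the roles listing: one super admin role, one delegated
# role with the reset privilege, one unrelated role.
SAMPLE_ROLES = {"items": [
    {"roleId": "100", "roleName": "_SEED_ADMIN_ROLE", "isSuperAdminRole": True,
     "rolePrivileges": [{"privilegeName": "SUPER_ADMIN"}]},
    {"roleId": "200", "roleName": "_HELP_DESK_ADMIN_ROLE",
     "rolePrivileges": [{"privilegeName": "RESET_USER_PASSWORD"},
                        {"privilegeName": "USERS_RETRIEVE"}]},
    {"roleId": "300", "roleName": "_GROUPS_ADMIN_ROLE",
     "rolePrivileges": [{"privilegeName": "GROUPS_ALL"}]},
]}

# Constructed sample of the role assignments listing (all roles merged).
SAMPLE_ASSIGNMENTS = {"items": [
    {"roleAssignmentId": "1", "roleId": "100", "assignedTo": "u-alice", "scopeType": "CUSTOMER"},
    {"roleAssignmentId": "2", "roleId": "200", "assignedTo": "u-bob", "scopeType": "CUSTOMER"},
    {"roleAssignmentId": "3", "roleId": "200", "assignedTo": "u-carol",
     "scopeType": "ORG_UNIT", "orgUnitId": "id:ou-sales"},
    {"roleAssignmentId": "4", "roleId": "300", "assignedTo": "u-dave", "scopeType": "CUSTOMER"},
]}

# assignedTo holds a user ID; resolving it needs users.get. Constructed map.
SAMPLE_ID_TO_EMAIL = {"u-alice": "alice@example.com", "u-bob": "bob@example.com",
                      "u-carol": "carol@example.com", "u-dave": "dave@example.com"}


def reset_capable_roles(roles):
    """Return {roleId: roleName} for roles able to reset user passwords.
    Super admin roles count regardless of the privileges they list."""
    capable = {}
    for role in roles.get("items", []):
        privileges = {p.get("privilegeName") for p in role.get("rolePrivileges", [])}
        if role.get("isSuperAdminRole") or RESET_PRIVILEGE in privileges:
            capable[role["roleId"]] = role["roleName"]
    return capable


def principals_with_reset_rights(roles, assignments, id_to_email):
    """Join assignments to reset-capable roles; org-wide holders sort first."""
    capable = reset_capable_roles(roles)
    findings = []
    for assignment in assignments.get("items", []):
        role_id = assignment.get("roleId")
        if role_id not in capable:
            continue
        org_wide = assignment.get("scopeType", "CUSTOMER") == "CUSTOMER"
        user_id = assignment.get("assignedTo")
        findings.append({
            "email": id_to_email.get(user_id, user_id),
            "role": capable[role_id],
            "scope": "organization-wide" if org_wide
                     else f"org unit {assignment.get('orgUnitId')}",
            "org_wide": org_wide,
        })
    return sorted(findings, key=lambda f: (not f["org_wide"], f["email"]))


if __name__ == "__main__":
    for f in principals_with_reset_rights(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS, SAMPLE_ID_TO_EMAIL):
        flag = "  <- can reset any user's password" if f["org_wide"] else ""
        print(f'{f["email"]:<20} {f["role"]:<24} {f["scope"]}{flag}')
```

In a real run, feed the script the output of the two curl calls (one `roleassignments` call per capable role, or the unfiltered listing) and review every entry marked organization-wide against mitigation 2 and 4: delegated admins scoped to the whole customer can reset Super Admin passwords unless their role is restricted.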

## Exploitation

### gcloud CLI

```bash
# Access token should be authorized on scope: https://www.googleapis.com/auth/admin.directory.user
ACCESS_TOKEN="your-access-token"
TARGET_USER="victim@example.com"

# Reset the target user's password
curl -s -X PUT \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"password": "NewP@ssw0rd123!", "changePasswordAtNextLogin": false}' \
  "https://admin.googleapis.com/admin/directory/v1/users/${TARGET_USER}"

# Revoke all active sessions to force re-authentication with the new password
curl -s -X POST \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://admin.googleapis.com/admin/directory/v1/users/${TARGET_USER}/signOut"
```

After resetting the password, sign in as the target user and enumerate GCP access:

```bash
# Authenticate to GCP as the compromised user
gcloud auth login  # sign in with the target user's credentials

# Enumerate GCP projects the user has access to
gcloud projects list

# List service accounts in a target project
gcloud iam service-accounts list --project=<project-id>
```

**Compound path:** `GWS_RESET_PASSWORD` → reset password of a GCP project Owner → log in as that user → enumerate and access all resources in the project, including creating SA keys or modifying IAM policy.

## Mitigation

1. **Enforce phishing-resistant MFA (passkeys/security keys)** — a password reset alone is insufficient to log in if strong MFA is required.
2. **Restrict password reset rights** to dedicated Help Desk accounts; never allow delegated admins to reset Super Admin passwords.
3. **Alert on admin-initiated password resets** in real-time via Admin Console audit log alerts.
4. **Scope Help Desk Admin** to specific OUs rather than the entire organization.

## Detection

| Log Type       | Method            | Key Fields                                   |
| -------------- | ----------------- | -------------------------------------------- |
| Admin Activity | `CHANGE_PASSWORD` | Admin audit log, `USER_EMAIL`, `ADMIN_EMAIL` |

```bash
# Access token should be authorized on scope: https://www.googleapis.com/auth/admin.reports.audit.readonly
ACCESS_TOKEN="your-access-token"
curl -s \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CHANGE_PASSWORD" \
  | jq '.items[]? | {actor: .actor.email, target: (.events[].parameters[] | select(.name=="USER_EMAIL") | .value), time: .id.time}'
```

Alert on:

* Admin-initiated password resets on Super Admin or GCP-privileged accounts.
* Password resets outside business hours or from unexpected admin accounts.
* Sign-ins from new devices or locations occurring shortly after a password reset.
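The curl command above pulls the raw `CHANGE_PASSWORD` events; the three alert conditions still have to be applied to them. The script below, an added example and not FSProtect's own code, implements all three over activity JSON in the shape returned by the Admin SDK Reports API (`activities.list`): the `admin` application feed for password resets and the `login` application feed (event name `login_success`) for the sign-ins that follow them. The events, addresses, account names, privileged-user list, expected-admin list and known-IP table are all constructed samples; business hours are evaluated in UTC here, which is an assumption to adjust to the admin team's local time zone.

```python
"""Triage Google Workspace admin audit events for suspicious password resets.
Added example (not FSProtect's code). Input is JSON in the shape returned by the
Admin SDK Reports API activities.list, e.g.
  .../activity/users/all/applications/admin?eventName=CHANGE_PASSWORD
  .../activity/users/all/applications/login?eventName=login_success
Events, addresses and account names below are constructed samples."""
from datetime import datetime, timedelta

# Constructed sample of the admin application's activity feed.
SAMPLE_ADMIN_ACTIVITY = {"items": [
    {"id": {"time": "2024-03-09T02:13:44.000Z", "applicationName": "admin"},
     "actor": {"email": "helpdesk@example.com"}, "ipAddress": "203.0.113.10",
     "events": [{"type": "USER_SETTINGS", "name": "CHANGE_PASSWORD",
                 "parameters": [{"name": "USER_EMAIL", "value": "owner@example.com"}]}]},
    {"id": {"time": "2024-03-12T10:00:05.000Z", "applicationName": "admin"},
     "actor": {"email": "helpdesk@example.com"}, "ipAddress": "203.0.113.10",
     "events": [{"type": "USER_SETTINGS", "name": "CHANGE_PASSWORD",
                 "parameters": [{"name": "USER_EMAIL", "value": "staff@example.com"}]}]},
]}

# Constructed sample of the login application's activity feed.
SAMPLE_LOGIN_ACTIVITY = {"items": [
    {"id": {"time": "2024-03-09T02:40:10.000Z", "applicationName": "login"},
     "actor": {"email": "owner@example.com"}, "ipAddress": "198.51.100.7",
     "events": [{"type": "login", "name": "login_success"}]},
    {"id": {"time": "2024-03-12T10:30:00.000Z", "applicationName": "login"},
     "actor": {"email": "staff@example.com"}, "ipAddress": "203.0.113.77",
     "events": [{"type": "login", "name": "login_success"}]},
]}

# Constructed environment knowledge: GCP-privileged / Super Admin accounts, the
# admins that normally perform resets, and source addresses seen per user.
PRIVILEGED = {"owner@example.com"}
EXPECTED_ADMINS = {"helpdesk@example.com"}
KNOWN_IPS = {"owner@example.com": {"203.0.113.50"},
             "staff@example.com": {"203.0.113.77"}}


def _ts(value):
    """Parse the RFC 3339 timestamp in id.time (trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _param(event, name):
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def password_resets(activity):
    """Flatten CHANGE_PASSWORD events into {time, admin, target, ip} records."""
    for item in activity.get("items", []):
        for ev in item.get("events", []):
            if ev.get("name") == "CHANGE_PASSWORD":
                yield {"time": _ts(item["id"]["time"]), "admin": item["actor"]["email"],
                       "target": _param(ev, "USER_EMAIL"), "ip": item.get("ipAddress")}


def sign_ins(activity):
    """Flatten login_success events into {time, user, ip} records."""
    for item in activity.get("items", []):
        for ev in item.get("events", []):
            if ev.get("name") == "login_success":
                yield {"time": _ts(item["id"]["time"]), "user": item["actor"]["email"],
                       "ip": item.get("ipAddress")}


def triage(admin_activity, login_activity, privileged, expected_admins, known_ips,
           business_hours=(8, 18), window=timedelta(hours=1)):
    """Apply the three alert rules; returns one alert dict per rule hit."""
    alerts = []
    logins = list(sign_ins(login_activity))
    for r in password_resets(admin_activity):
        base = {"admin": r["admin"], "target": r["target"], "time": r["time"].isoformat()}
        # Rule 1: reset of a Super Admin or GCP-privileged account.
        if r["target"] in privileged:
            alerts.append({"rule": "privileged-target", **base})
        # Rule 2: outside business hours (UTC, weekdays) or unexpected admin.
        weekend = r["time"].weekday() >= 5
        in_hours = business_hours[0] <= r["time"].hour < business_hours[1]
        if weekend or not in_hours or r["admin"] not in expected_admins:
            alerts.append({"rule": "off-hours-or-unexpected-admin", **base})
        # Rule 3: the target signs in from an unseen address shortly after the reset.
        for s in logins:
            if (s["user"] == r["target"] and r["time"] <= s["time"] <= r["time"] + window
                    and s["ip"] not in known_ips.get(s["user"], set())):
                alerts.append({"rule": "post-reset-login-new-ip", "login_ip": s["ip"], **base})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_ADMIN_ACTIVITY, SAMPLE_LOGIN_ACTIVITY,
                    PRIVILEGED, EXPECTED_ADMINS, KNOWN_IPS):
        print(f'[{a["rule"]}] {a["time"]} {a["admin"]} reset {a["target"]}'
              + (f' ; login from {a["login_ip"]}' if "login_ip" in a else ""))
```

With the sample data, only the reset of `owner@example.com` fires: it hits all three rules, while the weekday business-hours reset of `staff@example.com` by the expected Help Desk account, followed by a sign-in from a known address, produces nothing. The rule-3 window is the detail to tune; an hour is short enough to tie the login to the reset without drowning in the target's own first login after a legitimate help desk ticket.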

## References

* <https://knowledge.workspace.google.com/admin/users/reset-a-users-password>
* <https://developers.google.com/admin-sdk/directory/v1/guides/manage-users>
