Skip to content
Threat Feed
medium advisory

GCP Virtual Private Cloud Route Deletion for Defense Evasion

An adversary may delete a Virtual Private Cloud (VPC) route in Google Cloud Platform (GCP) to disrupt network traffic flow and evade defenses.

This threat brief addresses the deletion of Virtual Private Cloud (VPC) routes within Google Cloud Platform (GCP) environments. VPC routes define network traffic paths between virtual machine (VM) instances and other destinations, both inside and outside the VPC network. An attacker may intentionally delete or modify these routes to disrupt network communications, potentially evading security controls or impairing critical services. This activity is often observed as part of a broader attack campaign, where adversaries attempt to weaken the security posture of the target environment. The Elastic detection rule "GCP Virtual Private Cloud Route Deletion", updated on 2026/04/10, identifies these events by monitoring GCP audit logs for route deletion actions. Defenders should prioritize monitoring VPC route configurations and access logs to detect and respond to unauthorized modifications.

Attack Chain

  1. The attacker gains unauthorized access to a GCP account with sufficient privileges to modify VPC configurations. This could be achieved through compromised credentials, privilege escalation, or exploiting misconfigured IAM roles.
  2. The attacker enumerates existing VPC routes to identify potential targets for disruption, using tools like gcloud compute routes list.
  3. The attacker selects a critical VPC route that is essential for network communication between key services or network segments.
  4. The attacker deletes the selected VPC route using gcloud compute routes delete [ROUTE_NAME], causing a disruption in network traffic flow.
  5. The successful deletion of the route is logged in GCP audit logs.
  6. Network services relying on the deleted route experience connectivity issues, leading to service degradation or failure.
  7. The attacker may repeat this process with other critical routes to further isolate network segments or prevent detection.

Impact

Successful deletion of VPC routes can lead to significant disruptions in network connectivity and service availability. Victims may experience degraded performance, application failures, or complete outages, depending on the criticality of the affected routes. The deletion of VPC routes can affect any organization utilizing GCP, especially those reliant on stable and predictable network traffic patterns. The risk score associated with this activity is 47.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect VPC route deletion events in GCP audit logs (logsource: service: gcp and category: audit).
  • Review and harden IAM permissions to restrict access to VPC route management functions to authorized personnel only.
  • Implement automated monitoring and alerting for any changes to VPC route configurations.
  • Investigate any alerts generated by the Sigma rule by reviewing the associated audit logs and identifying the user or service account responsible for the route deletion.
  • Establish a process for quickly restoring deleted VPC routes from backups or configuration management tools.
  • Implement the recommendations in the provided investigation guide to analyze the context and impact of route deletion events.

Detection coverage 2

GCP VPC Route Deletion Detected

medium

Detects the deletion of a VPC route in Google Cloud Platform.

sigma tactics: defense_evasion techniques: T1562.007 sources: audit, gcp, gcp

GCP VPC Route Deletion by Unusual Identity

high

Detects VPC route deletion events performed by identities that do not typically manage network configurations.

sigma tactics: defense_evasion techniques: T1562.007 sources: audit, gcp, gcp

Detection queries are available on the platform. Get full rules →