GCP Logging Bucket Deletion for Defense Evasion
Detection of a Google Cloud Platform (GCP) logging bucket deletion, which can be used by adversaries to impair defenses and evade detection by removing or modifying cloud logs.
This threat brief focuses on the deletion of logging buckets within Google Cloud Platform (GCP). Log buckets are central to storing and organizing log data within GCP. An attacker may intentionally delete these buckets to disrupt incident response, forensics investigations, and overall security monitoring. The deletion of a bucket results in a pending state for seven days, during which logs continue to be routed to the bucket. To completely stop log routing, associated log sinks must also be deleted or modified. This activity matters to defenders as it represents a direct attempt to blind security teams by removing valuable audit data, increasing the dwell time of malicious activity.
Attack Chain
- The attacker gains unauthorized access to a GCP account through compromised credentials or other means.
- The attacker enumerates existing logging buckets to identify potential targets for deletion.
- The attacker attempts to delete a logging bucket using the
google.logging.v*.ConfigServiceV*.DeleteBucketAPI call. - The GCP audit logs record the bucket deletion attempt.
- If successful, the logging bucket enters a pending deletion state for seven days.
- To fully eliminate logs, the attacker identifies log sinks associated with the deleted bucket.
- The attacker deletes or modifies these log sinks to prevent further log routing to the affected bucket.
- The attacker successfully impairs the organization's ability to detect and respond to malicious activity by removing crucial log data.
Impact
A successful logging bucket deletion can severely impact an organization's security posture. It allows attackers to operate with reduced visibility, potentially increasing the dwell time and impact of attacks. Organizations may lose critical audit data, hindering incident response and forensic investigations. The sectors most affected are those heavily reliant on GCP for their infrastructure, including technology, finance, and healthcare. The impact can range from compliance violations to the inability to detect and respond to active threats, leading to data breaches and financial losses.
Recommendation
- Deploy the Sigma rule
GCP Logging Bucket Deletionto your SIEM to detect malicious bucket deletion attempts (rule provided below). - Review IAM permissions and roles to ensure that only authorized personnel have the ability to delete log buckets, reducing the risk of unauthorized deletions.
- Implement additional logging and monitoring for any changes to log sinks and bucket configurations to detect and respond to similar activities promptly.
- Investigate any alerts generated by the
GCP Logging Bucket DeletionSigma rule, focusing on unauthorized user accounts or suspicious source IP addresses. - Create exceptions for known maintenance periods or specific user accounts responsible for routine bucket deletions as described in the rule's false positives section.
Detection coverage 2
GCP Logging Bucket Deletion
mediumDetects the deletion of a logging bucket in Google Cloud Platform (GCP). Adversaries may delete log buckets to evade detection.
GCP Logging Sink Deletion
mediumDetects the deletion of a logging sink in Google Cloud Platform (GCP), often performed after a bucket deletion to completely eliminate logs.
Detection queries are available on the platform. Get full rules →