GCP Logging Sink Deletion for Defense Evasion
Detection of Google Cloud Platform (GCP) Logging sink deletion, a technique used by adversaries to impair defenses and evade detection by preventing log entries from being exported to designated destinations.
This threat brief focuses on the detection of a specific defense evasion technique in Google Cloud Platform (GCP): the deletion of Logging sinks. GCP Logging sinks are configured to export log entries to various destinations for analysis and storage. Attackers might delete these sinks to disrupt logging and monitoring, effectively evading detection. The behavior is detected by monitoring GCP audit logs for successful sink deletion events. The deletion action is performed using the Google Cloud Logging API. This activity is of concern to defenders because it directly impacts their ability to identify and respond to malicious activity within their GCP environment.
Attack Chain
- An attacker gains unauthorized access to a GCP account with sufficient privileges.
- The attacker enumerates existing Logging sinks within the target GCP project using
gcloud logging sinks listor the Cloud Logging API. - The attacker identifies a sink to delete, focusing on those critical for security monitoring.
- The attacker executes a
gcloud logging sinks delete [SINK_NAME]command or uses the Cloud Logging API to delete the target sink. - GCP audit logs record the
google.logging.v*.ConfigServiceV*.DeleteSinkevent with anevent.outcome:success. - Log entries that would have been exported to the sink's destination are no longer processed, leading to a gap in security monitoring.
- The attacker performs other malicious actions within the GCP environment, knowing that their activity is less likely to be detected due to the disabled logging.
Impact
A successful attack involving Logging sink deletion can severely impact an organization's security posture. The deletion of logging sinks prevents security teams from detecting malicious activities within the GCP environment. This can lead to delayed incident response and increased dwell time for attackers. Depending on the scope of the attack, this could affect multiple projects and services, leading to data breaches or service disruptions.
Recommendation
- Deploy the Sigma rule
GCP Logging Sink Deletionto your SIEM and tune for your environment to detect sink deletion events. - Review the audit logs for the specific event.action
google.logging.v*.ConfigServiceV*.DeleteSinkto identify the user or service account responsible for the deletion. - Implement additional monitoring and alerting for any future attempts to delete logging sinks, focusing on the specific event action and outcome fields used in the detection query.
Detection coverage 2
GCP Logging Sink Deletion
mediumDetects deletion of a logging sink in Google Cloud Platform, which can be indicative of defense evasion.
GCP Logging Sink Deletion - gcloud
mediumDetects deletion of a logging sink in Google Cloud Platform via gcloud command, which can be indicative of defense evasion.
Detection queries are available on the platform. Get full rules →