GCP Pub/Sub Topic Deletion for Defense Evasion
Detection of Google Cloud Platform Pub/Sub topic deletions can indicate an attempt to disrupt message flow and potentially evade defenses by impairing logging or event-driven automation.
The Google Cloud Platform (GCP) Pub/Sub service facilitates asynchronous messaging between applications. A publisher application creates and sends messages to a topic, and subscriber applications receive those messages. Deleting a Pub/Sub topic can interrupt this communication, potentially disrupting services that rely on the topic for message flow. This action can be exploited by attackers as a defense evasion technique to impair logging or event-driven automation. This rule identifies the deletion of a topic in Google Cloud Platform (GCP) by monitoring audit logs for google.pubsub.v*.Publisher.DeleteTopic events. Defenders should investigate unexpected topic deletions, as they might indicate malicious activity or unauthorized access. The activity is logged in GCP audit logs, and can be accessed via the GCP Fleet integration or Filebeat module.
Attack Chain
- An attacker gains unauthorized access to a GCP account with sufficient permissions to manage Pub/Sub topics.
- The attacker enumerates existing Pub/Sub topics to identify a target for deletion.
- The attacker executes the
google.pubsub.v*.Publisher.DeleteTopicAPI call to delete the target topic. - The GCP audit logs record the successful topic deletion event with event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success.
- Applications that publish to or subscribe from the deleted topic experience disruptions in message flow.
- Logging or event-driven automation that relies on the deleted topic is impaired, potentially hindering incident response or security monitoring.
Impact
Successful deletion of a Pub/Sub topic can disrupt critical services and impair defenses, leading to delayed incident response and reduced visibility into malicious activities. The impact is service disruption, data loss, and potential concealment of malicious activities. The severity is low, as the deletion itself does not directly compromise data but hinders visibility.
Recommendation
- Deploy the Sigma rule
GCP Pub/Sub Topic Deletionto your SIEM to detect unauthorized topic deletions by monitoring GCP audit logs. - Review the audit logs for the specific
event.action: google.pubsub.v*.Publisher.DeleteTopicto identify the exact time and user or service account responsible for the deletion, as described in the overview. - Implement stricter access controls and permissions for Pub/Sub topics to prevent unauthorized deletions in the future.
- Monitor GCP audit logs for any related activities or anomalies around the same timeframe to identify potential malicious intent or unauthorized access.
Detection coverage 2
GCP Pub/Sub Topic Deletion
lowDetects the deletion of a Pub/Sub topic in Google Cloud Platform.
GCP Pub/Sub Topic Deletion by Unusual Identity
mediumDetects Pub/Sub topic deletion events performed by identities that do not typically manage Pub/Sub.
Detection queries are available on the platform. Get full rules →