GCP Firewall Rule Deletion for Defense Evasion
The deletion of firewall rules in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine is detected, potentially weakening security controls and enabling unauthorized access or data exfiltration by adversaries.
This detection identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. Firewall rules are critical for controlling network traffic to and from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule to weaken a target's security controls, facilitating unauthorized access or data exfiltration. This behavior can be indicative of a defense evasion attempt. The deletion events are captured in audit logs within GCP, which are then monitored for specific actions related to firewall rule deletion in either VPC or App Engine environments.
Attack Chain
- An attacker gains initial access to a GCP account, potentially through compromised credentials or exploiting a vulnerability.
- The attacker enumerates existing firewall rules within the VPC or App Engine environment to identify potential targets for deletion.
- Using compromised credentials or a service account, the attacker initiates the deletion of a specific firewall rule. The
gcloudCLI or GCP console could be used. - The firewall rule is removed, altering the network access control configuration.
- The attacker leverages the modified firewall configuration to establish unauthorized connections to internal resources.
- The attacker moves laterally within the GCP environment, accessing sensitive data or systems previously protected by the deleted firewall rule.
- The attacker exfiltrates data or performs other malicious activities, taking advantage of the weakened security posture.
Impact
Successful deletion of GCP firewall rules can lead to significant security breaches, including unauthorized access to sensitive data, lateral movement within the cloud environment, and potential data exfiltration. The impact is highly dependent on the scope and purpose of the deleted firewall rule. This activity allows attackers to bypass intended security controls.
Recommendation
- Deploy the Sigma rule
GCP Firewall Rule Deletionto your SIEM to detect unauthorized firewall deletions based ondata_stream.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule). - Enable GCP audit logging to ensure that all firewall rule deletion events are captured for analysis.
- Review and update access controls and permissions for users and service accounts to minimize the risk of unauthorized firewall rule modifications.
- Implement enhanced monitoring and alerting for firewall rule changes to detect and respond to similar threats more quickly in the future, based on
event.actionlogs.
Detection coverage 2
GCP Firewall Rule Deletion
mediumDetects when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine.
GCP Compute Firewall Deletion via gcloud
mediumDetects firewall deletion events initiated via gcloud command-line tool
Detection queries are available on the platform. Get full rules →