{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/google-cloud-logging/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Google Cloud Platform","Google Cloud Logging"],"_cs_severities":["medium"],"_cs_tags":["gcp","logging","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of a specific defense evasion technique in Google Cloud Platform (GCP): the deletion of Logging sinks. GCP Logging sinks are configured to export log entries to various destinations for analysis and storage. Attackers might delete these sinks to disrupt logging and monitoring, effectively evading detection. The behavior is detected by monitoring GCP audit logs for successful sink deletion events. The deletion action is performed using the Google Cloud Logging API. This activity is of concern to defenders because it directly impacts their ability to identify and respond to malicious activity within their GCP environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GCP account with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Logging sinks within the target GCP project using \u003ccode\u003egcloud logging sinks list\u003c/code\u003e or the Cloud Logging API.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a sink to delete, focusing on those critical for security monitoring.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a \u003ccode\u003egcloud logging sinks delete [SINK_NAME]\u003c/code\u003e command or uses the Cloud Logging API to delete the target sink.\u003c/li\u003e\n\u003cli\u003eGCP audit logs record the \u003ccode\u003egoogle.logging.v*.ConfigServiceV*.DeleteSink\u003c/code\u003e event with an \u003ccode\u003eevent.outcome:success\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eLog entries that would have been exported to the sink's destination are no longer processed, leading to a gap in security monitoring.\u003c/li\u003e\n\u003cli\u003eThe attacker performs other malicious actions within the GCP environment, knowing that their activity is less likely to be detected due to the disabled logging.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack involving Logging sink deletion can severely impact an organization's security posture. The deletion of logging sinks prevents security teams from detecting malicious activities within the GCP environment. This can lead to delayed incident response and increased dwell time for attackers. Depending on the scope of the attack, this could affect multiple projects and services, leading to data breaches or service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGCP Logging Sink Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect sink deletion events.\u003c/li\u003e\n\u003cli\u003eReview the audit logs for the specific event.action \u003ccode\u003egoogle.logging.v*.ConfigServiceV*.DeleteSink\u003c/code\u003e to identify the user or service account responsible for the deletion.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring and alerting for any future attempts to delete logging sinks, focusing on the specific event action and outcome fields used in the detection query.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-26-gcp-logging-sink-deletion/","summary":"Detection of Google Cloud Platform (GCP) Logging sink deletion, a technique used by adversaries to impair defenses and evade detection by preventing log entries from being exported to designated destinations.","title":"GCP Logging Sink Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-26-gcp-logging-sink-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Google Cloud Logging","version":"https://jsonfeed.org/version/1.1"}