{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pub/sub/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pub/Sub"],"_cs_severities":["low"],"_cs_tags":["gcp","pubsub","defense_evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis rule detects the deletion of a subscription within Google Cloud Platform's (GCP) Pub/Sub service. GCP Pub/Sub is a messaging service that facilitates asynchronous communication between services. A subscription represents the stream of messages delivered to subscribing applications. An attacker may delete a Pub/Sub subscription as a form of defense evasion, to disrupt the flow of information, or as part of a broader attack aimed at impairing the target's infrastructure. The rule focuses on identifying successful subscription deletions logged in GCP audit logs and helps defenders identify potentially malicious activity targeting GCP environments. The original rule was created on 2020/09/23 and updated on 2026/04/10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to a GCP account or service account with sufficient privileges to manage Pub/Sub subscriptions.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GCP environment using stolen credentials or a compromised service account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target Pub/Sub subscription that is critical for application communication or monitoring.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003egoogle.pubsub.v*.Subscriber.DeleteSubscription\u003c/code\u003e API call to delete the targeted subscription.\u003c/li\u003e\n\u003cli\u003eGCP audit logs record the successful deletion of the subscription with \u003ccode\u003eevent.outcome:success\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe deletion disrupts message delivery to the subscribing application, potentially causing service disruptions or data loss.\u003c/li\u003e\n\u003cli\u003eThe attacker may delete multiple subscriptions to maximize impact and hinder incident response efforts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful subscription deletion can lead to disruption of services relying on Pub/Sub for asynchronous communication. While the severity is rated as \u0026quot;low,\u0026quot; the impact can be significant if critical services are affected. The potential for data loss and operational disruption exists, especially if the deleted subscription is not immediately restored. The number of affected victims or sectors is dependent on the targeted subscriptions and applications within the GCP environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGCP Pub/Sub Subscription Deletion\u003c/code\u003e to your SIEM to detect unauthorized subscription deletions.\u003c/li\u003e\n\u003cli\u003eReview the audit logs for the specific \u003ccode\u003eevent.action: google.pubsub.v*.Subscriber.DeleteSubscription\u003c/code\u003e to identify the user or service account responsible for the deletion.\u003c/li\u003e\n\u003cli\u003eImplement additional access controls and monitoring for Pub/Sub resources to prevent unauthorized deletions in the future.\u003c/li\u003e\n\u003cli\u003eEnsure that the GCP Fleet integration, Filebeat module, or similarly structured data is configured to collect relevant GCP audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, following the investigation steps outlined in the rule's note field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-12T18:00:00Z","date_published":"2024-01-12T18:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-12-gcp-pubsub-deletion/","summary":"Detection of a Google Cloud Platform Pub/Sub subscription deletion, which can be used by adversaries to disrupt communication, evade detection, or impair defenses.","title":"GCP Pub/Sub Subscription Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-12-gcp-pubsub-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Pub/Sub","version":"https://jsonfeed.org/version/1.1"}