<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pub/Sub - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pub/sub/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 12 Jan 2024 18:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pub/sub/feed.xml" rel="self" type="application/rss+xml"/><item><title>GCP Pub/Sub Subscription Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-12-gcp-pubsub-deletion/</link><pubDate>Fri, 12 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-12-gcp-pubsub-deletion/</guid><description>Detection of a Google Cloud Platform Pub/Sub subscription deletion, which can be used by adversaries to disrupt communication, evade detection, or impair defenses.</description><content:encoded><![CDATA[<p>This rule detects the deletion of a subscription within Google Cloud Platform's (GCP) Pub/Sub service. GCP Pub/Sub is a messaging service that facilitates asynchronous communication between services. A subscription represents the stream of messages delivered to subscribing applications. An attacker may delete a Pub/Sub subscription as a form of defense evasion, to disrupt the flow of information, or as part of a broader attack aimed at impairing the target's infrastructure. The rule focuses on identifying successful subscription deletions logged in GCP audit logs and helps defenders identify potentially malicious activity targeting GCP environments. The original rule was created on 2020/09/23 and updated on 2026/04/10.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains access to a GCP account or service account with sufficient privileges to manage Pub/Sub subscriptions.</li>
<li>The attacker authenticates to the GCP environment using stolen credentials or a compromised service account.</li>
<li>The attacker identifies a target Pub/Sub subscription that is critical for application communication or monitoring.</li>
<li>The attacker executes the <code>google.pubsub.v*.Subscriber.DeleteSubscription</code> API call to delete the targeted subscription.</li>
<li>GCP audit logs record the successful deletion of the subscription with <code>event.outcome:success</code>.</li>
<li>The deletion disrupts message delivery to the subscribing application, potentially causing service disruptions or data loss.</li>
<li>The attacker may delete multiple subscriptions to maximize impact and hinder incident response efforts.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful subscription deletion can lead to disruption of services relying on Pub/Sub for asynchronous communication. While the severity is rated as &quot;low,&quot; the impact can be significant if critical services are affected. The potential for data loss and operational disruption exists, especially if the deleted subscription is not immediately restored. The number of affected victims or sectors is dependent on the targeted subscriptions and applications within the GCP environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>GCP Pub/Sub Subscription Deletion</code> to your SIEM to detect unauthorized subscription deletions.</li>
<li>Review the audit logs for the specific <code>event.action: google.pubsub.v*.Subscriber.DeleteSubscription</code> to identify the user or service account responsible for the deletion.</li>
<li>Implement additional access controls and monitoring for Pub/Sub resources to prevent unauthorized deletions in the future.</li>
<li>Ensure that the GCP Fleet integration, Filebeat module, or similarly structured data is configured to collect relevant GCP audit logs.</li>
<li>Investigate any alerts triggered by the Sigma rule, following the investigation steps outlined in the rule's note field.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>gcp</category><category>pubsub</category><category>defense_evasion</category><category>cloud</category></item></channel></rss>