{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pubsub/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Google Cloud Platform Pub/Sub"],"_cs_severities":["low"],"_cs_tags":["cloud","gcp","pubsub","subscription"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis detection rule identifies the creation of a subscription within Google Cloud Platform's (GCP) Pub/Sub service. Pub/Sub is a messaging service that facilitates asynchronous communication between applications, decoupling event producers and consumers. A subscription represents a named resource that directs a stream of messages to a subscribing application. The rule focuses on detecting potentially malicious activity where an attacker creates an unauthorized subscription to intercept or exfiltrate sensitive data. The original Elastic detection rule was created in 2020 and updated in April 2026. This activity is relevant because unauthorized subscriptions can lead to significant data breaches and compromise of sensitive information within cloud environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GCP account, potentially through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gcloud CLI or the GCP console to interact with the Pub/Sub service.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to create a new Pub/Sub subscription. This request includes specifying the topic to subscribe to and configuring the subscription's settings.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the subscription creation request, which is logged as a \u003ccode\u003egoogle.pubsub.v*.Subscriber.CreateSubscription\u003c/code\u003e event in the GCP audit logs.\u003c/li\u003e\n\u003cli\u003eThe newly created subscription begins receiving messages published to the specified topic.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the subscription to forward messages to an external endpoint or stores them in a cloud storage bucket under their control.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the collected data from the external endpoint or storage bucket.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting logs or modifying audit configurations (not covered by this specific rule).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the exfiltration of sensitive data transmitted through the Pub/Sub service. This includes potentially confidential business data, customer information, or internal communications. The number of victims depends on the scope of the compromised GCP environment and the sensitivity of the data handled by the affected Pub/Sub topics. Financial losses, reputational damage, and legal ramifications are all potential consequences of a successful attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;GCP Pub/Sub Subscription Creation Detected\u0026quot; to your SIEM and tune for your environment to detect suspicious subscription creation activities.\u003c/li\u003e\n\u003cli\u003eReview the permissions and roles assigned to users and service accounts involved in subscription creation activities to ensure they adhere to the principle of least privilege (reference the overview section).\u003c/li\u003e\n\u003cli\u003eEnable and monitor GCP audit logs to capture all subscription creation events (reference the rule description).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by checking the associated project and topic details to ensure they align with expected configurations (reference the rule's investigation guide).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T10:00:00Z","date_published":"2024-05-02T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-gcp-pubsub-subscription-creation/","summary":"This rule detects the creation of a subscription in Google Cloud Platform (GCP) Pub/Sub, which could indicate unauthorized access to data streams by adversaries attempting to intercept or exfiltrate sensitive information.","title":"GCP Pub/Sub Subscription Creation","url":"https://feed.craftedsignal.io/briefs/2024-05-gcp-pubsub-subscription-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GCP Pub/Sub"],"_cs_severities":["low"],"_cs_tags":["gcp","pubsub","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThe Google Cloud Platform (GCP) Pub/Sub service facilitates asynchronous messaging between applications. A publisher application creates and sends messages to a topic, and subscriber applications receive those messages. Deleting a Pub/Sub topic can interrupt this communication, potentially disrupting services that rely on the topic for message flow. This action can be exploited by attackers as a defense evasion technique to impair logging or event-driven automation. This rule identifies the deletion of a topic in Google Cloud Platform (GCP) by monitoring audit logs for \u003ccode\u003egoogle.pubsub.v*.Publisher.DeleteTopic\u003c/code\u003e events. Defenders should investigate unexpected topic deletions, as they might indicate malicious activity or unauthorized access. The activity is logged in GCP audit logs, and can be accessed via the GCP Fleet integration or Filebeat module.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GCP account with sufficient permissions to manage Pub/Sub topics.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Pub/Sub topics to identify a target for deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003egoogle.pubsub.v*.Publisher.DeleteTopic\u003c/code\u003e API call to delete the target topic.\u003c/li\u003e\n\u003cli\u003eThe GCP audit logs record the successful topic deletion event with event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success.\u003c/li\u003e\n\u003cli\u003eApplications that publish to or subscribe from the deleted topic experience disruptions in message flow.\u003c/li\u003e\n\u003cli\u003eLogging or event-driven automation that relies on the deleted topic is impaired, potentially hindering incident response or security monitoring.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of a Pub/Sub topic can disrupt critical services and impair defenses, leading to delayed incident response and reduced visibility into malicious activities. The impact is service disruption, data loss, and potential concealment of malicious activities. The severity is low, as the deletion itself does not directly compromise data but hinders visibility.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGCP Pub/Sub Topic Deletion\u003c/code\u003e to your SIEM to detect unauthorized topic deletions by monitoring GCP audit logs.\u003c/li\u003e\n\u003cli\u003eReview the audit logs for the specific \u003ccode\u003eevent.action: google.pubsub.v*.Publisher.DeleteTopic\u003c/code\u003e to identify the exact time and user or service account responsible for the deletion, as described in the overview.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and permissions for Pub/Sub topics to prevent unauthorized deletions in the future.\u003c/li\u003e\n\u003cli\u003eMonitor GCP audit logs for any related activities or anomalies around the same timeframe to identify potential malicious intent or unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-gcp-pubsub-topic-deletion/","summary":"Detection of Google Cloud Platform Pub/Sub topic deletions can indicate an attempt to disrupt message flow and potentially evade defenses by impairing logging or event-driven automation.","title":"GCP Pub/Sub Topic Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-29-gcp-pubsub-topic-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pub/Sub"],"_cs_severities":["low"],"_cs_tags":["gcp","pubsub","defense_evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis rule detects the deletion of a subscription within Google Cloud Platform's (GCP) Pub/Sub service. GCP Pub/Sub is a messaging service that facilitates asynchronous communication between services. A subscription represents the stream of messages delivered to subscribing applications. An attacker may delete a Pub/Sub subscription as a form of defense evasion, to disrupt the flow of information, or as part of a broader attack aimed at impairing the target's infrastructure. The rule focuses on identifying successful subscription deletions logged in GCP audit logs and helps defenders identify potentially malicious activity targeting GCP environments. The original rule was created on 2020/09/23 and updated on 2026/04/10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to a GCP account or service account with sufficient privileges to manage Pub/Sub subscriptions.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GCP environment using stolen credentials or a compromised service account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target Pub/Sub subscription that is critical for application communication or monitoring.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003egoogle.pubsub.v*.Subscriber.DeleteSubscription\u003c/code\u003e API call to delete the targeted subscription.\u003c/li\u003e\n\u003cli\u003eGCP audit logs record the successful deletion of the subscription with \u003ccode\u003eevent.outcome:success\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe deletion disrupts message delivery to the subscribing application, potentially causing service disruptions or data loss.\u003c/li\u003e\n\u003cli\u003eThe attacker may delete multiple subscriptions to maximize impact and hinder incident response efforts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful subscription deletion can lead to disruption of services relying on Pub/Sub for asynchronous communication. While the severity is rated as \u0026quot;low,\u0026quot; the impact can be significant if critical services are affected. The potential for data loss and operational disruption exists, especially if the deleted subscription is not immediately restored. The number of affected victims or sectors is dependent on the targeted subscriptions and applications within the GCP environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGCP Pub/Sub Subscription Deletion\u003c/code\u003e to your SIEM to detect unauthorized subscription deletions.\u003c/li\u003e\n\u003cli\u003eReview the audit logs for the specific \u003ccode\u003eevent.action: google.pubsub.v*.Subscriber.DeleteSubscription\u003c/code\u003e to identify the user or service account responsible for the deletion.\u003c/li\u003e\n\u003cli\u003eImplement additional access controls and monitoring for Pub/Sub resources to prevent unauthorized deletions in the future.\u003c/li\u003e\n\u003cli\u003eEnsure that the GCP Fleet integration, Filebeat module, or similarly structured data is configured to collect relevant GCP audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, following the investigation steps outlined in the rule's note field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-12T18:00:00Z","date_published":"2024-01-12T18:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-12-gcp-pubsub-deletion/","summary":"Detection of a Google Cloud Platform Pub/Sub subscription deletion, which can be used by adversaries to disrupt communication, evade detection, or impair defenses.","title":"GCP Pub/Sub Subscription Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-12-gcp-pubsub-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Pubsub","version":"https://jsonfeed.org/version/1.1"}