GCP Access Policy Deleted
Detects, from GCP audit logs, the deletion of an Access Context Manager access policy, or of an access level, access zone or authorized-orgs description within one. These objects carry the context-aware access and VPC Service Controls restrictions applied to GCP resources; an adversary who deletes them removes those restrictions and can then reach resources the policy previously blocked. Because the same operations are also routine administrative changes, the rule is rated medium and should be reviewed against the acting principal and change tickets rather than treated as a confirmed compromise.
Sigma rule
title: GCP Access Policy Deleted
id: 32438676-1dba-4ac7-bf69-b86cba995e05
status: test
description: |
    Detects when an access policy that is applied to a GCP cloud resource is deleted.
    An adversary would be able to remove access policies to gain access to a GCP cloud resource.
references:
    - https://cloud.google.com/access-context-manager/docs/audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
author: Bryan Lim
date: 2024-01-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        data.protoPayload.authorizationInfo.permission:
            - 'accesscontextmanager.accessPolicies.delete'
            - 'accesscontextmanager.accessPolicies.accessLevels.delete'
            - 'accesscontextmanager.accessPolicies.accessZones.delete'
            - 'accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete'
        data.protoPayload.authorizationInfo.granted: 'true'
        data.protoPayload.serviceName: 'accesscontextmanager.googleapis.com'
    condition: selection
falsepositives:
    - Legitimate administrative activities
level: medium
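To see what the selection above actually matches, the following added example (written for this page, not code from the Sigma rule or the SigmaHQ project) applies the rule's three conditions to a handful of constructed GCP audit log entries. The entries, their insertIds, the principal e-mail, the resource name and the method names are made up to mimic the AuditLog JSON shape and are not real logs; the `accessPolicies.get` permission in the mixed entry is likewise only an illustrative value. The example also shows a caveat worth knowing: `authorizationInfo` is an array, and the rule's `permission` and `granted` conditions are evaluated independently, so on a backend that flattens arrays a request in which the delete check was denied but some other check in the same request was granted still matches. A stricter per-item variant is included beside the faithful evaluation so the two can be compared.

```python
import json

# Selection values copied from the rule above.
SERVICE_NAME = "accesscontextmanager.googleapis.com"
DELETE_PERMISSIONS = {
    "accesscontextmanager.accessPolicies.delete",
    "accesscontextmanager.accessPolicies.accessLevels.delete",
    "accesscontextmanager.accessPolicies.accessZones.delete",
    "accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete",
}


def _service_and_auth(entry):
    """Return (serviceName, authorizationInfo list) from one audit log entry."""
    proto = entry.get("protoPayload", {})
    return proto.get("serviceName"), proto.get("authorizationInfo", [])


def matches_flattened(entry):
    """The rule as a backend that flattens arrays evaluates it: each field
    condition is checked independently across all authorizationInfo items."""
    service, infos = _service_and_auth(entry)
    if service != SERVICE_NAME:
        return False
    has_delete = any(i.get("permission") in DELETE_PERMISSIONS for i in infos)
    # 'granted' is a boolean in AuditLog JSON; a denied check may omit it.
    has_granted = any(i.get("granted") is True for i in infos)
    return has_delete and has_granted


def matches_strict(entry):
    """Stricter variant: the delete permission and granted=true must be on the
    same authorizationInfo item, so a denied delete never matches."""
    service, infos = _service_and_auth(entry)
    if service != SERVICE_NAME:
        return False
    return any(
        i.get("permission") in DELETE_PERMISSIONS and i.get("granted") is True
        for i in infos
    )


def scan(log_lines, strict=False):
    """Apply the rule to newline-delimited JSON entries; return matching insertIds."""
    match = matches_strict if strict else matches_flattened
    return [e["insertId"] for e in map(json.loads, log_lines) if match(e)]


# Assumed method-name prefix for the constructed entries (not taken from the page).
ACM = "google.identity.accesscontextmanager.v1.AccessContextManager."


def _entry(insert_id, service, method, auth):
    """Build a constructed audit log entry in the AuditLog JSON shape (not a real log)."""
    return json.dumps({
        "insertId": insert_id,
        "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "authorizationInfo": auth,
            "resourceName": "accessPolicies/987654321",
        },
    })


# Constructed sample log covering the cases the rule has to distinguish.
SAMPLE_LOG = [
    # a1: granted deletion of an access policy -> matches
    _entry("a1", SERVICE_NAME, ACM + "DeleteAccessPolicy",
           [{"permission": "accesscontextmanager.accessPolicies.delete", "granted": True}]),
    # a2: denied deletion ('granted' omitted, as proto3 JSON does for false) -> no match
    _entry("a2", SERVICE_NAME, ACM + "DeleteAccessPolicy",
           [{"permission": "accesscontextmanager.accessPolicies.delete"}]),
    # a3: a delete on a different service -> no match (serviceName condition)
    _entry("a3", "iam.googleapis.com", "google.iam.admin.v1.DeleteRole",
           [{"permission": "iam.roles.delete", "granted": True}]),
    # a4: granted read plus denied delete in one request -> flattened matches, strict does not
    _entry("a4", SERVICE_NAME, ACM + "DeleteAccessLevel",
           [{"permission": "accesscontextmanager.accessPolicies.get", "granted": True},
            {"permission": "accesscontextmanager.accessPolicies.accessLevels.delete", "granted": False}]),
    # a5: granted deletion of an access level -> matches
    _entry("a5", SERVICE_NAME, ACM + "DeleteAccessLevel",
           [{"permission": "accesscontextmanager.accessPolicies.accessLevels.delete", "granted": True}]),
]

if __name__ == "__main__":
    print("flattened:", scan(SAMPLE_LOG))               # ['a1', 'a4', 'a5']
    print("strict:   ", scan(SAMPLE_LOG, strict=True))  # ['a1', 'a5']
```

The difference on entry `a4` is the practical point: if your SIEM flattens `authorizationInfo`, expect occasional hits where the deletion was actually denied, and either accept them (a denied delete attempt is still worth a look) or express the rule with a backend-specific nested or array-aware match so that `permission` and `granted` are tied to the same item.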
References
- https://cloud.google.com/access-context-manager/docs/audit-logging
- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
- https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
Related rules
- Bitbucket Global Permission Changed
- User Added to Local Administrator Group
- Google Workspace Application Access Level Modified
- Suspicious Processes Spawned by Java.EXE
- PUA - Process Hacker Execution