GCP Access Policy Deleted
Detects the deletion of Access Context Manager objects that gate access to GCP resources: an access policy, an access level, a service perimeter (the `accessZones` permission) or an authorized-orgs description. An adversary holding the corresponding delete permission could remove these controls to weaken or bypass the restrictions that protect a GCP cloud resource. The rule fires only on granted deletions in the `accesscontextmanager.googleapis.com` audit log; denied attempts are not alerted.
Sigma rule
title: GCP Access Policy Deleted
id: 32438676-1dba-4ac7-bf69-b86cba995e05
status: experimental
description: |
    Detects when an access policy that is applied to a GCP cloud resource is deleted.
    An adversary would be able to remove access policies to gain access to a GCP cloud resource.
references:
    - https://cloud.google.com/access-context-manager/docs/audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
author: Bryan Lim
date: 2024/01/12
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1098
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        data.protoPayload.authorizationInfo.permission:
            - 'accesscontextmanager.accessPolicies.delete'
            - 'accesscontextmanager.accessPolicies.accessLevels.delete'
            - 'accesscontextmanager.accessPolicies.accessZones.delete'
            - 'accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete'
        data.protoPayload.authorizationInfo.granted: 'true'
        data.protoPayload.serviceName: 'accesscontextmanager.googleapis.com'
    condition: selection
falsepositives:
    - Legitimate administrative activities
level: medium
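The rule's `selection` run over a handful of constructed Cloud Audit Log entries, as an added example that is not part of the Sigma rule or of SigmaHQ. The entries in SAMPLE_LOG are hand-built to mimic the AuditLog shape the rule's field paths refer to (`protoPayload.serviceName`, and `protoPayload.authorizationInfo` as a list of `{resource, permission, granted}` elements); principals, policy IDs and insertIds are invented, and the `data.` prefix in the rule's field paths is assumed to be added by the log pipeline, so the code reads `protoPayload` directly.

```python
"""Apply the GCP Access Policy Deleted selection to constructed audit-log entries.

Added example, not code from the rule page. SAMPLE_LOG is constructed to
resemble Cloud Audit Log records; nothing here was captured from a real project.
"""
import json

# The four delete permissions and the service name the rule selects on.
DELETE_PERMISSIONS = {
    "accesscontextmanager.accessPolicies.delete",
    "accesscontextmanager.accessPolicies.accessLevels.delete",
    "accesscontextmanager.accessPolicies.accessZones.delete",
    "accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete",
}
SERVICE_NAME = "accesscontextmanager.googleapis.com"


def granted(value):
    """Raw audit logs carry `granted` as a JSON boolean; the rule writes the
    Sigma string 'true'. Accept both so a string-typed pipeline and a raw
    JSON feed behave the same."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def matched_authorization(entry):
    """Return the authorizationInfo element that satisfies the rule's
    selection, or None. authorizationInfo is repeated, so every element is
    checked; one granted delete on the right service is enough."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != SERVICE_NAME:
        return None
    for info in payload.get("authorizationInfo", []):
        if info.get("permission") in DELETE_PERMISSIONS and granted(info.get("granted")):
            return info
    return None


def alerts(entries):
    """Run the rule over a list of entries and return one dict per match."""
    hits = []
    for entry in entries:
        info = matched_authorization(entry)
        if info is None:
            continue
        auth = entry["protoPayload"].get("authenticationInfo", {})
        hits.append({
            "insertId": entry.get("insertId"),
            "principal": auth.get("principalEmail"),
            "permission": info.get("permission"),
            "resource": info.get("resource"),
        })
    return hits


# Constructed sample: ev-1 and ev-5 should alert; ev-2 is a denied delete,
# ev-3 a read, ev-4 a delete on a different service.
SAMPLE_LOG = json.loads(r"""
[
 {"insertId": "ev-1", "protoPayload": {
   "serviceName": "accesscontextmanager.googleapis.com",
   "authenticationInfo": {"principalEmail": "alice@example.com"},
   "authorizationInfo": [{"resource": "accessPolicies/123456789/accessLevels/corp_devices",
     "permission": "accesscontextmanager.accessPolicies.accessLevels.delete", "granted": true}]}},
 {"insertId": "ev-2", "protoPayload": {
   "serviceName": "accesscontextmanager.googleapis.com",
   "authenticationInfo": {"principalEmail": "intern@example.com"},
   "authorizationInfo": [{"resource": "accessPolicies/123456789/servicePerimeters/prod",
     "permission": "accesscontextmanager.accessPolicies.accessZones.delete", "granted": false}]}},
 {"insertId": "ev-3", "protoPayload": {
   "serviceName": "accesscontextmanager.googleapis.com",
   "authenticationInfo": {"principalEmail": "alice@example.com"},
   "authorizationInfo": [{"resource": "accessPolicies/123456789",
     "permission": "accesscontextmanager.accessPolicies.get", "granted": true}]}},
 {"insertId": "ev-4", "protoPayload": {
   "serviceName": "compute.googleapis.com",
   "authenticationInfo": {"principalEmail": "ci@example.com"},
   "authorizationInfo": [{"resource": "projects/demo/zones/us-central1-a/instances/web-1",
     "permission": "compute.instances.delete", "granted": true}]}},
 {"insertId": "ev-5", "protoPayload": {
   "serviceName": "accesscontextmanager.googleapis.com",
   "authenticationInfo": {"principalEmail": "svc-terraform@demo.iam.gserviceaccount.com"},
   "authorizationInfo": [{"resource": "accessPolicies/123456789",
     "permission": "accesscontextmanager.accessPolicies.delete", "granted": "true"}]}}
]
""")

if __name__ == "__main__":
    for hit in alerts(SAMPLE_LOG):
        print(json.dumps(hit))
```

Two points worth carrying into a real deployment: `authorizationInfo` is a list, so a backend that flattens it must match on any element rather than only the first, and ev-2 shows that the `granted: 'true'` clause deliberately drops denied attempts, which a companion rule on `granted: false` would be needed to surface.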
Related rules
- Google Workspace Application Access Level Modified
- Creation Of Non-Existent System DLL
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- PSEXEC Remote Execution File Artefact