Google Full Network Traffic Packet Capture
Identifies potential full network packet capture in GCP by watching Compute Engine Packet Mirroring API calls in the audit log. Packet mirroring can be abused to read sensitive data from unencrypted internal traffic.
Sigma rule
title: Google Full Network Traffic Packet Capture
id: 980a7598-1e7f-4962-9372-2d754c930d0e
status: test
description: Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
references:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
    - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
author: Austin Songer @austinsonger
date: 2021-08-13
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1074
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - v*.Compute.PacketMirrorings.Get
            - v*.Compute.PacketMirrorings.Delete
            - v*.Compute.PacketMirrorings.Insert
            - v*.Compute.PacketMirrorings.Patch
            - v*.Compute.PacketMirrorings.List
            - v*.Compute.PacketMirrorings.aggregatedList
    condition: selection
falsepositives:
    - Full Network Packet Capture may be done by a system or network administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium