Google Full Network Traffic Packet Capture

Detects calls to the Compute Engine Packet Mirroring API in GCP audit logs. Packet Mirroring copies the full network traffic of a VM to a collector, so it can be abused to read sensitive data from unencrypted internal traffic.

Sigma rule

```yaml
title: Google Full Network Traffic Packet Capture
id: 980a7598-1e7f-4962-9372-2d754c930d0e
status: test
description: Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
references:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
    - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
author: Austin Songer @austinsonger
date: 2021/08/13
modified: 2022/10/09
tags:
    - attack.collection
    - attack.t1074
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - v*.Compute.PacketMirrorings.Get
            - v*.Compute.PacketMirrorings.Delete
            - v*.Compute.PacketMirrorings.Insert
            - v*.Compute.PacketMirrorings.Patch
            - v*.Compute.PacketMirrorings.List
            - v*.Compute.PacketMirrorings.aggregatedList
    condition: selection
falsepositives:
    - Full Network Packet Capture may be done by a system or network administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
```
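The selection above is a list of Sigma string patterns: `*` matches any run of characters and comparison is case-insensitive, so `v*.Compute.PacketMirrorings.Insert` is meant to hit a `methodName` such as `v1.compute.packetMirrorings.insert`. The script below is an added example (not part of the rule or of SigmaHQ tooling) that applies that selection to a few constructed Cloud Audit Log entries and splits the hits into read-only enumeration (Get, List, aggregatedList) and calls that create or change a mirroring session (Insert, Patch, Delete), which is the split a triage queue usually wants. The audit-log field path `protoPayload.methodName`, the `authenticationInfo.principalEmail` field, the sample method names and the `beta.` prefixed entry are all assumptions made for the example; the rule itself only defines the `gcp.audit.method_name` patterns.

```python
"""Apply the rule's selection to constructed GCP audit log entries.

Added example, not code from the Sigma rule or from SigmaHQ. The sample
entries are constructed, not real logs. Field paths assume the Cloud Audit
Logs JSON layout (protoPayload.methodName), which the Sigma gcp.audit
logsource maps to gcp.audit.method_name.
"""
import fnmatch
import json
from typing import Dict, Iterable, List, Optional

# Patterns copied verbatim from the rule's selection.
SELECTION = [
    "v*.Compute.PacketMirrorings.Get",
    "v*.Compute.PacketMirrorings.Delete",
    "v*.Compute.PacketMirrorings.Insert",
    "v*.Compute.PacketMirrorings.Patch",
    "v*.Compute.PacketMirrorings.List",
    "v*.Compute.PacketMirrorings.aggregatedList",
]

# Calls that create, alter or remove a mirroring session. Get/List/aggregatedList
# only enumerate existing sessions. This split is a triage aid added here; the
# rule itself treats every method the same (level: medium).
MODIFYING = {"insert", "patch", "delete"}


def matches_selection(method_name: str) -> bool:
    """Sigma-style match: '*' wildcard, case-insensitive comparison."""
    lowered = method_name.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in SELECTION)


def classify(entry: Dict) -> Optional[str]:
    """Return 'modify', 'read' or None for one parsed audit log entry."""
    method = entry.get("protoPayload", {}).get("methodName", "")
    if not matches_selection(method):
        return None
    verb = method.rsplit(".", 1)[-1].lower()
    return "modify" if verb in MODIFYING else "read"


def run_detection(lines: Iterable[str]) -> List[Dict]:
    """Parse newline-delimited JSON entries and return one record per hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        verdict = classify(entry)
        if verdict is None:
            continue
        payload = entry["protoPayload"]
        hits.append({
            "method": payload["methodName"],
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "severity": "high" if verdict == "modify" else "medium",
        })
    return hits


# Constructed sample entries (assumed layout, not real logs). The last one uses a
# hypothetical "beta." API prefix to show that the rule's "v*" patterns only
# cover method names that start with "v".
SAMPLE_LOG = """
{"protoPayload": {"methodName": "v1.compute.packetMirrorings.insert", "authenticationInfo": {"principalEmail": "attacker@example.com"}}}
{"protoPayload": {"methodName": "v1.compute.packetMirrorings.list", "authenticationInfo": {"principalEmail": "netadmin@example.com"}}}
{"protoPayload": {"methodName": "v1.compute.instances.insert", "authenticationInfo": {"principalEmail": "ci@example.com"}}}
{"protoPayload": {"methodName": "beta.compute.packetMirrorings.patch", "authenticationInfo": {"principalEmail": "attacker@example.com"}}}
"""

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOG.splitlines()):
        print(hit)
```

Running it reports the `insert` call as high and the `list` call as medium, ignores the unrelated `instances.insert`, and does not match the `beta.`-prefixed entry at all: if your project logs Packet Mirroring calls under a version prefix that does not start with `v`, the selection needs an extra pattern or a looser prefix, and the false-positive note about administrators is best handled by exempting known principals rather than the `Get`/`List` methods wholesale, since enumeration is also the first step an attacker takes.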
