Detection rules for Google Cloud data sources. Each rule includes its MITRE ATT&CK mapping, impact rating, and a description of what it detects.

This category contains 34 detection rules.

Rule | Category | Technique | Impact (C/I/A)
--- | --- | --- | ---
Anthos Security Policy Violations | Security Control Bypass | T1562 - Impair Defenses | C:3 / I:3 / A:2
Binary Authorization Bypass Detection | Defense Evasion | T1553 - Subvert Trust Controls | C:3 / I:3 / A:2
Cloud Identity Suspicious Sign-ins Detection | Initial Access | T1078 - Valid Accounts | C:3 / I:2 / A:1
GCP 2-step verification disabled | Defense Evasion | T1562 - Impair Defenses | C:1 / I:2 / A:3
GCP Audit Log Disabling or Tampering | Defense Evasion | T1562.008 - Impair Defenses: Disable Cloud Logs | C:3 / I:3 / A:2
GCP BigQuery Data Exfiltration Detection | Data Exfiltration | T1567 - Exfiltration Over Web Service | C:3 / I:1 / A:1
GCP Break-Glass Container Workload Deployed | Defense Evasion | T1548 - Abuse Elevation Control Mechanism | C:3 / I:3 / A:2
GCP Cloud Function and Cloud Run Abuse | Persistence | T1059 - Command and Scripting Interpreter | C:2 / I:2 / A:1
GCP Cloud Storage Data Exfiltration | Data Exfiltration | T1530 - Data from Cloud Storage Object | C:3 / I:1 / A:1
GCP Cryptomining Instance Launch Detection | Resource Hijacking | T1496 - Resource Hijacking | C:1 / I:2 / A:3
GCP Custom Role with Overly Permissive Permissions | Privilege Escalation | T1098 - Account Manipulation | C:3 / I:3 / A:1
GCP DLP Re-Identification API Call | Collection | T1565 - Data Manipulation | C:3 / I:2 / A:0
GCP Domain-Wide API Access Granted | Privilege Escalation | T1098 - Account Manipulation | C:3 / I:3 / A:2
GCP KMS Key Destruction or Disabling | Impact | T1552 - Unsecured Credentials | C:1 / I:3 / A:3
GCP Network Packet Capture Configuration | Credential Access | T1040 - Network Sniffing | C:3 / I:1 / A:1
GCP Project Manipulation and Shadow Projects | Account Manipulation | T1578 - Modify Cloud Compute Infrastructure | C:2 / I:3 / A:3
GCP Secret Manager Bulk Access Detection | Credential Access | T1552 - Unsecured Credentials | C:3 / I:1 / A:1
GCP Service Account Impersonation Detection | Credential Access | T1550.001 - Use Alternate Authentication Material: Application Access Token | C:3 / I:3 / A:1
GCP Workload Identity Federation Abuse | Credential Access | T1078 - Valid Accounts | C:3 / I:3 / A:1
GCP account is probably used for spamming | Initial Access | T1566 - Phishing | C:1 / I:2 / A:3
GCP detected account with password leak | Initial Access | T1078 - Valid Accounts | C:3 / I:3 / A:2
GCP probable Defense Evasion, Logging Sink Deletion | Defense Evasion | T1562 - Impair Defenses | C:1 / I:2 / A:3
GCP probable Exfiltration, Logging Sink Modification | Exfiltration | T1537 - Transfer Data to Cloud Account | C:3 / I:2 / A:2
GCP probable Government-backed attack | Collection | T1560 - Archive Collected Data | C:3 / I:3 / A:2
GCP probable Impact, Storage Bucket Deleted | Impact | T1485 - Data Destruction | C:1 / I:2 / A:3
GCP probable Password Guessing | Credential Access | T1110.001 - Brute Force: Password Guessing | C:3 / I:3 / A:2
GCP probable Privilege Escalation, Kubernetes role bindings created or patched | Privilege Escalation | T1548 - Abuse Elevation Control Mechanism | C:1 / I:2 / A:3
GCP probable hijacked account | Collection | T1560 - Archive Collected Data | C:3 / I:3 / A:2
GCP suspicious login blocked | Initial Access | T1078 - Valid Accounts | C:1 / I:2 / A:3
GCP suspicious login from less secure app | Initial Access | T1190 - Exploit Public-Facing Application | C:1 / I:2 / A:3
GCP suspicious programmatic login | Credential Access | T1110 - Brute Force | C:1 / I:2 / A:3
GKE Kubernetes Admission Webhook Modified | Persistence | T1078.004 - Valid Accounts: Cloud Accounts | C:3 / I:3 / A:2
Google Cloud Service Account Key Creation Spike | Credential Access | T1098 - Account Manipulation | C:3 / I:3 / A:2
Google Workspace MFA Enforcement Disabled | Defense Evasion | T1556 - Modify Authentication Process | C:3 / I:3 / A:1

Rule Example

Below is an example of a rule definition for Anthos Security Policy Violations:

# Rule version v1.0.0

dataTypes:
  - google
name: Anthos Security Policy Violations
impact:
  confidentiality: 3
  integrity: 3
  availability: 2
category: Security Control Bypass
technique: "T1562 - Impair Defenses"
adversary: origin
references:
  - https://cloud.google.com/anthos/docs/concepts/overview
  - https://attack.mitre.org/techniques/T1562/
description: |
  Detects security-related events in Google Anthos environments including policy violations, authentication failures, and suspicious container activities. Monitors Anthos Service Mesh, Config Management, and Policy Controller events.
  
  Next Steps:
  - Review the specific policy violation details in the event logs
  - Verify if the violation was authorized or represents a legitimate security concern
  - Check the source IP and user account associated with the violation
  - Examine recent configuration changes to Anthos security policies
  - Validate that security controls are properly configured and enforced
  - Consider implementing additional monitoring for the affected resources
where: |
  (
    oneOf("log.protoPayload.serviceName", ["anthos.googleapis.com", "anthospolicycontroller.googleapis.com", "anthosservicemesh.googleapis.com"]) ||
    oneOf("log.resourceType", ["k8s_cluster", "gke_cluster"])
  ) && 
  (
    contains("log.protoPayload.methodName", "Policy") ||
    oneOf("log.jsonPayload.type", ["admission.k8s.io/violation", "policy.violation", "security.alert"]) ||
    oneOf("log.severity", ["ERROR", "WARNING"])
  ) &&
  (
    equals("log.protoPayload.response.status", "PERMISSION_DENIED") ||
    contains("log.protoPayload.status.message", "violation") ||
    contains("log.protoPayload.status.message", "denied") ||
    contains("log.jsonPayload.details", "policy")
  )
groupBy:
  - lastEvent.log.protoPayload.resourceName
  - lastEvent.log.resource.labels.project_id
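To make the where clause above concrete, here is an added Python example (not code from the rule repository) that implements the three predicate functions the clause uses, oneOf, contains and equals, over dotted field paths, transcribes the clause, and runs it against three constructed log entries. It assumes that the leading "log." in a field path denotes the root of the Cloud Logging entry; the entries themselves are made up for the example.

```python
import json
from typing import Any

# Constructed Cloud Logging entries for the example; none of these are real logs.
# The rule's field paths start with "log.", which is assumed here to mean the
# root of the entry.
SAMPLE_LOGS = [json.loads(s) for s in (
    # Policy Controller denial with an explicit constraint violation -> should match
    '''{"severity": "ERROR", "resourceType": "k8s_cluster",
        "resource": {"labels": {"project_id": "prod-123"}},
        "protoPayload": {"serviceName": "anthospolicycontroller.googleapis.com",
                         "methodName": "io.k8s.admission.PolicyReview",
                         "resourceName": "namespaces/payments/deployments/api",
                         "status": {"message": "admission webhook denied the request: constraint violation"}}}''',
    # Routine read of cluster metadata -> must not match
    '''{"severity": "INFO", "resourceType": "gke_cluster",
        "resource": {"labels": {"project_id": "prod-123"}},
        "protoPayload": {"serviceName": "container.googleapis.com",
                         "methodName": "google.container.v1.ClusterManager.GetCluster",
                         "resourceName": "projects/prod-123/zones/us-central1-a/clusters/main"}}''',
    # Plain RBAC denial at WARNING severity -> matches too, which shows how broad the clause is
    '''{"severity": "WARNING", "resourceType": "gke_cluster",
        "resource": {"labels": {"project_id": "dev-456"}},
        "protoPayload": {"serviceName": "k8s.io",
                         "methodName": "io.k8s.core.v1.pods.create",
                         "resourceName": "core/v1/namespaces/default/pods/debug",
                         "status": {"message": "pods is forbidden: access denied"}}}''',
)]


def get_path(entry: dict, path: str) -> Any:
    """Resolve a dotted path such as 'log.protoPayload.status.message'; None if absent."""
    parts = path.split(".")
    if parts[0] == "log":          # assumption: 'log' is the entry root
        parts = parts[1:]
    cur: Any = entry
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def one_of(entry: dict, path: str, values: list) -> bool:
    return get_path(entry, path) in values


def contains(entry: dict, path: str, needle: str) -> bool:
    value = get_path(entry, path)
    return isinstance(value, str) and needle in value


def equals(entry: dict, path: str, expected: Any) -> bool:
    return get_path(entry, path) == expected


def anthos_policy_violation(entry: dict) -> bool:
    """Transcription of the rule's where clause: all three groups must hold."""
    in_scope = (
        one_of(entry, "log.protoPayload.serviceName",
               ["anthos.googleapis.com", "anthospolicycontroller.googleapis.com",
                "anthosservicemesh.googleapis.com"])
        or one_of(entry, "log.resourceType", ["k8s_cluster", "gke_cluster"])
    )
    policy_related = (
        contains(entry, "log.protoPayload.methodName", "Policy")
        or one_of(entry, "log.jsonPayload.type",
                  ["admission.k8s.io/violation", "policy.violation", "security.alert"])
        or one_of(entry, "log.severity", ["ERROR", "WARNING"])
    )
    denied = (
        equals(entry, "log.protoPayload.response.status", "PERMISSION_DENIED")
        or contains(entry, "log.protoPayload.status.message", "violation")
        or contains(entry, "log.protoPayload.status.message", "denied")
        or contains(entry, "log.jsonPayload.details", "policy")
    )
    return in_scope and policy_related and denied


def group_key(entry: dict) -> tuple:
    """The rule's groupBy fields, read from the matching (last) event."""
    return (get_path(entry, "log.protoPayload.resourceName"),
            get_path(entry, "log.resource.labels.project_id"))


def evaluate(entries: list) -> list:
    """Return one group key per matching entry, in input order."""
    return [group_key(e) for e in entries if anthos_policy_violation(e)]


if __name__ == "__main__":
    for key in evaluate(SAMPLE_LOGS):
        print("ALERT", key)
```

The third sample entry is worth noticing: because the second group accepts any ERROR or WARNING on a k8s_cluster or gke_cluster resource, an ordinary RBAC denial in a dev namespace fires the rule alongside the real Policy Controller violation, so expect to tune the severity branch or rely on the groupBy keys to separate noise from signal. Also check field mapping before deploying: a raw Cloud Logging LogEntry carries the monitored resource type at resource.type, while the clause reads log.resourceType; the sample entries above set resourceType literally so the transcription matches, but your pipeline must map the field the same way or the in_scope branch will only ever match on serviceName.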

Rule Details

Anthos Security Policy Violations

Detects security-related events in Google Anthos environments including policy violations, authentication failures, and suspicious container activities. Monitors Anthos Service Mesh, Config Management, and Policy Controller events.

Binary Authorization Bypass Detection

Detects attempts to bypass Binary Authorization controls including use of break-glass deployments, policy violations, and unauthorized container deployments. These events could indicate attempts to deploy untrusted or malicious container images.

Cloud Identity Suspicious Sign-ins Detection

Detects suspicious sign-in attempts to Google Cloud Identity, including logins from unfamiliar locations, unusual IP addresses, or after multiple failed attempts. These could indicate compromised credentials or unauthorized access attempts.

GCP 2-step verification disabled

Google Cloud has detected that 2-step verification was disabled for the organization or for a user.

GCP Audit Log Disabling or Tampering

Detects attempts to disable GCP audit logging including sink deletion, log exclusion filter creation, and audit configuration changes. Attackers may manipulate logging infrastructure to hide their activities from security monitoring.

GCP BigQuery Data Exfiltration Detection

Detects BigQuery operations that may indicate data exfiltration including large data exports, table copies to external projects, and extract jobs writing to external storage. Attackers may use BigQuery to query and export large datasets from compromised projects.

GCP Break-Glass Container Workload Deployed

Detects deployment of container workloads using the break-glass mechanism to bypass Binary Authorization policy. While legitimate in emergency scenarios, this bypasses security controls and can be abused to deploy malicious or untrusted container images.

GCP Cloud Function and Cloud Run Abuse

Detects creation or modification of Cloud Functions and Cloud Run services which can be used for persistence, backdoor access, or command execution. Attackers may deploy serverless functions with high-privilege service accounts to maintain access or exfiltrate data.

GCP Cloud Storage Data Exfiltration

Detects GCP Cloud Storage operations indicating potential data exfiltration including making buckets publicly accessible, modifying IAM policies to grant allUsers access, or bulk object downloads. These actions may indicate an attacker attempting to exfiltrate data from cloud storage.
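The IAM-policy branch of this detection is the most precise one, because the Cloud Storage admin-activity log records the exact binding change. The added Python example below (not the rule's own code) inspects the policyDelta.bindingDeltas field of storage.setIamPermissions entries and reports only bindings that newly grant allUsers or allAuthenticatedUsers, ignoring grants to named principals and ignoring removals, which are remediation rather than exposure. The entries are constructed for the example.

```python
import json

# Principals that make a bucket world-readable (or readable by any Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed admin-activity entries for the example (not real logs).
SAMPLE_ENTRIES = [json.loads(s) for s in (
    # Grant objectViewer to allUsers on an exports bucket -> finding
    '''{"protoPayload": {"methodName": "storage.setIamPermissions",
        "resourceName": "projects/_/buckets/customer-exports",
        "authenticationInfo": {"principalEmail": "mallory@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]}}}}''',
    # Grant to a named group -> not public, no finding
    '''{"protoPayload": {"methodName": "storage.setIamPermissions",
        "resourceName": "projects/_/buckets/team-assets",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.4"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectViewer", "member": "group:analysts@example.com"}]}}}}''',
    # Removal of a public binding is remediation, not exfiltration -> no finding
    '''{"protoPayload": {"methodName": "storage.setIamPermissions",
        "resourceName": "projects/_/buckets/legacy-static",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.4"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "REMOVE", "role": "roles/storage.objectViewer", "member": "allAuthenticatedUsers"}]}}}}''',
    # Unrelated bucket metadata read -> ignored
    '''{"protoPayload": {"methodName": "storage.buckets.get",
        "resourceName": "projects/_/buckets/customer-exports",
        "authenticationInfo": {"principalEmail": "ci@prod-123.iam.gserviceaccount.com"}}}''',
)]


def public_grants(entries):
    """Return one finding per binding that newly grants a public principal on a bucket."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "storage.setIamPermissions":
            continue
        deltas = (payload.get("serviceData", {})
                         .get("policyDelta", {})
                         .get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("action") == "ADD" and delta.get("member") in PUBLIC_MEMBERS:
                findings.append({
                    "bucket": payload.get("resourceName"),
                    "role": delta.get("role"),
                    "member": delta.get("member"),
                    "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                    "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
                })
    return findings


if __name__ == "__main__":
    for finding in public_grants(SAMPLE_ENTRIES):
        print("PUBLIC GRANT", finding)
```

Acting on the binding delta rather than on the method name alone keeps the alert volume proportional to actual exposure: every setIamPermissions call is logged, but only the first sample changes who can read the data. The bulk-download branch of the rule needs Data Access logs for storage.objects.get, which are not enabled by default and are high volume; budget for that before relying on it.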

GCP Cryptomining Instance Launch Detection

Detects creation of GPU-accelerated or high-compute GCP instances commonly used for cryptomining. Attackers with compromised GCP credentials frequently launch expensive GPU instances (a2, g2) or compute-optimized instances in unusual regions for cryptocurrency mining operations.

GCP Custom Role with Overly Permissive Permissions

Detects creation or modification of GCP custom IAM roles which may include overly permissive permissions for privilege escalation. Attackers may create custom roles with broad permissions like iam.serviceAccountKeys.create, iam.serviceAccounts.actAs, or compute.instances.setMetadata to escalate privileges.
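Custom role events carry the requested permission list in the audit log request body, so the check can be made concrete. The added Python example below (not the rule's own code) reads the includedPermissions of CreateRole and UpdateRole entries and intersects them with a set of escalation-prone permissions. The first three permissions in that set are the ones the description names; the rest are added here as further well-known paths to acting as another identity or rewriting policy. The log entries are constructed for the example.

```python
import json

# Permissions that let a holder become or act as another identity, or rewrite
# policy. The first three come from the rule description; the rest are added
# here as further well-known escalation paths.
ESCALATION_PERMISSIONS = {
    "iam.serviceAccountKeys.create",
    "iam.serviceAccounts.actAs",
    "compute.instances.setMetadata",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt",
    "iam.serviceAccounts.implicitDelegation",
    "iam.serviceAccounts.setIamPolicy",
    "iam.roles.update",
    "resourcemanager.projects.setIamPolicy",
}

ROLE_METHODS = {"google.iam.admin.v1.CreateRole", "google.iam.admin.v1.UpdateRole"}

# Constructed admin-activity entries for the example (not real logs).
SAMPLE_ENTRIES = [json.loads(s) for s in (
    # Innocuous-looking "Helper" role that bundles two impersonation primitives -> finding
    '''{"protoPayload": {"methodName": "google.iam.admin.v1.CreateRole",
        "resourceName": "projects/prod-123/roles/Helper",
        "authenticationInfo": {"principalEmail": "mallory@example.com"},
        "request": {"roleId": "Helper", "role": {"title": "Helper",
            "includedPermissions": ["logging.logEntries.list", "iam.serviceAccountKeys.create",
                                    "iam.serviceAccounts.actAs", "storage.objects.list"]}}}}''',
    # Read-only auditor role updated with more read permissions -> no finding
    '''{"protoPayload": {"methodName": "google.iam.admin.v1.UpdateRole",
        "resourceName": "organizations/4242/roles/Auditor",
        "authenticationInfo": {"principalEmail": "secops@example.com"},
        "request": {"role": {"title": "Auditor",
            "includedPermissions": ["logging.logEntries.list", "iam.roles.get", "iam.roles.list"]}}}}''',
    # Role deletion carries no permission list -> ignored
    '''{"protoPayload": {"methodName": "google.iam.admin.v1.DeleteRole",
        "resourceName": "projects/prod-123/roles/OldRole",
        "authenticationInfo": {"principalEmail": "secops@example.com"}}}''',
)]


def risky_custom_roles(entries):
    """Map each created or updated custom role to the escalation permissions it grants."""
    findings = {}
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") not in ROLE_METHODS:
            continue
        granted = set(payload.get("request", {}).get("role", {}).get("includedPermissions", []))
        risky = sorted(granted & ESCALATION_PERMISSIONS)
        if risky:
            findings[payload.get("resourceName")] = {
                "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                "method": payload["methodName"],
                "risky_permissions": risky,
            }
    return findings


if __name__ == "__main__":
    for role, detail in risky_custom_roles(SAMPLE_ENTRIES).items():
        print("RISKY ROLE", role, detail)
```

Two caveats when turning this into a production rule. An UpdateRole entry shows the requested role body, not a diff against the previous version, so the set above tells you what the role grants after the change, not what was added; compare against the stored role if you need the delta. And a role title like "Helper" is exactly what an attacker would choose, so alert on the permission content and the actor, never on the name.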

GCP DLP Re-Identification API Call

Detects calls to the DLP re-identification API which reverses data de-identification. This is a sensitive operation that could expose previously protected PII, financial data, or health records. Unauthorized use indicates potential data exfiltration attempts.

GCP Domain-Wide API Access Granted

Detects when domain-wide delegation is granted to a service account in Google Workspace. This allows the service account to impersonate any user in the domain and access their data, making it a high-impact privilege escalation vector.

GCP KMS Key Destruction or Disabling

Detects destruction or disabling of Cloud KMS key versions which could render encrypted data unrecoverable. Attackers may destroy encryption keys as part of a destructive attack to prevent data recovery or to disrupt operations dependent on encrypted resources.

GCP Network Packet Capture Configuration

Detects creation or modification of Packet Mirroring configurations in GCP. Attackers use packet mirroring to capture network traffic for credential theft, data exfiltration, or reconnaissance.

GCP Project Manipulation and Shadow Projects

Detects GCP project creation, deletion, and undelete operations that could indicate shadow project creation for persistence or project deletion for impact. Attackers may create new projects outside organizational controls to host malicious workloads.

GCP Secret Manager Bulk Access Detection

Detects bulk access to GCP Secret Manager secrets which may indicate credential harvesting. Attackers who gain access to a GCP project may enumerate and retrieve all stored secrets to obtain API keys, database credentials, and other sensitive data.

GCP Service Account Impersonation Detection

Detects service account impersonation through token generation APIs including GenerateAccessToken, GenerateIdToken, and SignBlob. Attackers may impersonate service accounts to escalate privileges or access resources the service account has been granted.
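The added Python example below (not the rule's own code) shows what an analyst wants out of these events: who called the IAM Service Account Credentials API, which method, which target service account (parsed from the resourceName), and whether a delegation chain was involved. SignJwt is included alongside the three methods named in the description because a signed JWT can likewise be exchanged for an access token. The log entries are constructed for the example.

```python
import json

# Token-minting and signing methods of the IAM Service Account Credentials API.
# GenerateAccessToken, GenerateIdToken and SignBlob are named in the rule
# description; SignJwt is added here for the same reason (it yields a credential).
IMPERSONATION_METHODS = {"GenerateAccessToken", "GenerateIdToken", "SignBlob", "SignJwt"}
SA_PREFIX = "projects/-/serviceAccounts/"

# Constructed Data Access entries for the example (not real logs).
SAMPLE_ENTRIES = [json.loads(s) for s in (
    # Human user minting a token for a deploy SA -> finding
    '''{"timestamp": "2024-05-01T10:02:00Z",
        "protoPayload": {"serviceName": "iamcredentials.googleapis.com",
        "methodName": "GenerateAccessToken",
        "resourceName": "projects/-/serviceAccounts/deployer@prod-123.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "mallory@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"}}}''',
    # Delegated chain: the caller is itself an SA acting on behalf of a user -> finding with chain
    '''{"timestamp": "2024-05-01T10:05:00Z",
        "protoPayload": {"serviceName": "iamcredentials.googleapis.com",
        "methodName": "SignBlob",
        "resourceName": "projects/-/serviceAccounts/signer@prod-123.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "ci@prod-123.iam.gserviceaccount.com",
            "serviceAccountDelegationInfo": [{"firstPartyPrincipal": {"principalEmail": "alice@example.com"}}]},
        "requestMetadata": {"callerIp": "198.51.100.4"}}}''',
    # IAM admin read on the same service account -> not impersonation, ignored
    '''{"timestamp": "2024-05-01T10:06:00Z",
        "protoPayload": {"serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.GetServiceAccount",
        "resourceName": "projects/-/serviceAccounts/deployer@prod-123.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "mallory@example.com"}}}''',
)]


def impersonation_events(entries):
    """Extract who impersonated which service account, with any delegation chain."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "iamcredentials.googleapis.com":
            continue
        if payload.get("methodName") not in IMPERSONATION_METHODS:
            continue
        resource = payload.get("resourceName", "")
        target = resource[len(SA_PREFIX):] if resource.startswith(SA_PREFIX) else resource
        auth = payload.get("authenticationInfo", {})
        actor = auth.get("principalEmail", "")
        chain = [d.get("firstPartyPrincipal", {}).get("principalEmail")
                 for d in auth.get("serviceAccountDelegationInfo", [])]
        findings.append({
            "time": entry.get("timestamp"),
            "actor": actor,
            "delegation_chain": [c for c in chain if c],
            "method": payload["methodName"],
            "target": target,
            # A human principal minting SA tokens deserves more scrutiny than
            # workload-to-workload impersonation.
            "human_actor": not actor.endswith(".gserviceaccount.com"),
        })
    return findings


if __name__ == "__main__":
    for finding in impersonation_events(SAMPLE_ENTRIES):
        print("IMPERSONATION", finding)
```

These calls are recorded as Data Access audit logs for the IAM Service Account Credentials API, which are not enabled by default; confirm they are turned on, or this rule has nothing to match. The human_actor flag and the target service account are the two fields to feed into severity: a user impersonating a service account that holds owner-level roles is a different event from a CI pipeline impersonating its own deploy account.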

GCP Workload Identity Federation Abuse

Detects creation or modification of workload identity pools and providers that enable external identities to access GCP resources. Attackers may create workload identity configurations to grant access to external attacker-controlled identity providers for persistent cloud access.

GCP account is probably used for spamming

A user's account was disabled because Google has become aware that it was used to engage in spamming. Spamming is usually a stepping stone to other attacks such as phishing or spreading malware.

GCP detected account with password leak

A user's account was disabled because a password leak was detected by Google.

GCP probable Defense Evasion, Logging Sink Deletion

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics are cross-listed here when those techniques include the added benefit of subverting defenses. Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.

GCP probable Exfiltration, Logging Sink Modification

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they've collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.

GCP probable Government-backed attack

A user's account might have been targeted by government-backed attack. Government-backed attackers are trying to access the account of one of your users. An attack happens to less than 0.1% of all Google Account users. There's a chance the alert is a false alarm. However, we believe we detected activities that government-backed attackers use to try to steal a password or other personal information. Such activity includes the user receiving an email containing a harmful attachment, links to malicious software downloads, or links to fake websites that are designed to access passwords.

GCP probable Impact, Storage Bucket Deleted

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversary's goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.

GCP probable Password Guessing

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

GCP probable Privilege Escalation, Kubernetes role bindings created or patched

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Identifies the creation or patching of potentially malicious role bindings. Users can use role bindings and cluster role bindings to assign roles to Kubernetes subjects (users, groups, or service accounts).

GCP probable hijacked account

A user's account was disabled because Google has detected suspicious activity indicating it might have been compromised. A hijacked account can be used to perform other attacks such as data collection and exfiltration.

GCP suspicious login blocked

A suspicious login to a user's account was detected and blocked by Google Cloud.

GCP suspicious login from less secure app

Less secure apps (LSAs) are non-Google apps that can access your Google account with only a username and password. They make your account more vulnerable to hijacking attempts.

GCP suspicious programmatic login

Google Cloud has detected a suspicious programmatic login. Programmatic logins can be used to perform brute-force attacks.

GKE Kubernetes Admission Webhook Modified

Detects creation or modification of admission webhook configurations in Google Kubernetes Engine. Attackers use malicious admission controllers to inject sidecar containers, modify workload specs, or intercept secrets.

Google Cloud Service Account Key Creation Spike

Detects spikes in service account key creation which could indicate credential harvesting or preparation for unauthorized access. Service account keys provide long-term credentials that can be used to authenticate as the service account. Multiple key creations by the same user within a short timeframe may indicate malicious activity or preparation for privilege escalation attacks.

Google Workspace MFA Enforcement Disabled

Detects when MFA enforcement is disabled in Google Workspace. Disabling MFA removes a critical security control and enables credential-based attacks against all users in the organization.