Disable a GCP Log Sink

idempotent

Platform: GCP

Mappings

  • MITRE ATT&CK
    • Defense Evasion

Description

Disables a Cloud Logging sink that exports audit logs to a storage destination. Simulates an attacker temporarily halting audit log export to impair detection, without permanently destroying the sink configuration.

Warm-up:

  • Create a GCS bucket
  • Create a log sink exporting audit logs (cloudaudit.googleapis.com) to the bucket

Detonation:

  • Disable the log sink by setting its disabled field to true

Revert:

  • Re-enable the log sink by setting its disabled field back to false

Instructions

Detonate with Stratus Red Team
stratus detonate gcp.defense-evasion.disable-logging-sink

Detection

Identify when a log sink is updated using the GCP Admin Activity audit log event google.logging.v2.ConfigServiceV2.UpdateSink. Inspect the request to check whether the disabled field was set to true.
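The detection described above, as an added example that is not part of the Stratus Red Team page: a small Python filter that runs over Cloud Logging audit entries and flags an UpdateSink call whose request sets `disabled` to true. The sample entries are constructed; the project id, sink name and principal are placeholders, and the exact nesting of the UpdateSink request fields is assumed.

```python
import json

# Admin Activity audit log method emitted when a sink is modified
UPDATE_SINK = "google.logging.v2.ConfigServiceV2.UpdateSink"


def is_sink_disable(entry: dict) -> bool:
    """True when this audit entry is an UpdateSink that sets disabled=true."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != UPDATE_SINK:
        return False
    # Assumed shape: protoPayload.request.sink holds the new sink config
    sink = payload.get("request", {}).get("sink", {})
    return sink.get("disabled") is True


def find_disabled_sinks(entries):
    """Return one alert dict per entry that disables a log sink."""
    alerts = []
    for entry in entries:
        if not is_sink_disable(entry):
            continue
        payload = entry["protoPayload"]
        alerts.append({
            "sink": payload.get("request", {}).get("sinkName")
                    or payload.get("resourceName"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "timestamp": entry.get("timestamp"),
        })
    return alerts


def _entry(method, sink_name, disabled):
    """Build a constructed audit entry (placeholder values, not real logs)."""
    return {
        "timestamp": "2024-01-01T00:00:00Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "logging.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": "user@example.com"},
            "request": {"sinkName": sink_name, "sink": {"disabled": disabled}},
        },
    }


SINK = "projects/example-project/sinks/audit-export-sink"  # placeholder
SAMPLE_ENTRIES = [
    _entry(UPDATE_SINK, SINK, True),    # detonation: sink disabled -> alert
    _entry(UPDATE_SINK, SINK, False),   # revert: sink re-enabled -> no alert
    _entry("google.logging.v2.ConfigServiceV2.CreateSink", SINK, False),
]

if __name__ == "__main__":
    print(json.dumps(find_disabled_sinks(SAMPLE_ENTRIES), indent=2))
```

The filter deliberately ignores the re-enable (disabled=false) and the CreateSink call, so only the detonation step produces an alert.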