Disable VPC Flow Logs on a Subnet

idempotent

Platform: GCP

Mappings

  • MITRE ATT&CK
    • Defense Evasion

Description

Disables VPC flow logging on a subnet by patching its log configuration. VPC flow logs record network traffic metadata for all VM instances in a subnet, providing visibility for network monitoring and forensic investigation.

Warm-up:

  • Create a VPC network
  • Create a subnet with VPC flow logs enabled

Detonation:

  • Disable VPC flow logs on the subnet by patching its logConfig.enable field to false

Revert:

  • Re-enable VPC flow logs on the subnet

Instructions

Detonate with Stratus Red Team
stratus detonate gcp.defense-evasion.remove-vpc-flow-logs

Detection

Identify when VPC flow logging is disabled on a subnet by monitoring for v1.compute.subnetworks.patch events in GCP Admin Activity audit logs where the request sets logConfig.enable to false.
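The detection rule above, implemented as an added example that is not part of the Stratus Red Team project: a small Python filter that reads GCP Admin Activity audit log entries as JSON lines and flags a subnetwork patch whose request body sets logConfig.enable to false. The log entries are constructed for this example; the field layout (protoPayload.methodName, protoPayload.request, protoPayload.resourceName, protoPayload.authenticationInfo.principalEmail) follows the Cloud Audit Logs format, and the project, region, subnet and principal names are placeholders. The matcher deliberately goes slightly beyond the page's v1 example and accepts any API version prefix (for instance beta.compute.subnetworks.patch), on the assumption that the method name carries the version as a prefix. Patches that do not touch logConfig, and patches that re-enable logging, are not reported.

```python
import json

# Constructed sample Admin Activity audit log entries (not real logs).
# Entry 1: flow logs disabled on a subnet via the v1 API (should match).
# Entry 2: a patch that only changes privateIpGoogleAccess (no match).
# Entry 3: flow logs re-enabled on the subnet (no match: this is the revert).
# Entry 4: same disable action through the beta API (should match).
# Entry 5: a malformed line, to show the parser skips it rather than crashing.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": "2024-01-01T10:00:00Z",
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.subnetworks.patch",
            "resourceName": "projects/example-project/regions/us-central1/subnetworks/example-subnet",
            "authenticationInfo": {"principalEmail": "operator@example.com"},
            "request": {"logConfig": {"enable": False}, "fingerprint": "PLACEHOLDER"},
        },
    }),
    json.dumps({
        "timestamp": "2024-01-01T10:05:00Z",
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.subnetworks.patch",
            "resourceName": "projects/example-project/regions/us-central1/subnetworks/example-subnet",
            "authenticationInfo": {"principalEmail": "operator@example.com"},
            "request": {"privateIpGoogleAccess": True, "fingerprint": "PLACEHOLDER"},
        },
    }),
    json.dumps({
        "timestamp": "2024-01-01T10:10:00Z",
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.subnetworks.patch",
            "resourceName": "projects/example-project/regions/us-central1/subnetworks/example-subnet",
            "authenticationInfo": {"principalEmail": "operator@example.com"},
            "request": {"logConfig": {"enable": True}, "fingerprint": "PLACEHOLDER"},
        },
    }),
    json.dumps({
        "timestamp": "2024-01-01T10:15:00Z",
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "beta.compute.subnetworks.patch",
            "resourceName": "projects/example-project/regions/europe-west1/subnetworks/other-subnet",
            "authenticationInfo": {"principalEmail": "svc-account@example-project.iam.gserviceaccount.com"},
            "request": {"logConfig": {"enable": False}},
        },
    }),
    "this line is not JSON",
]


def is_flow_log_disable(entry: dict) -> bool:
    """True when the entry is a subnetwork patch that explicitly sets logConfig.enable to false."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    # Match v1/beta/alpha variants: the API version is a prefix of the method name (assumption).
    if not method.endswith("compute.subnetworks.patch"):
        return False
    log_config = payload.get("request", {}).get("logConfig")
    if not isinstance(log_config, dict):
        return False  # the patch did not touch flow log configuration
    # Only an explicit boolean false disables logging; absence or true is not a disable.
    return log_config.get("enable") is False


def detect(lines) -> list:
    """Run the rule over JSON log lines and return one finding per disable event."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparsable lines instead of aborting the scan
        if not isinstance(entry, dict) or not is_flow_log_disable(entry):
            continue
        payload = entry["protoPayload"]
        findings.append({
            "time": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "subnet": payload.get("resourceName"),
            "method": payload.get("methodName"),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG_LINES):
        print(f"VPC flow logs disabled: {finding}")
```

In practice the same condition maps onto a Cloud Logging filter on protoPayload.methodName and protoPayload.request.logConfig.enable; running the logic locally, as here, is mainly useful for testing the rule against exported logs before deploying it as an alert.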