Create gcp_full_network_traffic_packet_capture.yml

This commit is contained in:
Austin Songer 2021-08-13 17:07:18 -05:00 committed by GitHub
parent 5b72cdb3c2
commit a973c6c445
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -0,0 +1,26 @@
title: Google Full Network Traffic Packet Capture
id: 980a7598-1e7f-4962-9372-2d754c930d0e
description: Identifies potential full network packet capture in AWS. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
author: Austin Songer
status: experimental
date: 2021/08/13
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
- https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- v*.Compute.PacketMirrorings.Get
- v*.Compute.PacketMirrorings.Delete
- v*.Compute.PacketMirrorings.Insert
- v*.Compute.PacketMirrorings.Patch
condition: selection
level: medium
tags:
- attack.collection
- attack.t1074
falsepositives:
- Full Network Packet Capture may be done by a system or network administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
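Review bot: the description on the `description:` line says the rule "Identifies potential full network packet capture in AWS", but everything else in this file is GCP (the title, the `gcp.audit` logsource, the `v*.Compute.PacketMirrorings.*` method names and the Google Cloud references), so the description should read "in GCP" or "in Google Cloud"; as written it will mislead analysts triaging the alert. Two smaller points on the `selection` block: `v*.Compute.PacketMirrorings.Get` is a read-only call and will fire on any console view or inventory tooling that lists mirroring policies, which does not match the `medium` level or the abuse case in the description, so consider dropping `Get` or splitting it into a lower-level rule, and the `falsepositives` entry "If known behavior is causing false positives, it can be exempted from the rule." is generic boilerplate rather than a concrete false positive; naming the expected legitimate sources (for example, security or network teams configuring mirroring to an IDS collector) would be more useful to tuners.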