Suspicious GCP API calls indicating Pub/Sub topic creation
Description
AlphaSOC detected creation of a GCP Pub/Sub topic via the
google.pubsub.v1.Publisher.CreateTopic API call. Adversaries may create topics to
stage data for exfiltration, establish command-and-control channels, or create
covert communication paths within the GCP environment. A push subscription
attached to a topic can deliver its messages to any reachable HTTPS endpoint,
including one outside the organisation.
Impact
An unauthorized topic can serve as a staging area for data exfiltration or as a communication channel between a compromised workload and the attacker. Because the Pub/Sub service performs the delivery, data published from a compromised resource can reach an attacker-controlled push endpoint without that resource ever opening a direct external connection, so egress monitoring on the workload alone will not reveal the theft.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review the GCP Admin Activity audit logs for the CreateTopic action. Identify the
topic configuration, any subscriptions attached to it, and the principal
responsible, together with the caller IP and user agent recorded in the log entry.
Check whether any push subscription on the topic delivers to an endpoint outside the organisation.
If unauthorized, delete the topic and all of its subscriptions. Pub/Sub does not retain message contents for review, so estimate what may have been exfiltrated from topic metrics (published message counts and sizes) and from the logs of whatever workload was publishing. Investigate the compromised identity for additional staging or exfiltration activity and revoke or rotate its credentials.
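The triage steps above, worked through in code. This is an added example, not AlphaSOC's or Google's code: it reads Cloud Audit Log entries in their documented JSON shape, scores how many of the four properties from the severity table (action, ASN, user agent, region) fall outside a baseline, and lists push subscriptions on the new topic whose endpoint is not an internal domain. The log entries, the IP enrichment table, the baseline, the subscription list and the `example.com` internal domain are all constructed for the example; in practice the entries come from a Cloud Logging query on `protoPayload.methodName="google.pubsub.v1.Publisher.CreateTopic"` and the subscriptions from `gcloud pubsub subscriptions list --format=json`.

```python
"""Triage a GCP Pub/Sub CreateTopic audit event. Added example, not AlphaSOC's or Google's code:
it parses Cloud Audit Log entries in their documented JSON shape, counts how many of the properties
action, ASN, user agent and region fall outside a baseline, and flags push subscriptions on the new
topic whose endpoint is not an internal domain. Every value below is constructed for the example."""
from urllib.parse import urlparse

CREATE_TOPIC = "google.pubsub.v1.Publisher.CreateTopic"

# Constructed baseline of expected values for this project (assumption).
BASELINE = {
    "action": {"google.pubsub.v1.Publisher.Publish", "google.pubsub.v1.Subscriber.Pull"},
    "asn": {"AS15169"},  # Google-owned ranges, i.e. callers inside GCP
    "user_agent": {"google-cloud-sdk"},
    "region": {"US", "DE"},
}
# Constructed IP enrichment; ASN and geolocation come from the pipeline, not from the audit log.
ENRICHMENT = {"35.190.0.10": {"asn": "AS15169", "region": "US"},
              "203.0.113.7": {"asn": "AS64496", "region": "SG"}}
# Constructed Cloud Audit Log entries (real field names, made-up values).
AUDIT_LOG = [
    {"timestamp": "2024-05-01T02:10:02Z", "protoPayload": {  # routine publish, not a CreateTopic
        "methodName": "google.pubsub.v1.Publisher.Publish",
        "resourceName": "projects/example-proj/topics/orders",
        "authenticationInfo": {"principalEmail": "orders-svc@example-proj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "35.190.0.10", "callerSuppliedUserAgent": "google-cloud-sdk"}}},
    {"timestamp": "2024-05-01T02:11:30Z", "protoPayload": {  # CI account via gcloud from inside GCP
        "methodName": CREATE_TOPIC,
        "resourceName": "projects/example-proj/topics/orders-dlq",
        "authenticationInfo": {"principalEmail": "ci-deploy@example-proj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "35.190.0.10", "callerSuppliedUserAgent": "google-cloud-sdk"}}},
    {"timestamp": "2024-05-01T02:13:44Z", "protoPayload": {  # user account, foreign ASN and region
        "methodName": CREATE_TOPIC,
        "resourceName": "projects/example-proj/topics/exfil-staging",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7", "callerSuppliedUserAgent": "python-requests/2.31"}}},
]
# Constructed output of `gcloud pubsub subscriptions list --format=json`.
SUBSCRIPTIONS = [
    {"name": "projects/example-proj/subscriptions/exfil-push",
     "topic": "projects/example-proj/topics/exfil-staging",
     "pushConfig": {"pushEndpoint": "https://collector.attacker.example/ingest"}},
    {"name": "projects/example-proj/subscriptions/exfil-pull",
     "topic": "projects/example-proj/topics/exfil-staging", "pushConfig": {}},
    {"name": "projects/example-proj/subscriptions/orders-dlq-push",
     "topic": "projects/example-proj/topics/orders-dlq",
     "pushConfig": {"pushEndpoint": "https://hooks.example.com/dlq"}},
]

def create_topic_events(entries):
    """Extract the fields an analyst needs from every CreateTopic audit entry."""
    events = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != CREATE_TOPIC:
            continue
        meta = payload.get("requestMetadata", {})
        events.append({"timestamp": entry.get("timestamp"), "action": payload["methodName"],
                       "topic": payload.get("resourceName"),
                       "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                       "caller_ip": meta.get("callerIp"), "user_agent": meta.get("callerSuppliedUserAgent")})
    return events

def unexpected_properties(event, enrichment, baseline):
    """Names of the properties (action, asn, user_agent, region) that fall outside the baseline."""
    ip_info = enrichment.get(event["caller_ip"], {})
    observed = {"action": event["action"], "asn": ip_info.get("asn"),
                "user_agent": event["user_agent"], "region": ip_info.get("region")}
    return {name for name, value in observed.items() if value not in baseline[name]}

def severity(n_unexpected):
    """Severity table above; 'three' is read as three or more (assumption)."""
    if n_unexpected >= 3:
        return "Medium"
    return {2: "Low", 1: "Informational"}.get(n_unexpected)

def external_push_endpoints(subscriptions, topic, internal_domains):
    """Push subscriptions on `topic` whose endpoint host is not under an internal domain."""
    flagged = []
    for sub in subscriptions:
        endpoint = sub.get("pushConfig", {}).get("pushEndpoint")
        if sub.get("topic") != topic or not endpoint:
            continue
        host = urlparse(endpoint).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in internal_domains):
            flagged.append((sub["name"], endpoint))
    return flagged

def triage(entries, enrichment, subscriptions, baseline, internal_domains):
    """One record per CreateTopic event: unexpected properties, severity and external push endpoints."""
    report = []
    for event in create_topic_events(entries):
        unexpected = unexpected_properties(event, enrichment, baseline)
        report.append({**event, "unexpected": sorted(unexpected), "severity": severity(len(unexpected)),
                       "external_push": external_push_endpoints(subscriptions, event["topic"], internal_domains)})
    return report

if __name__ == "__main__":
    for rec in triage(AUDIT_LOG, ENRICHMENT, SUBSCRIPTIONS, BASELINE, {"example.com"}):
        print(rec["severity"], rec["principal"], rec["topic"], rec["unexpected"], rec["external_push"])
```

Run as-is, the CI-created `orders-dlq` topic scores Informational (only the action is outside the baseline) and has no external push endpoint, while `exfil-staging`, created by a user account from a foreign ASN and region with a scripted client, scores Medium and is flagged for its push subscription to `collector.attacker.example`. The pull subscription on the same topic is deliberately not flagged: it is still worth listing during investigation, but it does not by itself move data off the platform.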