Skip to content

compute.firewalls.patch

GCP

compute.firewalls.patch

service: GCP - Compute Engine
techniques:

Event

Modifies an existing firewall rule in a GCP VPC network.

Security Context

  • Modifying network security controls can open unauthorized access paths while removing evidence of the original restrictive configuration.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco modifies the existing billywig-public-ingress firewall rule on the production VPC to widen its sourceRanges from 198.51.100.0/24 (corporate egress range) to 0.0.0.0/0, exposing the BILLYWIG edge fleet’s port 22 (SSH) to the entire internet. This both opens an inbound persistence path and weakens the security posture broadly. The adversary picked patch over delete because it’s lower-noise — a delete would create an immediate “rule disappeared” alert, while a quiet broaden-to-0.0.0.0/0 often slips past detection that doesn’t inspect sourceRanges. Compute LROs emit a paired last entry on completion; this is the first entry.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.firewall-rules.update invocation-id/90000000000000000000001111101011 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T14:11:09.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.firewalls.patch",
"authorizationInfo": [
{
"permission": "compute.firewalls.update",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/fantasticlogs-prod/global/firewalls/billywig-public-ingress",
"type": "compute.firewalls"
}
},
{
"permission": "compute.networks.updatePolicy",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/fantasticlogs-prod/global/networks/default",
"type": "compute.networks"
}
}
],
"resourceName": "projects/fantasticlogs-prod/global/firewalls/billywig-public-ingress",
"request": {
"@type": "type.googleapis.com/compute.firewalls.patch",
"name": "billywig-public-ingress",
"alloweds": [
{
"IPProtocol": "tcp",
"ports": [
"22",
"443"
]
}
],
"sourceRanges": [
"0.0.0.0/0"
],
"direction": "INGRESS",
"priority": 1000
},
"response": {
"@type": "type.googleapis.com/operation",
"id": "8200000000000001111101011",
"name": "operation-1776265869000-62fa224b3a201-ab001011-cd001011",
"operationType": "patch",
"targetId": "6100000000000001111101011",
"targetLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/global/firewalls/billywig-public-ingress",
"selfLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/global/operations/operation-1776265869000-62fa224b3a201-ab001011-cd001011",
"selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/global/operations/8200000000000001111101011",
"user": "draco@fantasticlogs.cloud",
"status": "RUNNING",
"progress": "0",
"insertTime": "2026-04-15T07:11:09.301-07:00",
"startTime": "2026-04-15T07:11:09.318-07:00"
},
"resourceLocation": {
"currentLocations": [
"global"
]
}
},
"insertId": "evt001111101011",
"resource": {
"type": "gce_firewall_rule",
"labels": {
"project_id": "fantasticlogs-prod",
"firewall_rule_id": "6100000000000001111101011"
}
},
"timestamp": "2026-04-15T14:11:09.123456789Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"operation": {
"id": "operation-1776265869000-62fa224b3a201-ab001011-cd001011",
"producer": "compute.googleapis.com",
"first": true
},
"receiveTimestamp": "2026-04-15T14:11:09.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1686.001 — Cloud Firewall — Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.