storage.objects.delete
storage.objects.delete
Event
Deletes objects from Cloud Storage, used in data destruction or anti-forensics operations.
Security Context
- Deleting Cloud Storage objects can permanently destroy data if versioning is not enabled, causing irreversible data loss for backups, application data, and forensic evidence.
- Adversaries delete storage objects as part of destructive attacks, ransomware operations, or anti-forensics cleanup to remove evidence of exfiltrated data or staging buckets.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco deletes the object events/iam/2026-04-15/draco-actions.json.gz from the fantasticlogs-niffler-archive bucket — a long-term audit-log archive bucket where the security team mirrors all Cloud Audit Logs for 7-year retention. Deleting this specific object removes the forensic trail of Draco’s actions from the long-term archive (the SIEM still has it from the live stream, but the archive — which is supposed to be tamper-evident — no longer has the matching record). Versioning is not enabled on this bucket, so the object is irrecoverable. Data Access logs are not enabled by default for storage.googleapis.com — without per-bucket enablement, this delete is silent.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.storage.rm invocation-id/90000000000000000000010000001000 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T18:01:14.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "storage.googleapis.com", "methodName": "storage.objects.delete", "authorizationInfo": [ { "resource": "projects/_/buckets/fantasticlogs-niffler-archive/objects/events/iam/2026-04-15/draco-actions.json.gz", "permission": "storage.objects.delete", "granted": true, "resourceAttributes": { "service": "storage.googleapis.com", "name": "projects/_/buckets/fantasticlogs-niffler-archive/objects/events/iam/2026-04-15/draco-actions.json.gz", "type": "storage.googleapis.com/Object" } } ], "resourceName": "projects/_/buckets/fantasticlogs-niffler-archive/objects/events/iam/2026-04-15/draco-actions.json.gz", "resourceLocation": { "currentLocations": [ "us-central1" ] } }, "insertId": "evt010000001000", "resource": { "type": "gcs_bucket", "labels": { "project_id": "fantasticlogs-prod", "bucket_name": "fantasticlogs-niffler-archive", "location": "us-central1" } }, "timestamp": "2026-04-15T18:01:14.123456789Z", "severity": "INFO", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2026-04-15T18:01:14.567890123Z"}MITRE ATT&CK Mapping
Tactics: Impact
- T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...