Sigma rules for CVE-2024-7889
9 rules, scoped to CVE-2024-7889
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Google Workspace Out Of Domain Email Forwarding
id: 2a0bb2dd-eb5f-4517-8cb9-404f8ba764a5
status: experimental
description: Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
references:
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#email_forwarding_out_of_domain
author: Tom Kluter
date: 2026-04-28
tags:
    - attack.t1114.003
    - attack.collection
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.serviceName: 'login.googleapis.com'
        protoPayload.metadata.event.eventName: 'email_forwarding_out_of_domain'
    condition: selection
falsepositives:
    - Legitimate forwarding
level: medium

title: Google Workspace Government Attack Warning
id: eafe6f2b-cfec-4612-aec2-49563c33a087
status: experimental
description: Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#gov_attack_warning
author: Tom Kluter
date: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.impact
    - attack.stealth
    - attack.t1078
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.serviceName: 'login.googleapis.com'
        protoPayload.metadata.event.eventName: 'gov_attack_warning'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Google Workspace Role Modified or Deleted
id: 6aef64e3-60c6-4782-8db3-8448759c714e
status: test
description: Detects when a role is modified or deleted in Google Workspace.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
author: Austin Songer
date: 2021-08-24
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName:
            - DELETE_ROLE
            - RENAME_ROLE
            - UPDATE_ROLE
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Google Workspace Granted Domain API Access
id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
status: test
description: Detects when an API access service account is granted domain authority.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
author: Austin Songer
date: 2021-08-23
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName: AUTHORIZE_API_CLIENT_ACCESS
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Google Workspace User Granted Admin Privileges
id: 2d1b83e4-17c6-4896-a37b-29140b40a788
status: test
description: Detects when a Google Workspace user is granted admin privileges.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
author: Austin Songer
date: 2021-08-23
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName:
            - GRANT_DELEGATED_ADMIN_PRIVILEGES
            - GRANT_ADMIN_PRIVILEGE
    condition: selection
falsepositives:
    - Google Workspace admin role privileges may be modified by system administrators.
level: medium

title: Google Workspace Application Removed
id: ee2803f0-71c8-4831-b48b-a1fc57601ee4
status: test
description: Detects when an application is removed from Google Workspace.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
author: Austin Songer
date: 2021-08-26
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName:
            - REMOVE_APPLICATION
            - REMOVE_APPLICATION_FROM_WHITELIST
    condition: selection
falsepositives:
    - Application removal may be performed by a system administrator.
level: medium

title: Google Workspace Application Access Level Modified
id: 22f2fb54-5312-435d-852f-7c74f81684ca
status: test
description: |
    Detects when an access level is changed for a Google Workspace application.
    An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing the Zero Trust model.
    An adversary would be able to remove access levels to gain easier access to Google Workspace resources.
references:
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
    - https://support.google.com/a/answer/9261439
author: Bryan Lim
date: 2024-01-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098.003
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: 'admin.googleapis.com'
        eventName: 'CHANGE_APPLICATION_SETTING'
        setting_name|startswith: 'ContextAwareAccess'
    condition: selection
falsepositives:
    - Legitimate administrative activities changing the access levels for an application
level: medium

title: Google Workspace MFA Disabled
id: 780601d1-6376-4f2a-884e-b8d45599f78c
status: test
description: Detects when multi-factor authentication (MFA) is disabled.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
author: Austin Songer
date: 2021-08-26
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection_base:
        eventService: admin.googleapis.com
        eventName:
            - ENFORCE_STRONG_AUTHENTICATION
            - ALLOW_STRONG_AUTHENTICATION
    selection_eventValue:
        new_value: 'false'
    condition: all of selection*
falsepositives:
    - MFA may be disabled by a system administrator as a legitimate action.
level: medium

title: Google Workspace Role Privilege Deleted
id: bf638ef7-4d2d-44bb-a1dc-a238252e6267
status: test
description: Detects when a role privilege is deleted in Google Workspace.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
author: Austin Songer
date: 2021-08-24
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName: REMOVE_PRIVILEGE
    condition: selection
falsepositives:
    - Unknown
level: medium