Google Compute Engine network created

gcp

Classification:

attack


Goal

Detect when a Google Compute Engine network is created.

Strategy

This rule lets you monitor Google Compute Engine activity audit logs to determine when one of the following methods is invoked to create a new Compute Engine network:

  • beta.compute.networks.insert
  • v*.compute.networks.insert

An attacker could create a compute network with the intention of enabling cryptomining and bypassing networking limitations.
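
The method-name match described above, run over constructed sample audit log lines. This is an added example, not the rule's own query. It assumes the Cloud Audit Logs entry layout (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`, `operation.id`), and it goes beyond the page by reporting the start and completion entries of one operation as a single finding.

```python
import fnmatch
import json

# Method-name patterns listed in the rule's Strategy section.
METHOD_PATTERNS = ("beta.compute.networks.insert", "v*.compute.networks.insert")

# Constructed sample entries (one JSON object per line), not real audit data.
SAMPLE_LOGS = """\
{"timestamp": "2024-01-01T10:00:00Z", "operation": {"id": "op-1", "first": true}, "protoPayload": {"methodName": "v1.compute.networks.insert", "resourceName": "projects/demo/global/networks/net-a", "authenticationInfo": {"principalEmail": "dev@example.com"}}}
{"timestamp": "2024-01-01T10:00:09Z", "operation": {"id": "op-1", "last": true}, "protoPayload": {"methodName": "v1.compute.networks.insert", "resourceName": "projects/demo/global/networks/net-a", "authenticationInfo": {"principalEmail": "dev@example.com"}}}
{"timestamp": "2024-01-01T11:30:00Z", "operation": {"id": "op-2", "first": true}, "protoPayload": {"methodName": "beta.compute.networks.insert", "resourceName": "projects/demo/global/networks/net-b", "authenticationInfo": {"principalEmail": "svc@demo.iam.gserviceaccount.com"}}}
{"timestamp": "2024-01-01T12:00:00Z", "operation": {"id": "op-3", "first": true}, "protoPayload": {"methodName": "v1.compute.subnetworks.insert", "resourceName": "projects/demo/regions/us-central1/subnetworks/sub-a", "authenticationInfo": {"principalEmail": "dev@example.com"}}}
{"timestamp": "2024-01-01T12:05:00Z", "operation": {"id": "op-4", "first": true}, "protoPayload": {"methodName": "v1.compute.networks.delete", "resourceName": "projects/demo/global/networks/net-a", "authenticationInfo": {"principalEmail": "dev@example.com"}}}
truncated-line-not-json
"""

def is_network_insert(method_name):
    """True when the method name matches one of the rule's patterns."""
    return any(fnmatch.fnmatchcase(method_name, p) for p in METHOD_PATTERNS)

def detect_network_creation(lines):
    """Return one finding per network-creation operation in the log lines."""
    findings, seen_ops = [], set()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(entry, dict):
            continue
        payload = entry.get("protoPayload", {})
        if not is_network_insert(payload.get("methodName", "")):
            continue
        # A long-running operation is logged at start and at completion with
        # the same operation.id (assumed layout); report it once.
        op_id = entry.get("operation", {}).get("id")
        if op_id in seen_ops:
            continue
        if op_id is not None:
            seen_ops.add(op_id)
        findings.append({
            "time": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "network": payload.get("resourceName"),
            "method": payload.get("methodName"),
        })
    return findings

if __name__ == "__main__":
    for finding in detect_network_creation(SAMPLE_LOGS.splitlines()):
        print(finding)
```

The subnetwork insert and the network delete in the sample are deliberately left unmatched, which is what keeps the pattern specific to network creation.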

Triage and response

Review the Compute Engine network.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.
  • 30 September 2024 - Updated query to replace attribute @threat_intel.results.subcategory:anonymizer.