Potential Google Cloud cryptomining attack from Tor IP

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a Google Compute Engine cryptomining attack is observed from a Tor IP.

Strategy

This rule monitors Google Cloud Audit Logs to determine when a compute network creation, compute image creation, or firewall rule creation event coincides with the creation of a compute engine and originates from a Tor client. Datadog enriches all ingested logs with expert-curated threat intelligence in real time. An attacker may use a Tor client to anonymize their true origin.

Triage and response

  1. Determine if the actions {{@evt.name}} taken by the user {{@usr.id}} from Tor IP address: {{@network.client.ip}} are legitimate by looking at past activity and the type of API calls occurring.
  2. Furthermore, use the Cloud SIEM - IP Investigation & User Investigation dashboards to see if the IP address: {{@network.client.ip}} & {{@usr.id}} have taken other actions.
  3. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and investigate.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.