Potential Google Cloud cryptomining attack from Tor IP

Docs > Plateforme de sécurité Datadog > OOTB Rules > Potential Google Cloud cryptomining attack from Tor IP

Classification:

attack

Tactic:

Technique:

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a Google Compute Engine cryptomining attack is observed from a Tor IP.

Strategy

This rule monitors Google Cloud Audit Logs to determine when a compute network creation, compute image creation, or firewall rule creation event coincides with the creation of a compute engine and originates from a Tor client. Datadog enriches all ingested logs with expert-curated threat intelligence in real time. An attacker may use a Tor client to anonymize their true origin.

Triage and response

Determine if the actions {{@evt.name}} taken by the user {{@usr.id}} from Tor IP address: {{@network.client.ip}} are legitimate by looking at past activity and the type of API calls occurring.
Furthermore, use the Cloud SIEM - IP Investigation & User Investigation dashboards to see if the IP address: {{@network.client.ip}} & {{@usr.id}} have taken other actions.
If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and investigate.

Changelog

17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.