Potential Google Cloud cryptomining attack from Tor IP
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a Google Compute Engine cryptomining attack is observed from a Tor IP.
Strategy
This rule monitors Google Cloud Audit Logs to determine when a compute network creation, compute image creation, or firewall rule creation event coincides with the creation of a compute engine and originates from a Tor client. Datadog enriches all ingested logs with expert-curated threat intelligence in real time. An attacker may use a Tor client to anonymize their true origin.
Triage and response
- Determine if the actions
{{@evt.name}}
taken by the user {{@usr.id}}
from Tor IP address: {{@network.client.ip}}
are legitimate by looking at past activity and the type of API calls occurring. - Furthermore, use the Cloud SIEM - IP Investigation & User Investigation dashboards to see if the IP address:
{{@network.client.ip}}
& {{@usr.id}}
have taken other actions. - If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and investigate.
Changelog
- 17 August 2023 - Updated query to replace attribute
@threat_intel.results.subcategory:tor
with @threat_intel.results.category:tor
.