Tor client IP address identified within Google Cloud environment

gcp

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1090-proxy

Goal

Detect when Tor client activity is seen in Google Cloud Audit Logs.

Strategy

This rule monitors Google Cloud Audit Logs to determine when an activity had originated from a Tor client. Datadog enriches all ingested logs with expert-curated threat intelligence in real time. An attacker may use a Tor client to anonymize their true origin.

Triage and response

  1. Investigate other activities performed by the identity {{@usr.id}} using the Cloud SIEM - User Investigation dashboard.
  2. If the results of the triage indicate that an attacker had taken the action, begin your company’s incident response process and an investigation.