Persistence: GCE Admin Added Startup Script

This document describes a threat finding type in Security Command Center. Threat detectors generate a threat finding when they detect a potential threat in your cloud resources. For the full list of available threat findings, see the Threat findings index.

Overview

The startup-script or startup-script-url Compute Engine instance metadata key was changed on an instance that was created more than seven days ago.

Event Threat Detection is the source of this finding.

How to respond

The following response plan might be appropriate for this finding, but it might also affect operations. Carefully evaluate the information you gather during your investigation to determine the best way to resolve the finding.

To respond to this finding, do the following:

  1. Confirm whether the change was intentional on the part of the member, or whether it was made by an attacker to introduce new access into your organization.

  2. Check the logs using the following filter:

    protoPayload.resource.labels.instance_id=INSTANCE_ID
    protoPayload.serviceName="compute.googleapis.com"
    ((protoPayload.metadata.instanceMetaData.addedMetadataKey : "startup-script" OR
    protoPayload.metadata.instanceMetaData.modifiedMetadataKey : "startup-script" ) OR
    (protoPayload.metadata.instanceMetaData.addedMetadataKey : "startup-script-url" OR
    protoPayload.metadata.instanceMetaData.modifiedMetadataKey : "startup-script-url" ))
    logName="organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity"
    

    Replace the following:

    • INSTANCE_ID: the gceInstanceId listed in the finding
    • ORGANIZATION_ID: your organization ID
  3. Research the event that triggered this finding.

Example finding JSON

The following is an example of the finding JSON.

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/COMPUTE_INSTANCE_NAME",
    "category": "Persistence: GCE Admin Added Startup Script",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "persistence",
        "indicator": "audit_log",
        "ruleName": "gce_admin",
        "subRuleName": "instance_add_startup_script"
      },
      "detectionPriority": "LOW",
      "affectedResources": [{
        "gcpResourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/COMPUTE_INSTANCE_NAME"
      }, {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }],
      "evidence": [{
        "sourceLogId": {
          "projectId": "0",
          "resourceContainer": "organizations/ORGANIZATION_ID",
          "timestamp": {
            "seconds": "1621624109",
            "nanos": 3.73721E8
          },
          "insertId": "INSERT_ID"
        }
      }],
      "properties": {
        "callerIp": "IP_ADDRESS",
        "principalEmail": "PRINCIPAL_EMAIL",
        "gceInstanceId": "COMPUTE_INSTANCE_ID",
        "projectId": "PROJECT_ID",
        "metadataKeyOperation": "ADDED",
        "callerUserAgent": "USER_AGENT"
      },
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1543/"
        },
        "cloudLoggingQueryUri": [{
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query\u003dtimestamp%3D%222021-05-21T19:08:29.373721Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%220%22?project\u003d0"
        }]
      }
    }
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/COMPUTE_INSTANCE_NAME"
  }
}
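The following Python script is an added example; it is not part of this page and not Event Threat Detection's own detector code. It ties together the response procedure above and the finding JSON: it reads a constructed finding in the shape shown above to obtain INSTANCE_ID (the gceInstanceId), replays the log filter from step 2 in Python over a handful of constructed Compute Engine admin-activity audit-log entries, and applies the seven-day instance-age condition from the overview so the analyst sees only the events worth confirming with the principal in step 1. The organization ID, e-mail addresses, IP addresses, instance IDs, the creation-timestamp lookup (a stand-in for describing the instance), and the assumption that addedMetadataKey and modifiedMetadataKey are lists of key names are all placeholders or assumptions, not values from the page.

```python
import json
from datetime import datetime, timedelta, timezone

STARTUP_KEYS = ("startup-script", "startup-script-url")
AGE_THRESHOLD = timedelta(days=7)        # detector fires only for instances older than this
ORGANIZATION_ID = "123456789012"         # placeholder organization ID
ACTIVITY_LOG = f"organizations/{ORGANIZATION_ID}/logs/cloudaudit.googleapis.com%2Factivity"

# Constructed finding in the shape shown on this page (placeholder values, not a real finding).
FINDING_JSON = json.dumps({
    "finding": {
        "category": "Persistence: GCE Admin Added Startup Script",
        "sourceProperties": {
            "properties": {
                "callerIp": "203.0.113.7",
                "principalEmail": "ops-admin@example.com",
                "gceInstanceId": "1234567890123456789",
                "projectId": "example-project",
                "metadataKeyOperation": "ADDED",
            }
        },
    }
})

# Constructed stand-in for the instance's creationTimestamp (assumed to be looked up separately).
INSTANCE_CREATED = {"1234567890123456789": datetime(2021, 3, 1, tzinfo=timezone.utc)}


def _entry(ts, instance_id, principal, ip, added=(), modified=(), log_name=ACTIVITY_LOG):
    """Build a constructed audit-log entry; only fields the page's filter touches are modelled.
    addedMetadataKey / modifiedMetadataKey are assumed to be lists of metadata key names."""
    return {
        "timestamp": ts,
        "logName": log_name,
        "resource": {"labels": {"instance_id": instance_id}},
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.setMetadata",
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "metadata": {"instanceMetaData": {"addedMetadataKey": list(added),
                                               "modifiedMetadataKey": list(modified)}},
        },
    }


SAMPLE_LOG_ENTRIES = [  # constructed, not real logs
    # Should match: startup-script-url added on the instance named in the finding.
    _entry("2021-05-21T19:08:29Z", "1234567890123456789", "ops-admin@example.com",
           "203.0.113.7", added=["startup-script-url"]),
    # Should not match: unrelated metadata key on the same instance.
    _entry("2021-05-21T18:00:00Z", "1234567890123456789", "dev@example.com",
           "198.51.100.3", modified=["ssh-keys"]),
    # Should not match: startup-script change on a different instance.
    _entry("2021-05-21T17:00:00Z", "9999999999999999999", "dev@example.com",
           "198.51.100.3", modified=["startup-script"]),
    # Should not match: right keys and instance, but not in the admin-activity log.
    _entry("2021-05-21T16:00:00Z", "1234567890123456789", "svc@example.com",
           "198.51.100.9", added=["startup-script"],
           log_name=ACTIVITY_LOG.replace("activity", "data_access")),
]


def instance_id_from_finding(finding_json: str) -> str:
    """Step 2's INSTANCE_ID is the gceInstanceId listed in the finding."""
    props = json.loads(finding_json)["finding"]["sourceProperties"]["properties"]
    return props["gceInstanceId"]


def matches_filter(entry: dict, instance_id: str) -> list:
    """Replay the page's Cloud Logging filter; return the startup-script keys it touched.
    The filter uses the ':' (has / substring) operator, so "startup-script" also matches
    "startup-script-url"; substring matching is reproduced here for the same reason."""
    pp = entry.get("protoPayload", {})
    if entry.get("logName") != ACTIVITY_LOG or pp.get("serviceName") != "compute.googleapis.com":
        return []
    if entry.get("resource", {}).get("labels", {}).get("instance_id") != instance_id:
        return []
    meta = pp.get("metadata", {}).get("instanceMetaData", {})
    keys = meta.get("addedMetadataKey", []) + meta.get("modifiedMetadataKey", [])
    return [k for k in keys if any(s in k for s in STARTUP_KEYS)]


def triage(finding_json: str, entries: list, created_at: dict) -> list:
    """Return the events to confirm with the principal (step 1), with the age check applied."""
    instance_id = instance_id_from_finding(finding_json)
    hits = []
    for e in entries:
        keys = matches_filter(e, instance_id)
        if not keys:
            continue
        changed_at = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        pp = e["protoPayload"]
        hits.append({
            "timestamp": e["timestamp"],
            "principalEmail": pp["authenticationInfo"]["principalEmail"],
            "callerIp": pp["requestMetadata"]["callerIp"],
            "keys": keys,
            "instance_older_than_7_days": changed_at - created_at[instance_id] > AGE_THRESHOLD,
        })
    return hits


if __name__ == "__main__":
    for hit in triage(FINDING_JSON, SAMPLE_LOG_ENTRIES, INSTANCE_CREATED):
        print(hit)
```

Run against the constructed entries, only the first one survives: the principal, caller IP and key names it reports are what you take to the member to answer step 1, and the age flag tells you the event is inside the detector's stated scope rather than a first boot configuration.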

What's next