Premium and Enterprise service tiers

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Malware is detected by examining VPC Flow Logs and Cloud DNS
logs for connections to known command and control domains and IP addresses.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
1. Open a Malware: Cryptomining Bad IP finding, as directed in Reviewing findings. The details panel for the finding opens to the Summary tab.
2. On the Summary tab, review the information in the following sections:
   - What was detected, especially the following fields:
     - Source IP: the suspected cryptomining IP address.
     - Source port: the source port of the connection, if available.
     - Destination IP: the target IP address.
     - Destination port: the destination port of the connection, if available.
     - Protocol: the IANA protocol that is associated with the connection.
   - Affected resource
   - Related links, including the following fields:
     - Logging URI: link to Logging entries.
     - MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
     - Related findings: links to any related findings.
     - Flow Analyzer: link to the Flow Analyzer feature of Network Intelligence Center. This field displays only when VPC Flow Logs is enabled.
3. In the detail view of the finding, click the Source properties tab.
4. Expand properties and note the project and instance values in the following field:
   - instanceDetails: note both the project ID and the name of the Compute Engine instance. The project ID and instance name appear as shown in the following example:

     /projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME

5. To see the complete JSON for the finding, click the JSON tab.

Step 2: Review permissions and settings
1. In the Google Cloud console, go to the Dashboard page.
2. Select the project that is specified in properties_project_id.
3. Navigate to the Resources card and click Compute Engine.
4. Click the VM instance that matches properties_sourceInstance. Investigate the potentially compromised instance for malware.
5. In the navigation pane, click VPC Network, then click Firewall. Remove or disable overly permissive firewall rules.

Step 3: Check logs
1. In the Google Cloud console, go to Logs Explorer.
2. On the Google Cloud console toolbar, select your project.
3. On the page that loads, find VPC Flow Logs related to Properties_ip_0 by using the following filter:

   logName="projects/properties_project_id/logs/compute.googleapis.com%2Fvpc_flows"
   (jsonPayload.connection.src_ip="Properties_ip_0" OR jsonPayload.connection.dest_ip="Properties_ip_0")
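The Logs Explorer filter above and the instanceDetails path are simple enough to script once you have exported the matching entries. The following Python is an added example, not code from the Security Command Center documentation: it applies the same src_ip/dest_ip predicate to a handful of constructed VPC Flow Logs entries, groups the matches by the local VM so you can see which instances talked to the bad IP, in which direction, on which remote ports and how many bytes they sent, and splits an instanceDetails path into project ID, zone and instance name. The log entries and the address 203.0.113.45 are made up; field names other than jsonPayload.connection.src_ip and dest_ip (src_instance, dest_instance, bytes_sent, protocol, reporter) are assumed from the VPC Flow Logs record format and should be checked against your own entries.

```python
"""Triage helpers for a Malware: Cryptomining Bad IP finding.

Added example, not part of the Security Command Center documentation.
The log entries below are constructed; field names beyond
jsonPayload.connection.src_ip / dest_ip are assumed from the VPC Flow Logs
record format and should be checked against your own entries.
"""
import re
from collections import defaultdict

# IANA protocol numbers as they appear in jsonPayload.connection.protocol.
IANA_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Format of the instanceDetails value on the finding's Source properties tab.
INSTANCE_PATH_RE = re.compile(
    r"^/?projects/(?P<project_id>[^/]+)/zones/(?P<zone>[^/]+)"
    r"/instances/(?P<instance_name>[^/]+)$"
)

BAD_IP = "203.0.113.45"  # stands in for the finding's Properties_ip_0 (constructed, TEST-NET-3)

# Constructed VPC Flow Logs entries: two outbound flows from web-1 to the bad IP,
# one unrelated DNS lookup, and one inbound flow from the bad IP to batch-7.
SAMPLE_FLOW_LOGS = [
    {"jsonPayload": {"reporter": "SRC", "bytes_sent": 8192,
                     "connection": {"src_ip": "10.128.0.2", "src_port": 51234,
                                    "dest_ip": BAD_IP, "dest_port": 3333, "protocol": 6},
                     "src_instance": {"project_id": "example-project",
                                      "zone": "us-central1-a", "vm_name": "web-1"}}},
    {"jsonPayload": {"reporter": "SRC", "bytes_sent": 4096,
                     "connection": {"src_ip": "10.128.0.2", "src_port": 51240,
                                    "dest_ip": BAD_IP, "dest_port": 3333, "protocol": 6},
                     "src_instance": {"project_id": "example-project",
                                      "zone": "us-central1-a", "vm_name": "web-1"}}},
    {"jsonPayload": {"reporter": "SRC", "bytes_sent": 120,
                     "connection": {"src_ip": "10.128.0.2", "src_port": 40001,
                                    "dest_ip": "8.8.8.8", "dest_port": 53, "protocol": 17},
                     "src_instance": {"project_id": "example-project",
                                      "zone": "us-central1-a", "vm_name": "web-1"}}},
    {"jsonPayload": {"reporter": "DEST", "bytes_sent": 512,
                     "connection": {"src_ip": BAD_IP, "src_port": 3333,
                                    "dest_ip": "10.142.0.5", "dest_port": 40000, "protocol": 6},
                     "dest_instance": {"project_id": "example-project",
                                       "zone": "us-east1-b", "vm_name": "batch-7"}}},
]


def parse_instance_path(path):
    """Split an instanceDetails path into project_id, zone and instance_name (None if malformed)."""
    match = INSTANCE_PATH_RE.match(path)
    return match.groupdict() if match else None


def logs_explorer_filter(project_id, bad_ip):
    """Return the Step 3 Logs Explorer filter with the placeholders filled in."""
    return (
        f'logName="projects/{project_id}/logs/compute.googleapis.com%2Fvpc_flows"\n'
        f'(jsonPayload.connection.src_ip="{bad_ip}" OR jsonPayload.connection.dest_ip="{bad_ip}")'
    )


def matches_finding_filter(entry, bad_ip):
    """Same predicate as the Step 3 filter: the bad IP is at either end of the connection."""
    conn = entry["jsonPayload"]["connection"]
    return bad_ip in (conn["src_ip"], conn["dest_ip"])


def summarize_flows(entries, bad_ip):
    """Group flows that touch bad_ip by the local VM at the other end of the connection."""
    summary = defaultdict(lambda: {"flows": 0, "bytes_sent": 0, "remote_ports": set(),
                                   "protocols": set(), "directions": set()})
    for entry in entries:
        if not matches_finding_filter(entry, bad_ip):
            continue
        payload = entry["jsonPayload"]
        conn = payload["connection"]
        if conn["dest_ip"] == bad_ip:   # the VM opened the connection to the bad IP
            inst, direction, remote_port = payload.get("src_instance"), "outbound", conn.get("dest_port")
        else:                            # the bad IP connected in to the VM
            inst, direction, remote_port = payload.get("dest_instance"), "inbound", conn.get("src_port")
        if inst:  # Compute Engine VM: key uses the same layout as the instanceDetails path
            key = f"projects/{inst['project_id']}/zones/{inst['zone']}/instances/{inst['vm_name']}"
        else:     # no instance record on the local side: fall back to the local IP
            key = f"unknown-endpoint:{conn['src_ip'] if direction == 'outbound' else conn['dest_ip']}"
        item = summary[key]
        item["flows"] += 1
        item["bytes_sent"] += payload.get("bytes_sent", 0)
        if remote_port is not None:      # src_port/dest_port are not always present
            item["remote_ports"].add(remote_port)
        item["protocols"].add(IANA_PROTOCOLS.get(conn["protocol"], str(conn["protocol"])))
        item["directions"].add(direction)
    # Freeze the sets into sorted lists so the result is stable and easy to compare.
    return {k: {**v, "remote_ports": sorted(v["remote_ports"]),
                "protocols": sorted(v["protocols"]), "directions": sorted(v["directions"])}
            for k, v in summary.items()}


if __name__ == "__main__":
    print(logs_explorer_filter("example-project", BAD_IP))
    for resource, stats in summarize_flows(SAMPLE_FLOW_LOGS, BAD_IP).items():
        print(resource, parse_instance_path("/" + resource), stats)
```

Run it against entries you have exported from Logs Explorer (for example with gcloud logging read using the same filter) instead of SAMPLE_FLOW_LOGS; the per-instance keys line up with the instanceDetails values in findings, which makes it easy to spot VMs that contacted the bad IP but have no finding of their own yet.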
Step 4: Research attack and response methods
1. Review the MITRE ATT&CK framework entry for this finding type: Resource Hijacking (T1496).
2. To develop a response plan, combine your investigation results with MITRE research.
Step 5: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.
- Contact the owner of the project containing malware.
- Investigate the potentially compromised instance and remove any discovered malware. To assist with detection and removal, use an endpoint detection and response solution.
- If necessary, stop the compromised instance and replace it with a new instance.
- Block the malicious IP addresses by updating firewall rules or by using Cloud Armor. For connections that the VM itself opens to the bad IP, an egress deny rule in the VPC firewall is the control that applies; Cloud Armor policies apply to traffic reaching load-balanced backends. You can enable Cloud Armor on the Security Command Center Integrated Services page. Depending on the data volume, Cloud Armor costs can be significant. See the Cloud Armor pricing guide for more information.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.

Last updated 2025-09-04 UTC.