Create GCE Instances in Multiple Zones
Platform: GCP
Mappings
- MITRE ATT&CK
- Impact
Description
Creates GCE instances across multiple zones, simulating an attacker hijacking compute resources for cryptomining across multiple availability zones.
Warm-up:
- None
Detonation:
- Create 6 e2-micro GCE instances in parallel across 6 different zones in multiple regions
⚠️ Warning: This technique creates real GCE instances. Make sure to revert the technique after detonation to clean up created resources and avoid unnecessary costs.
References:
- https://www.mandiant.com/resources/blog/detecting-cryptomining-cloud
- https://cloud.google.com/blog/topics/threat-intelligence/detecting-cryptomining-using-vpc-flow-logs
Instructions
Detection
Identify when GCE instances are created across an unusually high number of zones by monitoring for v1.compute.instances.insert or beta.compute.instances.insert events in GCP Admin Activity audit logs.
An attacker performing resource hijacking (e.g., cryptomining) typically creates instances across many zones to maximize resource availability and evade per-zone quotas.
Detection criteria:
- Monitor compute.instances.insert events grouped by caller identity
- Count the number of distinct zones in which instances are created within a short time window (e.g., 5 minutes)
- Alert when the number of distinct zones exceeds a threshold (e.g., more than 5 zones)
- Exclude legitimate automation such as Managed Instance Groups (user agent containing GCE Managed Instance Group)
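The detection criteria above, applied to constructed GCP Admin Activity audit log entries, as an added example that is not part of the Stratus Red Team page or project. The entries follow the AuditLog protoPayload field layout (methodName, authenticationInfo.principalEmail, requestMetadata.callerSuppliedUserAgent, resourceName, resource.labels.zone) but are simplified; the project name, principal identities, timestamps and user-agent strings are made-up sample values, and the 5-minute window and 5-zone threshold are the parameters suggested in the text.

```python
"""Detect GCE instance creation across an unusually high number of zones.

Added example, not code from the Stratus Red Team project. It implements the
detection criteria from the page: group compute.instances.insert events by
caller, count distinct zones per sliding time window, alert above a threshold,
and exclude Managed Instance Group activity by user agent.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INSERT_METHODS = {"v1.compute.instances.insert", "beta.compute.instances.insert"}
MIG_USER_AGENT = "GCE Managed Instance Group"
WINDOW = timedelta(minutes=5)
ZONE_THRESHOLD = 5  # alert when a caller touches more than this many zones


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def zone_of(entry):
    """Prefer resource.labels.zone; fall back to parsing the resourceName path
    (projects/<project>/zones/<zone>/instances/<name>)."""
    zone = entry.get("resource", {}).get("labels", {}).get("zone")
    if zone:
        return zone
    parts = entry["protoPayload"]["resourceName"].split("/")
    return parts[parts.index("zones") + 1]


def is_relevant(entry):
    pp = entry["protoPayload"]
    if pp.get("methodName") not in INSERT_METHODS:
        return False
    ua = pp.get("requestMetadata", {}).get("callerSuppliedUserAgent", "")
    # Managed Instance Groups legitimately fan out across zones; exclude them.
    return MIG_USER_AGENT not in ua


def detect_multi_zone_creation(entries, window=WINDOW, threshold=ZONE_THRESHOLD):
    """Return {principal: sorted zones} for every caller that created instances
    in more than `threshold` distinct zones inside any window of length `window`."""
    by_caller = defaultdict(list)
    for entry in entries:
        if is_relevant(entry):
            principal = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
            by_caller[principal].append((parse_ts(entry["timestamp"]), zone_of(entry)))

    alerts = {}
    for principal, events in by_caller.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fit in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            zones = {zone for _, zone in events[start:end + 1]}
            if len(zones) > threshold:
                alerts[principal] = sorted(zones)
                break  # one alert per principal is enough
    return alerts


# ---- constructed sample data (made-up project, identities and timestamps) ----
def make_entry(principal, zone, ts, method="v1.compute.instances.insert",
               user_agent="google-cloud-sdk gcloud/400.0.0"):
    return {
        "timestamp": ts,
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerSuppliedUserAgent": user_agent},
            "resourceName": f"projects/example-project/zones/{zone}/instances/inst-{zone}",
        },
        "resource": {"type": "gce_instance", "labels": {"zone": zone}},
    }


ZONES = ["us-central1-a", "us-east1-b", "europe-west1-c", "asia-east1-a",
         "southamerica-east1-a", "australia-southeast1-a"]

SAMPLE_LOGS = (
    # A compromised service account creating in 6 zones within 50 seconds: alert.
    [make_entry("compromised-sa@example-project.iam.gserviceaccount.com", z,
                f"2024-05-01T10:00:{i * 10:02d}Z") for i, z in enumerate(ZONES)]
    # A Managed Instance Group doing the same: excluded by user agent.
    + [make_entry("mig-sa@example-project.iam.gserviceaccount.com", z,
                  f"2024-05-01T10:00:{i * 10:02d}Z",
                  user_agent=MIG_USER_AGENT) for i, z in enumerate(ZONES)]
    # An admin creating in 6 zones, 11 minutes apart: never 6 zones in one window.
    + [make_entry("admin@example.com", z, f"2024-05-01T11:{i * 11:02d}:00Z")
       for i, z in enumerate(ZONES)]
)

if __name__ == "__main__":
    for principal, zones in detect_multi_zone_creation(SAMPLE_LOGS).items():
        print(f"ALERT {principal}: {len(zones)} zones {zones}")
```

The sliding window is per caller, so a rollout that is spread over time or performed by a Managed Instance Group does not trip the rule, while a burst of inserts across many zones from one principal does; tune WINDOW and ZONE_THRESHOLD to the deployment patterns that are normal in your projects.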