GCP API calls indicating GCP image creation
Description
AlphaSOC detected the creation of a new Google Compute Engine image. Attackers may create custom images containing backdoors or malicious software to establish persistence. These images can be used to deploy compromised instances that appear legitimate, facilitating long-term access to the cloud environment.
Impact
Backdoored images can spread malware or provide persistent access across multiple instances launched from the image. Attackers may use custom images to deploy cryptocurrency miners, establish command-and-control infrastructure, or maintain footholds for future attacks. Images may also be shared across projects, expanding the attack surface.
Severity
| Severity | Condition |
|---|---|
| Low | GCP image creation by a user for the first time |
Investigation and Remediation
Review the source of the image creation, including the base image or disk snapshot used. Verify the identity of the user who created the image and confirm the action was authorized. Examine any instances launched from this image for suspicious activity. If the image is unauthorized, delete it and investigate instances that may have been launched from it.
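The severity condition above (first image creation by a given user) and the first investigation step (who created the image, and from which disk, snapshot or parent image) can both be worked through over Cloud Audit Log entries. The following Python is an added example, not AlphaSOC's detection code and not Google's tooling. It assumes the Admin Activity audit log shape for Compute Engine (`protoPayload.methodName`, `authenticationInfo.principalEmail`, `resourceName`, `request`) and that image creation is logged under the method name `v1.compute.images.insert`; the log lines it processes are constructed samples, not real data.

```python
"""Triage of Google Compute Engine image-creation events from Cloud Audit Logs.

Added example (not AlphaSOC's rule implementation). Assumed log shape:
Admin Activity entries with protoPayload.methodName, authenticationInfo,
requestMetadata, resourceName and the Image resource body under request.
"""
import json

# Assumed audit-log method name for Compute Engine image creation.
IMAGE_INSERT_METHOD = "v1.compute.images.insert"


def _audit_entry(ts, principal, method, resource_name, request, caller_ip,
                 resource_type="gce_image"):
    """Build one constructed audit log line shaped like a GCP Admin Activity entry."""
    return json.dumps({
        "timestamp": ts,
        "resource": {"type": resource_type, "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": caller_ip},
            "resourceName": resource_name,
            "request": request,
        },
    })


# Constructed sample log lines (not real data). The second entry is an instance
# creation and must be ignored; the fourth is alice's second image creation.
SAMPLE_LOG_LINES = [
    _audit_entry("2024-05-01T10:00:00Z", "alice@example.com", IMAGE_INSERT_METHOD,
                 "projects/example-project/global/images/app-image-1",
                 {"name": "app-image-1",
                  "sourceDisk": "projects/example-project/zones/us-central1-a/disks/app-disk"},
                 "203.0.113.10"),
    _audit_entry("2024-05-01T10:05:00Z", "alice@example.com", "v1.compute.instances.insert",
                 "projects/example-project/zones/us-central1-a/instances/web-1",
                 {"name": "web-1"}, "203.0.113.10", resource_type="gce_instance"),
    _audit_entry("2024-05-01T11:00:00Z", "bob@example.com", IMAGE_INSERT_METHOD,
                 "projects/example-project/global/images/db-image",
                 {"name": "db-image",
                  "sourceSnapshot": "projects/example-project/global/snapshots/db-snap"},
                 "198.51.100.7"),
    _audit_entry("2024-05-02T09:00:00Z", "alice@example.com", IMAGE_INSERT_METHOD,
                 "projects/example-project/global/images/app-image-2",
                 {"name": "app-image-2",
                  "sourceImage": "projects/example-project/global/images/app-image-1"},
                 "203.0.113.10"),
]


def parse_image_creation(line):
    """Return the triage-relevant fields of an image-creation event, or None for other events."""
    entry = json.loads(line)
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != IMAGE_INSERT_METHOD:
        return None
    request = payload.get("request", {})
    # An Image resource names one of these as its provenance; that is what the
    # analyst reviews first (base image, disk or snapshot the image was built from).
    source = (request.get("sourceDisk") or request.get("sourceSnapshot")
              or request.get("sourceImage") or "unknown")
    return {
        "timestamp": entry.get("timestamp"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "project": entry.get("resource", {}).get("labels", {}).get("project_id"),
        "image": payload.get("resourceName"),
        "source": source,
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
    }


def triage(lines, known_creators=()):
    """Apply the rule's condition: alert (Low) on a principal's first image creation.

    known_creators seeds the set of principals already seen creating images, so
    a baseline from earlier log history suppresses repeat alerts.
    """
    seen = set(known_creators)
    findings = []
    for line in lines:
        event = parse_image_creation(line)
        if event is None:
            continue
        first_time = event["principal"] not in seen
        seen.add(event["principal"])
        event["first_time_for_user"] = first_time
        event["severity"] = "Low" if first_time else None  # None: below the rule's threshold
        findings.append(event)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        tag = f["severity"] or "--"
        print(f"{tag:<4} {f['timestamp']} {f['principal']} created {f['image']} "
              f"from {f['source']} (caller {f['caller_ip']})")
```

Run as a script it prints one line per image creation, marking alice's first image and bob's image as Low and leaving alice's second image unflagged. The `source` field is the starting point for the review described above: a `sourceDisk` or `sourceSnapshot` should trace back to a workload the creator is responsible for, and a `sourceImage` should be an image that has itself already been reviewed. The `image` value is what to match against the boot-disk source of any instances examined afterwards.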
Known False Positives
- Legitimate infrastructure provisioning and image management
- Golden image creation for standardized deployments
- Backup or disaster recovery image snapshots