Cloud Run Threat Detection overview

A program was executed that is identified as a steganography tool commonly found in Unix-like environments, indicating a potential attempt to conceal communication or data transfer.

Attackers might utilize steganographic techniques to embed malicious command and control (C2) instructions or exfiltrated data within seemingly benign digital files, aiming to evade standard security monitoring and detection. Identifying the use of such tools is crucial for uncovering hidden malicious activity.

A command was executed to search for Google Cloud private keys, passwords, or other sensitive credentials within the container environment.

An attacker could use stolen Google Cloud credentials to gain illegitimate access to sensitive data or resources within the targeted Google Cloud environment.

A command was executed to search for GPG security keys.

An attacker could use stolen GPG security keys to gain unauthorized access to encrypted communications or files.

A command was executed to search for private keys, passwords, or other sensitive credentials within the container environment, indicating a potential attempt to harvest authentication data.

Attackers often search for credential files to gain unauthorized access to systems, escalate privileges, or move laterally within the environment. Detecting such activity is critical to preventing security breaches.

A process was executed that contains an argument that is an ELF (Executable and Linkable Format) file.

If an encoded ELF file execution is detected, it's a signal that an attacker is trying to encode binary data for transfer to ASCII-only command lines. Attackers can use this technique to evade detection and run malicious code embedded in an ELF file.

A process was executed that contains an argument that is a base64- encoded python script.

If an encoded python script execution is detected, it's a signal that an attacker is trying to encode binary data for transfer to ASCII-only command lines. Attackers can use this technique to evade detection and run malicious code embedded in a python script.

A process was executed that contains an argument that is a base64- encoded shell script.

If an encoded shell script execution is detected, it's a signal that an attacker is trying to encode binary data for transfer to ASCII-only command lines. Attackers can use this technique to evade detection and run malicious code embedded in a shell script.

A process was initiated to launch a code compiler tool within the container environment, indicating a potential attempt to build or modify executable code in an isolated context.

Attackers might use code compilers within containers to develop malicious payloads, inject code into existing binaries, or create tools to bypass security controls, all while operating in a less scrutinized environment to evade detection on the host system.

A binary that meets the following conditions was executed:

• Identified as malicious based on threat intelligence
• Not part of the original container image

If an added malicious binary is executed, it's a strong sign that an attacker has control of the workload and they're executing malicious software.

A library that meets the following conditions was loaded:

• Identified as malicious based on threat intelligence
• Not part of the original container image

If an added malicious library is loaded, it's a strong sign that an attacker has control of the workload and they're executing malicious software.

A binary that meets the following conditions was executed:

• Identified as malicious based on threat intelligence
• Included in the original container image

If a built-in malicious binary is executed, it's a sign that the attacker is deploying malicious containers. They may have gained control of a legitimate image repository or container build pipeline and injected a malicious binary into the container image.

A process was executed within the container that attempted to break out of the container's isolation, using known escape techniques or binaries. This type of attack can give the attacker access to the host system. These processes are identified as potential threats based on intelligence data.

If a container escape attempt is detected, it might indicate that an attacker is exploiting vulnerabilities to break out of the container. As a result, the attacker might gain unauthorized access to the host system or broader infrastructure, compromising the entire environment.

A process was executed using an in-memory file descriptor.

If a process is launched from an in-memory file, it might indicate that an attacker is trying to bypass other methods of detection in order to execute malicious code.

A Kubernetes-specific attack tool was executed within the environment, which can indicate that an attacker is targeting Kubernetes cluster components. These attack tools are identified as potential threats based on intelligence data.

If an attack tool is executed within the Kubernetes environment, it can suggest that an attacker has gained access to the cluster and is using the tool to exploit Kubernetes-specific vulnerabilities or configurations.

A local reconnaissance tool not typically associated with the container or environment was executed, suggesting an attempt to gather internal system information. These reconnaissance tools are identified as potential threats based on intelligence data.

If a reconnaissance tool is executed, it suggests that the attacker may be trying to map out the infrastructure, identify vulnerabilities, or collect data on system configurations to plan their next steps.

A machine learning model identified the specified Python code as malicious. Attackers can use Python to transfer tools or other files from an external system into a compromised environment and execute commands without binaries.

The detector uses NLP techniques to evaluate the content of executed Python code. Because this approach isn't based on signatures, detectors can identify known and novel Python code.

A binary that meets the following conditions was executed:

• Identified as malicious based on threat intelligence
• Included in the original container image
• Modified from the original container image during the runtime

If a modified malicious binary is executed, it's a strong sign that an attacker has control of the workload and they're executing malicious software.

A library that meets the following conditions was loaded:

• Identified as malicious based on threat intelligence
• Included in the original container image
• Modified from the original container image during the runtime

If a modified malicious library is loaded, it's a strong sign that an attacker has control of the workload and they're executing malicious software.

Netcat, a versatile networking utility, was executed within the container environment, potentially indicating an attempt to establish unauthorized remote access or exfiltrate data.

The use of Netcat in a containerized environment may signal an attacker's effort to create a reverse shell, enable lateral movement, or execute arbitrary commands, which could compromise system integrity.

This rule detects the foomatic-rip process executing common shell programs, which may indicate that an attacker has exploited CVE-2024-47177. The foomatic-rip is part of the OpenPrinting CUPS, an open source printing service that is a part of many Linux distributions. Most container images have this printing service disabled or removed. If this detection exists, please evaluate that this is intended behavior or disable the service immediately.

A process was detected spawning common UNIX commands through a network socket connection, indicating a potential attempt to establish unauthorized remote command execution capabilities.

Attackers frequently utilize techniques that mimic reverse shells to gain interactive control over a compromised system, allowing them to execute arbitrary commands remotely and bypass standard network security measures like firewall restrictions. Detecting command execution over a socket is a strong indicator of malicious remote access.

A program was executed with an HTTP proxy environment variable that is disallowed. This can indicate an attempt to bypass security controls, redirect traffic for malicious purposes, or exfiltrate data through unauthorized channels.

Attackers may configure disallowed HTTP proxies to intercept sensitive information, route traffic through malicious servers, or establish covert communication channels. Detecting the execution of programs with these environment variables is crucial for maintaining network security and preventing data breaches.

The socat command has been used to create a reverse shell.

This rule detects the execution socat to create a reverse shell by redirecting stdin, stdout, and stderr file descriptors. This is a common technique used by attackers to gain remote access to a compromised system.

OpenSSL has been executed to load a custom shared object.

Attackers may load custom libraries and replace existing libraries used by OpenSSL in order to run malicious code. Its use in production is uncommon and should warrant an immediate investigation.

A remote file copy tool execution was detected within the container, indicating potential data exfiltration, lateral movement, or the deployment of malicious payloads.

Attackers often use these tools to transfer sensitive data outside of the container, move laterally within the network to compromise other systems, or introduce malware for further malicious activities. Detecting the use of remote file copy tools is crucial for preventing data breaches, unauthorized access, and further compromise of the container and potentially the host system.

A command was executed with arguments known to be potentially destructive, such as attempts to delete critical system files or modify password-related configurations.

Attackers may issue malicious command lines to cause system instability, prevent recovery by deleting essential files, or gain unauthorized access by manipulating user credentials. Detecting these specific command patterns is critical to preventing significant system impact.

A process was detected performing bulk data deletion operations, which might indicate an attempt to erase evidence, disrupt services, or execute a data-wiping attack within the container environment.

Attackers may remove large volumes of data to cover their tracks, sabotage operations, or prepare for ransomware deployment. Detecting such activity helps in identifying potential threats before critical data loss occurs.

A process was detected communicating over the Stratum protocol, which is commonly used by cryptocurrency mining software. This activity suggests potential unauthorized mining operations within the container environment.

Attackers often deploy cryptocurrency miners to exploit system resources for financial gain, leading to degraded performance, increased operational costs, and potential security risks. Detecting such activity helps mitigate resource abuse and unauthorized access.

A machine learning model identified the specified Bash code as malicious. Attackers can use Bash to transfer tools or other files from an external system into a compromised environment and execute commands without binaries.

The detector uses NLP techniques to evaluate the content of executed Bash code. Because this approach isn't based on signatures, detectors can identify known and novel malicious Bash code.

Cloud Run Threat Detection observed a malicious URL in the argument list of a running process.

The detector checks URLs that are observed in the argument list of running processes against the lists of unsafe web resources that are maintained by the Google Safe Browsing service. If a URL is incorrectly classified as a phishing site or malware, report it at Reporting Incorrect Data.

sudo has been executed with arguments that attempt to elevate privileges.

This detection notifies an attempt of the exploitation of CVE-2019-14287, which allows privilege escalation through abusing the sudo command. sudo versions prior to v1.8.28 had an exploit that could elevate a non-root user's privileges to that of a root user.

A process has been executed from a path within /dev/shm.

Executing a file from /dev/shm, an attacker could execute malicious code from this directory to evade detection by security tools, allowing them to carry out privilege escalation or process injection attacks.

A non-root user has executed pkexec with environment variables that attempt to escalate privileges.

This rule detects an attempt to exploit a privilege escalation vulnerability (CVE-2021-4034) in Polkit's pkexec. By running specially crafted code, a non-root user can use this flaw to gain root privileges on a compromised system.

A non-root user has executed sudo or sudoedit with a pattern of arguments that attempt to escalate privileges.

Detects an attempt to exploit a vulnerability affecting sudo versions 1.9.5p2 and earlier. Executing sudo or sudoedit with certain arguments, including one that ends with a single backslash character, as an unprivileged user can elevate the user's privileges to that of a root user.

A process started with stream redirection to a remote connected socket. The detector looks for stdin bound to a remote socket.

With a reverse shell, an attacker can communicate from a compromised workload to an attacker-controlled machine. The attacker can then command and control the workload—for example, as part of a botnet.

A process that does not normally invoke shells spawned a shell process.

The detector monitors all process executions. When a shell is invoked, the detector generates a finding if the parent process is known to not typically invoke shells.