This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Someone created an RBAC ClusterRoleBinding that references the default
system:controller:clusterrole-aggregation-controller ClusterRole. This
default ClusterRole has the escalate verb, which allows subjects to modify
the privileges of their own roles, allowing for privilege escalation. For more
details, see the log message for this alert.
Event Threat Detection is the source of this finding.
How to respond
To respond to this finding, do the following:
- Review any ClusterRoleBinding that references the system:controller:clusterrole-aggregation-controller ClusterRole.
- Review any modifications to the system:controller:clusterrole-aggregation-controller ClusterRole.
- Determine whether there are other signs of malicious activity by the principal who created the ClusterRoleBinding in the audit logs in Cloud Logging.
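One way to carry out the first review step is shown below, as an added example that is not part of the original documentation. It reads the output of kubectl get clusterrolebindings -o json and reports every binding whose roleRef is this ClusterRole. The script name review_crb.py, the function names, and the expected default subject (the clusterrole-aggregation-controller service account in kube-system) are assumptions of this example.

```python
import json
import sys

ROLE = "system:controller:clusterrole-aggregation-controller"
# Assumption: the binding Kubernetes creates by default shares the role's name
# and binds only this kube-system service account.
DEFAULT_SUBJECT = ("ServiceAccount", "kube-system",
                   "clusterrole-aggregation-controller")

def review_bindings(binding_list):
    """Return one record per ClusterRoleBinding whose roleRef is ROLE."""
    results = []
    for item in binding_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != ROLE:
            continue
        meta = item.get("metadata", {})
        subjects = [(s.get("kind"), s.get("namespace", ""), s.get("name"))
                    for s in item.get("subjects") or []]
        unexpected = [s for s in subjects if s != DEFAULT_SUBJECT]
        results.append({
            "binding": meta.get("name"),
            "created": meta.get("creationTimestamp"),
            "unexpected_subjects": unexpected,
            # Any extra binding, or extra subject on the default one, needs review.
            "needs_review": meta.get("name") != ROLE or bool(unexpected),
        })
    return results

def _crb(name, role, subjects):
    # Helper that builds one constructed ClusterRoleBinding for the sample.
    return {"metadata": {"name": name, "creationTimestamp": "2024-01-01T00:00:00Z"},
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": subjects}

# Constructed sample (not from a real cluster): the default binding, an extra
# binding to the same role, and an unrelated binding.
SAMPLE = {"items": [
    _crb(ROLE, ROLE, [{"kind": "ServiceAccount", "namespace": "kube-system",
                       "name": "clusterrole-aggregation-controller"}]),
    _crb("debug-binding", ROLE, [{"kind": "User", "name": "dev@example.com"}]),
    _crb("ops-view", "view", [{"kind": "Group", "name": "ops"}]),
]}

if __name__ == "__main__":
    # Usage: kubectl get clusterrolebindings -o json | python3 review_crb.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for record in review_bindings(data):
        print(json.dumps(record))
```

The creation timestamp of each flagged binding gives a starting point for the audit log search in the third step.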
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.