GKE threat findings

Security Command Center performs runtime and log-based monitoring of Google Kubernetes Engine resources.

Runtime finding types

The following runtime detections are available with Container Threat Detection:

  • Added Binary Executed
  • Added Library Loaded
  • Collection: Pam.d Modification
  • Command and Control: Steganography Tool Detected
  • Credential Access: Access Sensitive Files On Nodes
  • Credential Access: Find Google Cloud Credentials
  • Credential Access: GPG Key Reconnaissance
  • Credential Access: Search Private Keys or Passwords
  • Defense Evasion: Base64 ELF File Command Line
  • Defense Evasion: Base64 Encoded Python Script Executed
  • Defense Evasion: Base64 Encoded Shell Script Executed
  • Defense Evasion: Disable or Modify Linux Audit System
  • Defense Evasion: Launch Code Compiler Tool In Container
  • Defense Evasion: Root Certificate Installed
  • Execution: Added Malicious Binary Executed
  • Execution: Added Malicious Library Loaded
  • Execution: Built in Malicious Binary Executed
  • Execution: Container Escape
  • Execution: Fileless Execution in /memfd:
  • Execution: Ingress Nightmare Vulnerability Exploitation
  • Execution: Kubernetes Attack Tool Execution
  • Execution: Local Reconnaissance Tool Execution
  • Execution: Malicious Python executed
  • Execution: Modified Malicious Binary Executed
  • Execution: Modified Malicious Library Loaded
  • Execution: Netcat Remote Code Execution in Container
  • Execution: Possible Remote Command Execution Detected
  • Execution: Program Run with Disallowed HTTP Proxy Env
  • Execution: Suspicious Cron Modification
  • Execution: Suspicious OpenSSL Shared Object Loaded
  • Exfiltration: Launch Remote File Copy Tools in Container
  • Impact: Detect Malicious Cmdlines
  • Impact: Remove Bulk Data From Disk
  • Impact: Suspicious crypto mining activity using the Stratum Protocol
  • Malicious Script Executed
  • Malicious URL Observed
  • Persistence: Modify ld.so.preload
  • Privilege Escalation: Fileless Execution in /dev/shm
  • Reverse Shell
  • Unexpected Child Shell
  • Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
  • Execution: Socat Reverse Shell Detected
  • Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)
  • Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
  • Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)
Log-based finding types

The following log-based detections are available with Event Threat Detection:

  • Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR)
  • Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR)
  • Credential Access: Secrets Accessed In Kubernetes Namespace
  • Defense Evasion: Anonymous Sessions Granted Cluster Admin Access
  • Defense Evasion: Breakglass Workload Deployment Created
  • Defense Evasion: Breakglass Workload Deployment Updated
  • Defense Evasion: Manually Deleted Certificate Signing Request (CSR)
  • Defense Evasion: Potential Kubernetes Pod Masquerading
  • Defense Evasion: Static Pod Created
  • Discovery: Can get sensitive Kubernetes object check
  • Execution: GKE launch excessively capable container
  • Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments
  • Execution: Suspicious Exec or Attach to a System Pod
  • Execution: Workload triggered in sensitive namespace
  • Impact: GKE kube-dns modification detected
  • Impact: Suspicious Kubernetes Container Names - Cryptocurrency Mining
  • Initial Access: Anonymous GKE Resource Created from the Internet
  • Initial Access: GKE NodePort service created
  • Initial Access: GKE Resource Modified Anonymously from the Internet
  • Initial Access: Successful API call made from a TOR proxy IP
  • Persistence: GKE Webhook Configuration Detected
  • Persistence: Service Account Created in sensitive namespace
  • Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
  • Privilege Escalation: ClusterRole with Privileged Verbs
  • Privilege Escalation: ClusterRoleBinding to Privileged Role
  • Privilege Escalation: Create Kubernetes CSR for master cert
  • Privilege Escalation: Creation of sensitive Kubernetes bindings
  • Privilege Escalation: Effectively Anonymous Users Granted GKE Cluster Access
  • Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
  • Privilege Escalation: Launch of privileged Kubernetes container
  • Privilege Escalation: Suspicious Kubernetes Container Names - Exploitation and Escape
  • Privilege Escalation: Workload Created with a Sensitive Host Path Mount
  • Privilege Escalation: Workload with shareProcessNamespace enabled
What's next