| Finding | Resource type | Source |
| --- | --- | --- |
| Active Scan: Log4j Vulnerable to RCE | Network | Event Threat Detection |
| Added Binary Executed | Google Kubernetes Engine | Container Threat Detection |
| Added Library Loaded | Google Kubernetes Engine | Container Threat Detection |
| Brute force SSH | Compute Engine | Event Threat Detection |
| Cloud IDS: THREAT_IDENTIFIER | Network | Event Threat Detection |
| Collection: Pam.d Modification | Google Kubernetes Engine | Container Threat Detection |
| Command and Control: DNS Tunneling | Network | Event Threat Detection |
| Command and Control: Steganography Tool Detected | Google Kubernetes Engine | Container Threat Detection |
| Credential Access: Access Sensitive Files On Nodes | Google Kubernetes Engine | Container Threat Detection |
| Credential Access: CloudDB Failed login from Anonymizing Proxy IP | Database | Event Threat Detection |
| Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR) | Google Kubernetes Engine | Event Threat Detection |
| Credential Access: Find Google Cloud Credentials | Google Kubernetes Engine | Container Threat Detection |
| Credential Access: GPG Key Reconnaissance | Google Kubernetes Engine | Container Threat Detection |
| Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR) | Google Kubernetes Engine | Event Threat Detection |
| Credential Access: Search Private Keys or Passwords | Google Kubernetes Engine | Container Threat Detection |
| Credential Access: Secrets Accessed In Kubernetes Namespace | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Anonymous Sessions Granted Cluster Admin Access | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Base64 ELF File Command Line | Google Kubernetes Engine | Container Threat Detection |
| Defense Evasion: Base64 Encoded Python Script Executed | Google Kubernetes Engine | Container Threat Detection |
| Defense Evasion: Base64 Encoded Shell Script Executed | Google Kubernetes Engine | Container Threat Detection |
| Defense Evasion: Breakglass Workload Deployment Created | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Breakglass Workload Deployment Updated | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Disable or Modify Linux Audit System | Google Kubernetes Engine | Container Threat Detection |
| Defense Evasion: GCS Bucket IP Filtering Modified | Cloud Storage | Event Threat Detection |
| Defense Evasion: Launch Code Compiler Tool In Container | Google Kubernetes Engine | Container Threat Detection |
| Defense Evasion: Manually Deleted Certificate Signing Request (CSR) | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Modify VPC Service Control | IAM | Event Threat Detection |
| Defense Evasion: Organization-Level Service Account Token Creator Role Added | IAM | Event Threat Detection |
| Defense Evasion: Potential Kubernetes Pod Masquerading | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Project HTTP Policy Block Disabled | Cloud Storage | Event Threat Detection |
| Defense Evasion: Project-Level Service Account Token Creator Role Added | IAM | Event Threat Detection |
| Defense Evasion: Root Certificate Installed | Google Kubernetes Engine | Container Threat Detection |
| Defense Evasion: Rootkit | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Static Pod Created | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Unexpected ftrace handler | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected interrupt handler | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected kernel modules | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected kernel read-only data modification | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected kprobe handler | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected processes in runqueue | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected system call handler | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: VPC Route Masquerade Attempt | Network | Event Threat Detection |
| Discovery: Can get sensitive Kubernetes object check | Google Kubernetes Engine | Event Threat Detection |
| Discovery: Information Gathering Tool Used | IAM | Event Threat Detection |
| Discovery: Service Account Self-Investigation | IAM | Event Threat Detection |
| Discovery: Unauthorized Service Account API Call | IAM | Event Threat Detection |
| Evasion: Access from Anonymizing Proxy | IAM | Event Threat Detection |
| Execution: Added Malicious Binary Executed | Google Kubernetes Engine | Container Threat Detection |
| Execution: Added Malicious Library Loaded | Google Kubernetes Engine | Container Threat Detection |
| Execution: Built in Malicious Binary Executed | Google Kubernetes Engine | Container Threat Detection |
| Execution: Container Escape | Google Kubernetes Engine | Container Threat Detection |
| Execution: cryptocurrency mining combined detection | Compute Engine | Virtual Machine Threat Detection |
| Execution: Cryptocurrency Mining Hash Match | Compute Engine | Virtual Machine Threat Detection |
| Execution: Cryptocurrency Mining YARA Rule | Compute Engine | Virtual Machine Threat Detection |
| Execution: Cryptomining Docker Image | Cloud Run | Event Threat Detection |
| Execution: Fileless Execution in /memfd: | Google Kubernetes Engine | Container Threat Detection |
| Execution: GKE launch excessively capable container | Google Kubernetes Engine | Event Threat Detection |
| Execution: Ingress Nightmare Vulnerability Exploitation | Google Kubernetes Engine | Container Threat Detection |
| Execution: Kubernetes Attack Tool Execution | Google Kubernetes Engine | Container Threat Detection |
| Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments | Google Kubernetes Engine | Event Threat Detection |
| Execution: Local Reconnaissance Tool Execution | Google Kubernetes Engine | Container Threat Detection |
| Execution: Malicious Python executed | Google Kubernetes Engine | Container Threat Detection |
| Execution: Modified Malicious Binary Executed | Google Kubernetes Engine | Container Threat Detection |
| Execution: Modified Malicious Library Loaded | Google Kubernetes Engine | Container Threat Detection |
| Execution: Netcat Remote Code Execution in Container | Google Kubernetes Engine | Container Threat Detection |
| Execution: Possible Remote Command Execution Detected | Google Kubernetes Engine | Container Threat Detection |
| Execution: Program Run with Disallowed HTTP Proxy Env | Google Kubernetes Engine | Container Threat Detection |
| Execution: Suspicious Cron Modification | Google Kubernetes Engine | Container Threat Detection |
| Execution: Suspicious Exec or Attach to a System Pod | Google Kubernetes Engine | Event Threat Detection |
| Execution: Suspicious OpenSSL Shared Object Loaded | Google Kubernetes Engine | Container Threat Detection |
| Execution: Workload triggered in sensitive namespace | Google Kubernetes Engine | Event Threat Detection |
| Exfiltration: Cloud SQL Data Exfiltration | Database | Event Threat Detection |
| Exfiltration: Cloud SQL Over-Privileged Grant | Database | Event Threat Detection |
| Exfiltration: Cloud SQL Restore Backup to External Organization | Database | Event Threat Detection |
| Exfiltration: BigQuery Data Exfiltration | BigQuery | Event Threat Detection |
| Exfiltration: BigQuery Data Extraction | BigQuery | Event Threat Detection |
| Exfiltration: BigQuery Data to Google Drive | BigQuery | Event Threat Detection |
| Exfiltration: Launch Remote File Copy Tools in Container | Google Kubernetes Engine | Container Threat Detection |
| Exfiltration: Move to Public BigQuery resource | BigQuery | Event Threat Detection |
| Impact: Billing Disabled | IAM | Event Threat Detection |
| Impact: Billing Disabled | IAM | Event Threat Detection |
| Impact: Cryptomining Commands | Cloud Run | Event Threat Detection |
| Impact: Deleted Google Cloud Backup and DR Backup | Backup and DR | Event Threat Detection |
| Impact: Deleted Google Cloud Backup and DR host | Backup and DR | Event Threat Detection |
| Impact: Deleted Google Cloud Backup and DR plan association | Backup and DR | Event Threat Detection |
| Impact: Deleted Google Cloud Backup and DR Vault | Backup and DR | Event Threat Detection |
| Impact: Detect Malicious Cmdlines | Google Kubernetes Engine | Container Threat Detection |
| Impact: GKE kube-dns modification detected | Google Kubernetes Engine | Event Threat Detection |
| Impact: Google Cloud Backup and DR delete policy | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR delete profile | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR delete storage pool | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR delete template | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR expire all images | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR expire image | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR reduced backup expiration | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR reduced backup frequency | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR remove appliance | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR remove plan | Backup and DR | Event Threat Detection |
| Impact: Managed Instance Group Autoscaling Set To Maximum | Compute Engine | Event Threat Detection |
| Impact: Remove Bulk Data From Disk | Google Kubernetes Engine | Container Threat Detection |
| Impact: Service API Disabled | IAM | Event Threat Detection |
| Impact: Suspicious crypto mining activity using the Stratum Protocol | Google Kubernetes Engine | Container Threat Detection |
| Impact: Suspicious Kubernetes Container Names - Cryptocurrency Mining | Google Kubernetes Engine | Event Threat Detection |
| Impact: VPC Firewall High Priority Block | Network | Event Threat Detection |
| Impact: VPC Firewall Mass Rule Deletion | Network | Event Threat Detection |
| Persistence: Strong Authentication Disabled | Google Workspace | Event Threat Detection |
| Initial Access: Account Disabled Hijacked | Google Workspace | Event Threat Detection |
| Initial Access: Anonymous GKE Resource Created from the Internet | Google Kubernetes Engine | Event Threat Detection |
| Initial Access: CloudDB Successful login from Anonymizing Proxy IP | Database | Event Threat Detection |
| Initial Access: Database Superuser Writes to User Tables | Database | Event Threat Detection |
| Initial Access: Disabled Password Leak | Google Workspace | Event Threat Detection |
| Initial Access: Dormant Service Account Action | IAM | Event Threat Detection |
| Initial Access: Dormant Service Account Activity in AI Service | AI | Event Threat Detection |
| Initial Access: Dormant Service Account Key Created | IAM | Event Threat Detection |
| Initial Access: Excessive Permission Denied Actions | IAM | Event Threat Detection |
| Initial Access: GKE NodePort service created | Google Kubernetes Engine | Event Threat Detection |
| Initial Access: GKE Resource Modified Anonymously from the Internet | Google Kubernetes Engine | Event Threat Detection |
| Initial Access: Government Based Attack | Google Workspace | Event Threat Detection |
| Initial Access: Log4j Compromise Attempt | Network | Event Threat Detection |
| Initial Access: Successful API call made from a TOR proxy IP | Google Kubernetes Engine | Event Threat Detection |
| Initial Access: Suspicious Login Blocked | Google Workspace | Event Threat Detection |
| Lateral Movement: Modified Boot Disk Attached to Instance | Compute Engine | Event Threat Detection |
| Lateral Movement: OS Patch Execution From Service Account | Compute Engine | Event Threat Detection |
| Log4j Malware: Bad Domain | Network | Event Threat Detection |
| Log4j Malware: Bad IP | Network | Event Threat Detection |
| Malicious Script Executed | Google Kubernetes Engine | Container Threat Detection |
| Malicious URL Observed | Google Kubernetes Engine | Container Threat Detection |
| Malware: bad domain | Network | Event Threat Detection |
| Malware: bad IP | Network | Event Threat Detection |
| Malware: Cryptomining Bad Domain | Network | Event Threat Detection |
| Malware: Cryptomining Bad IP | Network | Event Threat Detection |
| Malware: Malicious file on disk | Amazon EC2 | Virtual Machine Threat Detection |
| Malware: Malicious file on disk (YARA) | Compute Engine | Virtual Machine Threat Detection |
| Persistence: IAM Anomalous Grant | IAM | Event Threat Detection |
| Persistence: GCE Admin Added SSH Key | Compute Engine | Event Threat Detection |
| Persistence: GCE Admin Added Startup Script | Compute Engine | Event Threat Detection |
| Persistence: GKE Webhook Configuration Detected | Google Kubernetes Engine | Event Threat Detection |
| Persistence: Global Startup Script Added | Compute Engine | Event Threat Detection |
| Persistence: Modify ld.so.preload | Google Kubernetes Engine | Container Threat Detection |
| Persistence: New AI API Method | AI | Event Threat Detection |
| Persistence: New API Method | IAM | Event Threat Detection |
| Persistence: New Geography | IAM | Event Threat Detection |
| Persistence: New Geography for AI Service | AI | Event Threat Detection |
| Persistence: New User Agent | IAM | Event Threat Detection |
| Persistence: Service Account Created in sensitive namespace | Google Kubernetes Engine | Event Threat Detection |
| Persistence: Service Account Key Created | IAM | Event Threat Detection |
| Persistence: SSO Enablement Toggle | Google Workspace | Event Threat Detection |
| Persistence: SSO Settings Changed | Google Workspace | Event Threat Detection |
| Persistence: Two Step Verification Disabled | Google Workspace | Event Threat Detection |
| Persistence: Unmanaged Account Granted Sensitive Role | IAM | Event Threat Detection |
| Privilege Escalation: AlloyDB Database Superuser Writes to User Tables | Database | Event Threat Detection |
| Privilege Escalation: AlloyDB Over-Privileged Grant | Database | Event Threat Detection |
| Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity | IAM | Event Threat Detection |
| Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity | AI | Event Threat Detection |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity | IAM | Event Threat Detection |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity | AI | Event Threat Detection |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access | AI | Event Threat Detection |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access | IAM | Event Threat Detection |
| Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity | IAM | Event Threat Detection |
| Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity | AI | Event Threat Detection |
| Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access | AI | Event Threat Detection |
| Privilege Escalation: Anomalous Service Account Impersonator for Data Access | IAM | Event Threat Detection |
| Privilege Escalation: Changes to sensitive Kubernetes RBAC objects | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: ClusterRole with Privileged Verbs | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: ClusterRoleBinding to Privileged Role | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Create Kubernetes CSR for master cert | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Creation of sensitive Kubernetes bindings | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy | Cloud Run | Event Threat Detection |
| Privilege Escalation: Dormant Service Account Granted Sensitive Role | IAM | Event Threat Detection |
| Privilege Escalation: Effectively Anonymous Users Granted GKE Cluster Access | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: External Member Added To Privileged Group | IAM | Event Threat Detection |
| Privilege Escalation: Fileless Execution in /dev/shm | Google Kubernetes Engine | Container Threat Detection |
| Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Global Shutdown Script Added | Compute Engine | Event Threat Detection |
| Privilege Escalation: Impersonation Role Granted For Dormant Service Account | IAM | Event Threat Detection |
| Privilege Escalation: Launch of privileged Kubernetes container | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: New Service Account is Owner or Editor | IAM | Event Threat Detection |
| Privilege Escalation: Privileged Group Opened To Public | IAM | Event Threat Detection |
| Privilege Escalation: Sensitive Role Granted To Hybrid Group | IAM | Event Threat Detection |
| Privilege Escalation: Suspicious Cross-Project Permission Use | IAM | Event Threat Detection |
| Privilege Escalation: Suspicious Kubernetes Container Names - Exploitation and Escape | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Suspicious Token Generation | IAM | Event Threat Detection |
| Privilege Escalation: Suspicious Token Generation | IAM | Event Threat Detection |
| Privilege Escalation: Suspicious Token Generation | IAM | Event Threat Detection |
| Privilege Escalation: Suspicious Token Generation | IAM | Event Threat Detection |
| Privilege Escalation: Workload Created with a Sensitive Host Path Mount | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Workload with shareProcessNamespace enabled | Google Kubernetes Engine | Event Threat Detection |
| Resource Development: Offensive Security Distro Activity | IAM | Event Threat Detection |
| Reverse Shell | Google Kubernetes Engine | Container Threat Detection |
| Unexpected Child Shell | Google Kubernetes Engine | Container Threat Detection |
| Initial Access: Leaked Service Account Key Used | IAM | Event Threat Detection |
| Account has leaked credentials | IAM | Anomaly Detection |
| Defense Evasion: Organization Policy Changed | IAM | Sensitive Actions Service |
| Defense Evasion: Remove Billing Admin | IAM | Sensitive Actions Service |
| Impact: GPU Instance Created | Compute Engine | Sensitive Actions Service |
| Impact: Many Instances Created | Compute Engine | Sensitive Actions Service |
| Impact: Many Instances Deleted | Compute Engine | Sensitive Actions Service |
| Persistence: Add Sensitive Role | IAM | Sensitive Actions Service |
| Persistence: Project SSH Key Added | IAM | Sensitive Actions Service |
| Execution: Added Malicious Binary Executed | Cloud Run | Cloud Run Threat Detection |
| Execution: Added Malicious Library Loaded | Cloud Run | Cloud Run Threat Detection |
| Execution: Built in Malicious Binary Executed | Cloud Run | Cloud Run Threat Detection |
| Execution: Container Escape | Cloud Run | Cloud Run Threat Detection |
| Execution: Kubernetes Attack Tool Execution | Cloud Run | Cloud Run Threat Detection |
| Execution: Local Reconnaissance Tool Execution | Cloud Run | Cloud Run Threat Detection |
| Execution: Malicious Python executed | Cloud Run | Cloud Run Threat Detection |
| Execution: Modified Malicious Binary Executed | Cloud Run | Cloud Run Threat Detection |
| Execution: Modified Malicious Library Loaded | Cloud Run | Cloud Run Threat Detection |
| Malicious Script Executed | Cloud Run | Cloud Run Threat Detection |
| Malicious URL Observed | Cloud Run | Cloud Run Threat Detection |
| Reverse Shell | Cloud Run | Cloud Run Threat Detection |
| Unexpected Child Shell | Cloud Run | Cloud Run Threat Detection |
| Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177) | Google Kubernetes Engine | Container Threat Detection |
| Execution: Socat Reverse Shell Detected | Google Kubernetes Engine | Container Threat Detection |
| Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287) | Google Kubernetes Engine | Container Threat Detection |
| Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) | Google Kubernetes Engine | Container Threat Detection |
| Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156) | Google Kubernetes Engine | Container Threat Detection |