Résultats de détection des menaces visant GKE

Security Command Center effectue une surveillance de l'exécution et basée sur les journaux des ressources Google Kubernetes Engine.

Types de résultats d'exécution

Les détections d'exécution suivantes sont disponibles avec Container Threat Detection :

  • Added Binary Executed
  • Added Library Loaded
  • Collection: Pam.d Modification
  • Command and Control: Steganography Tool Detected
  • Credential Access: Access Sensitive Files On Nodes
  • Credential Access: Find Google Cloud Credentials
  • Credential Access: GPG Key Reconnaissance
  • Credential Access: Search Private Keys or Passwords
  • Defense Evasion: Base64 ELF File Command Line
  • Defense Evasion: Base64 Encoded Python Script Executed
  • Defense Evasion: Base64 Encoded Shell Script Executed
  • Defense Evasion: Disable or Modify Linux Audit System
  • Defense Evasion: Launch Code Compiler Tool In Container
  • Defense Evasion: Root Certificate Installed
  • Execution: Added Malicious Binary Executed
  • Execution: Added Malicious Library Loaded
  • Execution: Built in Malicious Binary Executed
  • Execution: Container Escape
  • Execution: Fileless Execution in /memfd:
  • Execution: Ingress Nightmare Vulnerability Exploitation
  • Execution: Kubernetes Attack Tool Execution
  • Execution: Local Reconnaissance Tool Execution
  • Execution: Malicious Python executed
  • Execution: Modified Malicious Binary Executed
  • Execution: Modified Malicious Library Loaded
  • Execution: Netcat Remote Code Execution in Container
  • Execution: Possible Remote Command Execution Detected
  • Execution: Program Run with Disallowed HTTP Proxy Env
  • Execution: Suspicious Cron Modification
  • Execution: Suspicious OpenSSL Shared Object Loaded
  • Exfiltration: Launch Remote File Copy Tools in Container
  • Impact: Detect Malicious Cmdlines
  • Impact: Remove Bulk Data From Disk
  • Impact: Suspicious crypto mining activity using the Stratum Protocol
  • Malicious Script Executed
  • Malicious URL Observed
  • Persistence: Modify ld.so.preload
  • Privilege Escalation: Fileless Execution in /dev/shm
  • Reverse Shell
  • Unexpected Child Shell
  • Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
  • Execution: Socat Reverse Shell Detected
  • Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)
  • Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
  • Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)

    • Types de résultats basés sur les journaux

    Les détections basées sur les journaux suivantes sont disponibles avec Event Threat Detection :

  • Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR)
  • Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR)
  • Credential Access: Secrets Accessed In Kubernetes Namespace
  • Defense Evasion: Anonymous Sessions Granted Cluster Admin Access
  • Defense Evasion: Breakglass Workload Deployment Created
  • Defense Evasion: Breakglass Workload Deployment Updated
  • Defense Evasion: Manually Deleted Certificate Signing Request (CSR)
  • Defense Evasion: Potential Kubernetes Pod Masquerading
  • Defense Evasion: Static Pod Created
  • Discovery: Can get sensitive Kubernetes object check
  • Execution: GKE launch excessively capable container
  • Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments
  • Execution: Suspicious Exec or Attach to a System Pod
  • Execution: Workload triggered in sensitive namespace
  • Impact: GKE kube-dns modification detected
  • Impact: Suspicious Kubernetes Container Names - Cryptocurrency Mining
  • Initial Access: Anonymous GKE Resource Created from the Internet
  • Initial Access: GKE NodePort service created
  • Initial Access: GKE Resource Modified Anonymously from the Internet
  • Initial Access: Successful API call made from a TOR proxy IP
  • Persistence: GKE Webhook Configuration Detected
  • Persistence: Service Account Created in sensitive namespace
  • Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
  • Privilege Escalation: ClusterRole with Privileged Verbs
  • Privilege Escalation: ClusterRoleBinding to Privileged Role
  • Privilege Escalation: Create Kubernetes CSR for master cert
  • Privilege Escalation: Creation of sensitive Kubernetes bindings
  • Privilege Escalation: Effectively Anonymous Users Granted GKE Cluster Access
  • Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
  • Privilege Escalation: Launch of privileged Kubernetes container
  • Privilege Escalation: Suspicious Kubernetes Container Names - Exploitation and Escape
  • Privilege Escalation: Workload Created with a Sensitive Host Path Mount
  • Privilege Escalation: Workload with shareProcessNamespace enabled

    • Étapes suivantes