Resultados de ameaças do GKE

O Security Command Center realiza a monitorização em tempo de execução e baseada em registos dos recursos do Google Kubernetes Engine.

Tipos de descobertas de tempo de execução

As seguintes deteções de tempo de execução estão disponíveis com a Deteção de ameaças de contentores:

• Added Binary Executed
• Added Library Loaded
• Collection: Pam.d Modification
• Command and Control: Piped Encoded Code Execution
• Command and Control: Piped Encoded Download
• Command and Control: Steganography Tool Detected
• Credential Access: Access Sensitive Files On Nodes
• Credential Access: Find Google Cloud Credentials
• Credential Access: GPG Key Reconnaissance
• Credential Access: Search Private Keys or Passwords
• Defense Evasion: Base64 ELF File Command Line
• Defense Evasion: Base64 Encoded Python Script Executed
• Defense Evasion: Base64 Encoded Shell Script Executed
• Defense Evasion: Disable or Modify Linux Audit System
• Defense Evasion: Launch Code Compiler Tool In Container
• Defense Evasion: Root Certificate Installed
• Execution: Added Malicious Binary Executed
• Execution: Added Malicious Library Loaded
• Execution: Built in Malicious Binary Executed
• Execution: Container Escape
• Execution: Fileless Execution in /memfd:
• Execution: Ingress Nightmare Vulnerability Exploitation
• Execution: Kubernetes Attack Tool Execution
• Execution: Local Reconnaissance Tool Execution
• Execution: Malicious Python executed
• Execution: Modified Malicious Binary Executed
• Execution: Modified Malicious Library Loaded
• Execution: Netcat Remote Code Execution in Container
• Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
• Execution: Possible Remote Command Execution Detected
• Execution: Program Run with Disallowed HTTP Proxy Env
• Execution: Socat Reverse Shell Detected
• Execution: Suspicious Cron Modification
• Execution: Suspicious OpenSSL Shared Object Loaded
• Exfiltration: Launch Remote File Copy Tools in Container
• Impact: Detect Malicious Cmdlines
• Impact: Remove Bulk Data From Disk
• Impact: Suspicious crypto mining activity using the Stratum Protocol
• Malicious Script Executed
• Malicious URL Observed
• Persistence: Modify ld.so.preload
• Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)
• Privilege Escalation: Fileless Execution in /dev/shm
• Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
• Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)
• Reverse Shell
• Unexpected Child Shell

Tipos de descobertas baseadas em registos

As seguintes deteções baseadas em registos estão disponíveis com a Deteção de ameaças de eventos:

• Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR)
• Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR)
• Credential Access: Secrets Accessed In Kubernetes Namespace
• Defense Evasion: Anonymous Sessions Granted Cluster Admin Access
• Defense Evasion: Breakglass Workload Deployment Created
• Defense Evasion: Breakglass Workload Deployment Updated
• Defense Evasion: Manually Deleted Certificate Signing Request (CSR)
• Defense Evasion: Potential Kubernetes Pod Masquerading
• Defense Evasion: Static Pod Created
• Discovery: Can get sensitive Kubernetes object check
• Execution: GKE launch excessively capable container
• Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments
• Execution: Suspicious Exec or Attach to a System Pod
• Execution: Workload triggered in sensitive namespace
• Impact: GKE kube-dns modification detected
• Impact: Suspicious Kubernetes Container Names - Cryptocurrency Mining
• Initial Access: Anonymous GKE Resource Created from the Internet
• Initial Access: GKE NodePort service created
• Initial Access: GKE Resource Modified Anonymously from the Internet
• Initial Access: Successful API call made from a TOR proxy IP
• Persistence: GKE Webhook Configuration Detected
• Persistence: Service Account Created in sensitive namespace
• Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
• Privilege Escalation: ClusterRole with Privileged Verbs
• Privilege Escalation: ClusterRoleBinding to Privileged Role
• Privilege Escalation: Create Kubernetes CSR for master cert
• Privilege Escalation: Creation of sensitive Kubernetes bindings
• Privilege Escalation: Effectively Anonymous Users Granted GKE Cluster Access
• Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
• Privilege Escalation: Launch of privileged Kubernetes container
• Privilege Escalation: Suspicious Kubernetes Container Names - Exploitation and Escape
• Privilege Escalation: Workload Created with a Sensitive Host Path Mount
• Privilege Escalation: Workload with shareProcessNamespace enabled

O que se segue?

• Saiba mais sobre a deteção de ameaças de contentores.
• Saiba mais sobre a Deteção de ameaças de eventos.
• Consulte o índice de resultados de ameaças.