This page describes how you can verify that Correlated Threats is working by emulating threats to intentionally trigger Security Command Center detectors and create findings. These threat findings then create Correlated Threats issues for each rule.
To learn more about Correlated Threats, see Correlated Threats overview. If you want to generate findings that produce Correlated Threats, you must enable the appropriate threat detection services in Security Command Center settings.
Set up your environment
These testing procedures require both a GKE cluster and the ability to provision Compute Engine VMs. Ensure that your test cluster is on a supported version of Google Kubernetes Engine (GKE). For more information, see Using a supported GKE version.
Before you test Correlated Threats, you need to first select a project with the appropriate GKE cluster, activate Cloud Shell, and set several environment variables. To do this, follow these steps:
Go to the Google Cloud console.
Select the project where you want to test the Correlated Threats.
Click Activate Cloud Shell.
In Cloud Shell, set environment variables.
Specify the zone where your cluster is located:
Specify the zone where your cluster is located:

export ZONE=CLUSTER_ZONE

Enter the ID of the project where your cluster is located:

export PROJECT=PROJECT_ID

Specify the name of your test cluster:

export CLUSTER_NAME=CLUSTER_NAME

Obtain the credentials for your cluster:

gcloud container clusters get-credentials $CLUSTER_NAME \
  --zone $ZONE \
  --project $PROJECT
Emulate a cryptocurrency mining attack
This section describes how to emulate cryptocurrency mining and create a Correlated Threats issue using the Google Cloud console and Cloud Shell. To do this, you first activate Cloud Shell, select a project, and then perform the test.
To test Correlated Threats by emulating cryptocurrency mining, follow these steps:
To trigger a cryptocurrency Correlated Threats issue, create two findings:
Execution: Netcat Remote Code Execution In Container and Malware: Cryptomining Bad IP. To trigger these two findings, run the following command:

tag="correlated-threat-test-crypto-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
kubectl run \
  --restart=Never \
  --image marketplace.gcr.io/google/ubuntu2404:latest \
  "$tag" -- bash -c \
  "apt-get update ; apt-get install -y curl ; cp /bin/ls /tmp/curl; /tmp/curl --url=stratum+tcp ; for i in {1..5}; do curl 34.66.147.47 > /dev/null; done; sleep infinity"

It can take up to an hour for the Correlated Threats issue to appear.
After the Correlated Threats issue is generated, perform cleanup by running the following command to delete the Kubernetes pod used for testing.
kubectl delete pod "$tag"
Emulate a malware attack
This section describes how to emulate a malware attack and create a Correlated Threats issue using the Google Cloud console and Cloud Shell. To do this, first activate Cloud Shell, select a project, and then perform the test.
To test Correlated Threats by emulating a malware attack, follow these steps:
To trigger a malware Correlated Threats issue, you create two findings:
Execution: Local Reconnaissance Tool Execution and Execution: Added Malicious Binary Executed. To create an Ubuntu 24.04 Pod in your GKE cluster and trigger these two findings, run the following command:

tag="correlated-threat-test-malware-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
kubectl run \
  --restart=Never \
  --image marketplace.gcr.io/google/ubuntu2404:latest \
  "$tag" -- sh -c \
  "cp /bin/ls /tmp/linenum.sh; /tmp/linenum.sh; touch /tmp/test_mal_file; echo -n '$eicar' > /tmp/test_mal_file; chmod 700 /tmp/test_mal_file; /tmp/test_mal_file; sleep infinity"

It can take up to an hour for the Correlated Threats issue to appear.
After the correlated threat issue is generated, perform cleanup by running the following command to delete the Kubernetes pod used for testing.
kubectl delete pod "$tag"
Emulate a lateral movement attack
This section describes how to emulate a lateral movement attack and create a Correlated Threats issue using the Google Cloud console and Cloud Shell. To do this, you first activate Cloud Shell, select a project, and then perform the test.
To test Correlated Threats by emulating a lateral movement attack, follow these steps:
Create a file named lateral_movement_test.sh with the following content. This script creates multiple Compute Engine VMs and generates the following two findings: Lateral Movement: Modified Boot Disk Attached to Instance and Malware: Bad IP.

#!/bin/bash
# emulates a boot disk swap followed by malicious IP to trigger correlated threats.

# Default values
IMAGE_FAMILY="debian-12"
IMAGE_PROJECT="debian-cloud"
TIMESTAMP=$(date +%s)
TARGET_INSTANCE_NAME="target-vm-${TIMESTAMP}"
WORKER_INSTANCE_NAME="worker-vm-${TIMESTAMP}"
PROJECT_ID=""
ZONE=""

# --- Usage function ---
usage() {
  echo "Usage: $0 --project_id <PROJECT_ID> --zone <ZONE> [OPTIONS]"
  echo "emulates a boot disk swap followed by malicious IP to trigger correlated threats."
  echo
  echo "Required arguments:"
  echo "  --project_id <PROJECT_ID>  Your Google Cloud Project ID"
  echo "  --zone <ZONE>              The Google Cloud zone to create resources in (e.g., us-central1-a)"
  echo
  echo "Optional arguments:"
  echo "  --help                     Display this help message"
}

# --- Parse arguments ---
while [[ $# -gt 0 ]]; do
  case "$1" in
    --project_id)
      PROJECT_ID="$2"
      shift 2
      ;;
    --zone)
      ZONE="$2"
      shift 2
      ;;
    --help)
      usage
      exit 0
      ;;
    *)
      echo "Unknown option: $1"
      usage
      exit 1
      ;;
  esac
done

# --- Validate required arguments ---
if [[ -z "${PROJECT_ID}" ]]; then
  echo "Error: --project_id is required."
  usage
  exit 1
fi
if [[ -z "${ZONE}" ]]; then
  echo "Error: --zone is required."
  usage
  exit 1
fi

# The boot disk name defaults to the instance name
BOOT_DISK_NAME=$TARGET_INSTANCE_NAME

set -e

echo "Starting script with the following settings:"
echo "PROJECT_ID: ${PROJECT_ID}"
echo "ZONE: ${ZONE}"
echo "TARGET_INSTANCE_NAME: ${TARGET_INSTANCE_NAME}"
echo "WORKER_INSTANCE_NAME: ${WORKER_INSTANCE_NAME}"
echo "BOOT_DISK_NAME: ${BOOT_DISK_NAME}"
echo "IMAGE_FAMILY: ${IMAGE_FAMILY}"
echo "IMAGE_PROJECT: ${IMAGE_PROJECT}"
echo "--------------------------------------------------"

gcloud config set project "${PROJECT_ID}"
gcloud config set compute/zone "${ZONE}"

# Function to run gcloud commands with --quiet
run_gcloud() {
  echo "Running: gcloud $@"
  gcloud "$@" --quiet
}

echo "Step 1: Create target VM: ${TARGET_INSTANCE_NAME}"
run_gcloud compute instances create "${TARGET_INSTANCE_NAME}" \
  --image-family="${IMAGE_FAMILY}" \
  --image-project="${IMAGE_PROJECT}" \
  --no-address

echo "Step 2: Create worker VM: ${WORKER_INSTANCE_NAME}"
run_gcloud compute instances create "${WORKER_INSTANCE_NAME}" \
  --image-family="${IMAGE_FAMILY}" \
  --image-project="${IMAGE_PROJECT}" \
  --no-address

echo "Step 3: Stop target VM: ${TARGET_INSTANCE_NAME}"
run_gcloud compute instances stop "${TARGET_INSTANCE_NAME}"

echo "Step 4: Detach boot disk from target VM"
run_gcloud compute instances detach-disk "${TARGET_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}"

echo "Step 5: Attach disk to worker VM: ${WORKER_INSTANCE_NAME}"
run_gcloud compute instances attach-disk "${WORKER_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}"
echo " << At this point, the disk is attached to the worker VM >>"
echo " << Malicious modifications could theoretically be made here >>"

echo "Step 6: Detach disk from worker VM"
run_gcloud compute instances detach-disk "${WORKER_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}"

echo "Step 7: Re-attach disk to target VM as boot disk"
run_gcloud compute instances attach-disk "${TARGET_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}" --boot

echo "Step 8: Start target VM"
run_gcloud compute instances start "${TARGET_INSTANCE_NAME}"

echo -n "Step 9: Wait for instance SSH to be available"
until gcloud compute ssh "${TARGET_INSTANCE_NAME}" --command="true" 2>/dev/null
do
  echo -n "."
  sleep 2
done
echo

echo "Step 10: Trigger bad IP findings"
run_gcloud compute ssh "${TARGET_INSTANCE_NAME}" --command="for i in {1..5}; do curl 34.66.147.47 > /dev/null 2>/dev/null; done;"

echo "Step 11: Delete worker VM: ${WORKER_INSTANCE_NAME}"
run_gcloud compute instances delete "${WORKER_INSTANCE_NAME}"

echo "--- Testing Complete ---"
echo "The script has completed executing the patterns to trigger a correlated"
echo "threats issue. Check the Security Command Center Issues page to view the issue."
echo "Check Security Command Center for findings."
echo
echo "After observing the correlated threat issue in Security Command Center"
echo "use this command to delete ${TARGET_INSTANCE_NAME}."
echo " gcloud compute instances delete ${TARGET_INSTANCE_NAME}"
# Record the target VM name so the cleanup step can find it
echo ${TARGET_INSTANCE_NAME} > ./.lateral_movement_test_name

Make the script executable:

chmod +x lateral_movement_test.sh

To generate findings, run the script:

./lateral_movement_test.sh --project_id $PROJECT --zone $ZONE

It can take up to an hour for the Correlated Threats issue to appear.
After the issue is generated, perform cleanup using the command provided in the output of the test script.
gcloud compute instances delete $(cat .lateral_movement_test_name)
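Each Correlated Threats issue on this page depends on two specific findings having been generated first. The following Cloud Shell helper is an added example, not part of the Google Cloud page: it takes a list of observed finding categories and reports which of the pair a given test (crypto, malware or lateral) still lacks, so you can tell whether the detectors fired before waiting the full hour for the issue. The function names, the gcloud invocation in list_categories and its format string are assumptions; confirm them against your gcloud release.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud page: a Cloud Shell helper that
# reports whether both findings a Correlated Threats rule on this page depends
# on have already appeared, so you know whether to keep waiting for the issue.

# Print, one per line, the two finding categories that a given test on this
# page must produce (names copied verbatim from the page).
required_categories() {
  case "$1" in
    crypto)
      printf '%s\n' 'Execution: Netcat Remote Code Execution In Container' \
        'Malware: Cryptomining Bad IP' ;;
    malware)
      printf '%s\n' 'Execution: Local Reconnaissance Tool Execution' \
        'Execution: Added Malicious Binary Executed' ;;
    lateral)
      printf '%s\n' 'Lateral Movement: Modified Boot Disk Attached to Instance' \
        'Malware: Bad IP' ;;
    *) echo "unknown test: $1" >&2; return 2 ;;
  esac
}

# Assumed gcloud invocation and format string (confirm against
# `gcloud scc findings list --help`): print the category of every active
# finding under PARENT, for example projects/PROJECT_ID.
list_categories() {
  gcloud scc findings list "$1" --filter='state="ACTIVE"' \
    --format='value(finding.category)'
}

# missing_categories TEST OBSERVED
# OBSERVED is a newline-separated category list (e.g. list_categories output).
# Prints each required category not yet observed and returns 1; returns 0 when
# both are present. Matching is literal (-F) and whole-line (-x), so
# "Malware: Bad IP" does not satisfy "Malware: Cryptomining Bad IP".
missing_categories() {
  _req=$(required_categories "$1") || return 2
  _obs=$(mktemp) || return 2
  printf '%s\n' "$2" | grep -v '^$' > "$_obs" || true   # drop blank lines
  _miss=$(printf '%s\n' "$_req" | grep -Fvx -f "$_obs") || true
  rm -f "$_obs"
  [ -z "$_miss" ] && return 0
  printf '%s\n' "$_miss"
  return 1
}

# Usage in Cloud Shell after one of the tests above (PROJECT set as on this page):
#   missing_categories crypto "$(list_categories "projects/$PROJECT")" \
#     && echo "both findings present; the issue can still take up to an hour"
```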
What's next
- Learn how Correlated Threats works.