Test correlated threats

This page describes how to verify that correlated threats are working by simulating threats that deliberately trigger Security Command Center detectors and create findings. Those threat findings then create a correlated-threat issue for each rule.

For more information about correlated threats, see the correlated threats overview. To generate findings that can produce correlated threats, the corresponding threat detection services must be enabled in Security Command Center settings.

Set up your environment

These test procedures require a GKE cluster and the ability to configure Compute Engine VMs. Make sure that your test cluster runs a supported Google Kubernetes Engine (GKE) version. For details, see Use supported GKE versions.

Before you test correlated threats, select a project that contains a suitable GKE cluster, activate Cloud Shell, and set several environment variables. To do so, follow these steps:

  1. Go to the Google Cloud console.

  2. Select the project in which you want to test correlated threats.

  3. Click Activate Cloud Shell.

  4. In Cloud Shell, set the environment variables.

    1. Specify the zone in which the cluster is located:

      export ZONE=CLUSTER_ZONE
      
    2. Enter the ID of the project that contains the cluster:

      export PROJECT=PROJECT_ID
      
    3. Specify the name of the test cluster:

      export CLUSTER_NAME=CLUSTER_NAME
      
    4. Get the credentials for the cluster:

      gcloud container clusters get-credentials $CLUSTER_NAME \
          --zone $ZONE \
          --project $PROJECT
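
The following pre-flight check is an added example and is not part of the Google Cloud documentation. It confirms that the three variables above are set and that the current kubectl context is the one that get-credentials creates for the cluster (gke_PROJECT_ZONE_CLUSTER for a zonal cluster), so that the test Pods in the later sections land in the intended cluster and not in whichever context happened to be active. The function names are the example's own; it assumes gcloud and kubectl are available, as they are in Cloud Shell.

```bash
#!/bin/bash
# Added example (not from the Google Cloud documentation): pre-flight check before
# running the correlated-threat tests. Function names are this example's own.

# Return 0 when every variable named in the arguments is set and non-empty,
# 1 otherwise; the names that are missing are reported on stderr.
require_vars() {
  missing=0
  for name in "$@"; do
    # Indirect lookup that works in both sh and bash.
    value=$(eval "printf '%s' \"\${$name:-}\"")
    if [ -z "$value" ]; then
      echo "missing or empty: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Name of the kubectl context that `gcloud container clusters get-credentials`
# creates for a zonal cluster: gke_<project>_<zone>_<cluster>.
gke_context_name() {
  printf 'gke_%s_%s_%s' "$1" "$2" "$3"
}

# Check the variables and make sure kubectl currently points at CLUSTER_NAME.
preflight() {
  require_vars ZONE PROJECT CLUSTER_NAME || return 1
  expected=$(gke_context_name "$PROJECT" "$ZONE" "$CLUSTER_NAME")
  current=$(kubectl config current-context 2>/dev/null) || current=""
  if [ "$current" != "$expected" ]; then
    echo "kubectl context is '$current', expected '$expected';" \
         "run gcloud container clusters get-credentials first" >&2
    return 1
  fi
  echo "ok: kubectl context is $current"
}

# Run the check only when invoked as: ./preflight.sh --check
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

Source the file in Cloud Shell after setting the variables and call preflight, or run it with --check; a non-zero exit means the environment is not ready for the simulations that follow.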
      

Simulate a cryptomining attack

This section describes how to simulate cryptomining by using the Google Cloud console and Cloud Shell, and thereby create a correlated-threat issue. To do so, activate Cloud Shell, select a project, and then run the test.

To test correlated threats by simulating cryptomining, follow these steps:

  1. Set up your environment.

  2. To trigger a cryptomining correlated-threat issue, create two findings: Execution: Netcat Remote Code Execution In Container and Malware: Cryptomining Bad IP. To trigger both findings, run the following command:

      tag="correlated-threat-test-crypto-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "apt-get update ; apt-get install -y curl ; cp /bin/ls /tmp/curl; /tmp/curl --url=stratum+tcp ; for i in {1..5}; do curl 34.66.147.47 > /dev/null; done; sleep infinity"
    

    The correlated-threat issue can take up to 1 hour to appear.

  3. After the correlated-threat issue is generated, clean up by running the following command to delete the Kubernetes Pod that was used for testing.

      kubectl delete pod "$tag"
    

Simulate a malware attack

This section describes how to simulate a malware attack by using the Google Cloud console and Cloud Shell, and thereby create a correlated-threat issue. To do so, activate Cloud Shell, select a project, and then run the test.

To test correlated threats by simulating a malware attack, follow these steps:

  1. Set up your environment.

  2. To trigger a malware correlated-threat issue, create two findings: Execution: Local Reconnaissance Tool Execution and Execution: Added Malicious Binary Executed. To create an Ubuntu 24.04 Pod in the GKE cluster and trigger both findings, run the following command:

      tag="correlated-threat-test-malware-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
      kubectl run \
          --restart=Never \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- sh -c \
          "cp /bin/ls /tmp/linenum.sh; /tmp/linenum.sh; touch /tmp/test_mal_file; echo -n '$eicar' > /tmp/test_mal_file; chmod 700 /tmp/test_mal_file; /tmp/test_mal_file; sleep infinity"
    

    The correlated-threat issue can take up to 1 hour to appear.

  3. After the correlated-threat issue is generated, clean up by running the following command to delete the Kubernetes Pod that was used for testing.

      kubectl delete pod "$tag"
    

Simulate a lateral movement attack on GKE

This section describes how to simulate a lateral movement attack on GKE by using the Google Cloud console and Cloud Shell, and thereby create a correlated-threat issue. To do so, activate Cloud Shell, select a project, and then run the test.

To test correlated threats by simulating a lateral movement attack, follow these steps:

  1. Set up your environment.

  2. To trigger a lateral movement correlated-threat issue, create the following two findings: Privilege Escalation: Launch of privileged Kubernetes container and Execution: Container Escape. To create an Ubuntu Pod in the GKE cluster and trigger both findings, run the following command:

      tag="correlated-threat-test-podlatmove-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --image ubuntu "$tag" \
          --privileged \
          -- bash -c \
             "cp /bin/ls /tmp/botb-linux-amd64; sleep 60; /tmp/botb-linux-amd64 -autopwn; sleep infinity"
    

    The correlated-threat issue can take up to 1 hour to appear.

  3. After the correlated-threat issue is generated, clean up by running the following command to delete the Kubernetes Pod that was used for testing.

      kubectl delete pod "$tag"
    

Simulate a lateral movement attack on Compute Engine

This section describes how to simulate a lateral movement attack on Compute Engine by using the Google Cloud console and Cloud Shell, and thereby create a correlated-threat issue. To do so, activate Cloud Shell, select a project, and then run the test.

To test correlated threats by simulating a lateral movement attack, follow these steps:

  1. Set up your environment.

  2. Create a file named lateral_movement_test.sh with the following content. This script creates several Compute Engine VMs and generates the following two findings: Lateral Movement: Modified Boot Disk Attached to Instance and Malware: Bad IP.

      #!/bin/bash
      # Emulates a boot disk swap followed by a connection to a malicious IP to trigger correlated threats.

      # Default values
      IMAGE_FAMILY="debian-12"
      IMAGE_PROJECT="debian-cloud"
      TIMESTAMP=$(date +%s)
      TARGET_INSTANCE_NAME="target-vm-${TIMESTAMP}"
      WORKER_INSTANCE_NAME="worker-vm-${TIMESTAMP}"
      PROJECT_ID=""
      ZONE=""

      # --- Usage function ---
      usage() {
        echo "Usage: $0 --project_id <PROJECT_ID> --zone <ZONE> [OPTIONS]"
        echo "Emulates a boot disk swap followed by a connection to a malicious IP to trigger correlated threats."
        echo
        echo "Required arguments:"
        echo "  --project_id <PROJECT_ID>  Your Google Cloud Project ID"
        echo "  --zone <ZONE>              The Google Cloud zone to create resources in (e.g., us-central1-a)"
        echo
        echo "Optional arguments:"
        echo "  --help                     Display this help message"
      }

      # --- Parse arguments ---
      while [[ $# -gt 0 ]]; do
        case "$1" in
          --project_id)
            PROJECT_ID="$2"
            shift 2
            ;;
          --zone)
            ZONE="$2"
            shift 2
            ;;
          --help)
            usage
            exit 0
            ;;
          *)
            echo "Unknown option: $1"
            usage
            exit 1
            ;;
        esac
      done

      # --- Validate required arguments ---
      if [[ -z "${PROJECT_ID}" ]]; then
        echo "Error: --project_id is required."
        usage
        exit 1
      fi

      if [[ -z "${ZONE}" ]]; then
        echo "Error: --zone is required."
        usage
        exit 1
      fi

      # The boot disk name defaults to the instance name
      BOOT_DISK_NAME=$TARGET_INSTANCE_NAME

      # Abort on the first failing command so a half-finished disk swap is not left behind silently
      set -e

      echo "Starting script with the following settings:"
      echo "PROJECT_ID: ${PROJECT_ID}"
      echo "ZONE: ${ZONE}"
      echo "TARGET_INSTANCE_NAME: ${TARGET_INSTANCE_NAME}"
      echo "WORKER_INSTANCE_NAME: ${WORKER_INSTANCE_NAME}"
      echo "BOOT_DISK_NAME: ${BOOT_DISK_NAME}"
      echo "IMAGE_FAMILY: ${IMAGE_FAMILY}"
      echo "IMAGE_PROJECT: ${IMAGE_PROJECT}"
      echo "--------------------------------------------------"

      gcloud config set project "${PROJECT_ID}"
      gcloud config set compute/zone "${ZONE}"

      # Function to run gcloud commands with --quiet
      run_gcloud() {
        echo "Running: gcloud $*"
        gcloud "$@" --quiet
      }

      echo "Step 1: Create target VM: ${TARGET_INSTANCE_NAME}"
      run_gcloud compute instances create "${TARGET_INSTANCE_NAME}" \
        --image-family="${IMAGE_FAMILY}" \
        --image-project="${IMAGE_PROJECT}" \
        --no-address

      echo "Step 2: Create worker VM: ${WORKER_INSTANCE_NAME}"
      run_gcloud compute instances create "${WORKER_INSTANCE_NAME}" \
        --image-family="${IMAGE_FAMILY}" \
        --image-project="${IMAGE_PROJECT}" \
        --no-address

      echo "Step 3: Stop target VM: ${TARGET_INSTANCE_NAME}"
      run_gcloud compute instances stop "${TARGET_INSTANCE_NAME}"

      echo "Step 4: Detach boot disk from target VM"
      run_gcloud compute instances detach-disk "${TARGET_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}"

      echo "Step 5: Attach disk to worker VM: ${WORKER_INSTANCE_NAME}"
      run_gcloud compute instances attach-disk "${WORKER_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}"

      echo " << At this point, the disk is attached to the worker VM >>"
      echo " << Malicious modifications could theoretically be made here >>"

      echo "Step 6: Detach disk from worker VM"
      run_gcloud compute instances detach-disk "${WORKER_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}"

      echo "Step 7: Re-attach disk to target VM as boot disk"
      run_gcloud compute instances attach-disk "${TARGET_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}" --boot

      echo "Step 8: Start target VM"
      run_gcloud compute instances start "${TARGET_INSTANCE_NAME}"

      echo -n "Step 9: Wait for instance SSH to be available"
      until gcloud compute ssh "${TARGET_INSTANCE_NAME}" --command="true" 2>/dev/null
      do
        echo -n "."
        sleep 2
      done
      echo

      echo "Step 10: Trigger bad IP findings"
      run_gcloud compute ssh "${TARGET_INSTANCE_NAME}" --command="for i in {1..5}; do curl 34.66.147.47 > /dev/null 2>/dev/null; done;"

      echo "Step 11: Delete worker VM: ${WORKER_INSTANCE_NAME}"
      run_gcloud compute instances delete "${WORKER_INSTANCE_NAME}"

      echo "--- Testing Complete ---"
      echo "The script has completed executing the patterns to trigger a correlated"
      echo "threats issue.  Check the Security Command Center Issues page to view the issue."
      echo "Check Security Command Center for findings."
      echo
      echo "After observing the correlated threat issue in Security Command Center"
      echo "use this command to delete ${TARGET_INSTANCE_NAME}."
      echo "  gcloud compute instances delete ${TARGET_INSTANCE_NAME}"
      # Record the target VM name so the cleanup step can find it later
      echo "${TARGET_INSTANCE_NAME}" > ./.lateral_movement_test_name
    
  3. Make the script executable:

      chmod +x lateral_movement_test.sh
    
  4. To generate the findings, run the script:

      ./lateral_movement_test.sh --project_id $PROJECT --zone $ZONE
    

    The correlated-threat issue can take up to 1 hour to appear.

  5. After the issue is generated, clean up by using the command provided in the test script's output.

      gcloud compute instances delete $(cat .lateral_movement_test_name)
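
Each of the four simulations on this page (cryptomining, malware, lateral movement on GKE, and lateral movement on Compute Engine) only produces its correlated-threat issue once both of its findings are active, and the issue can lag by up to an hour. The helper below is an added example, not part of the Google Cloud documentation, that polls Security Command Center for exactly the finding categories each scenario is expected to produce and reports which are still missing, so you can tell a slow correlation from a simulation that did not fire. It assumes SCC_PARENT names the parent to query (for example projects/PROJECT_ID) and that gcloud scc findings list accepts the --filter and --format values shown; the scenario keys and function names are the example's own.

```bash
#!/bin/bash
# Added example, not part of the Google Cloud documentation: check whether the two
# findings a correlated-threat simulation is expected to produce are active.
# Assumptions (not stated on the page): SCC_PARENT holds the parent to query,
# e.g. projects/PROJECT_ID, and `gcloud scc findings list PARENT --filter --format`
# behaves as used in wait_for_findings; confirm against your gcloud version.

# Expected finding categories per scenario, one per line, taken from the
# procedures on this page. The scenario keys are this example's own.
expected_categories() {
  case "$1" in
    crypto)
      printf '%s\n' "Execution: Netcat Remote Code Execution In Container" \
                    "Malware: Cryptomining Bad IP" ;;
    malware)
      printf '%s\n' "Execution: Local Reconnaissance Tool Execution" \
                    "Execution: Added Malicious Binary Executed" ;;
    gke-lateral)
      printf '%s\n' "Privilege Escalation: Launch of privileged Kubernetes container" \
                    "Execution: Container Escape" ;;
    gce-lateral)
      printf '%s\n' "Lateral Movement: Modified Boot Disk Attached to Instance" \
                    "Malware: Bad IP" ;;
    *) echo "unknown scenario: $1" >&2; return 1 ;;
  esac
}

# Print the expected categories of scenario $1 that are absent from the observed
# list $2 (newline-separated category names). Prints nothing when all are present.
missing_categories() {
  expected_categories "$1" | while IFS= read -r c; do
    printf '%s\n' "$2" | grep -Fxq -- "$c" || printf '%s\n' "$c"
  done
}

# Build a findings filter that matches only active findings in the scenario's
# expected categories, e.g. state="ACTIVE" AND (category="..." OR category="...").
scc_filter() {
  filter=""
  while IFS= read -r c; do
    if [ -n "$filter" ]; then filter="$filter OR "; fi
    filter="${filter}category=\"$c\""
  done <<EOF
$(expected_categories "$1")
EOF
  printf 'state="ACTIVE" AND (%s)' "$filter"
}

# Poll Security Command Center until every expected finding is present or the
# timeout (default 3600 s, matching the page's "up to 1 hour") expires.
# Returns 0 when complete, 1 on timeout; still-missing categories go to stderr.
wait_for_findings() {
  scenario="$1"
  timeout="${2:-3600}"
  deadline=$(( $(date +%s) + timeout ))
  while :; do
    observed=$(gcloud scc findings list "$SCC_PARENT" \
                 --filter="$(scc_filter "$scenario")" \
                 --format='value(finding.category)' 2>/dev/null) || observed=""
    missing=$(missing_categories "$scenario" "$observed")
    if [ -z "$missing" ]; then
      echo "all expected findings for '$scenario' are active; the correlated-threat issue should follow"
      return 0
    fi
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timed out after ${timeout}s; still missing:" >&2
      echo "$missing" >&2
      return 1
    fi
    sleep 60
  done
}

# Usage after a simulation, for example:
#   SCC_PARENT=projects/$PROJECT wait_for_findings crypto
```

Run the matching scenario key right after the kubectl run command or the lateral_movement_test.sh script, and do the cleanup step only once wait_for_findings returns 0; if it times out with one category still missing, that detector (or the corresponding threat detection service in Security Command Center settings) is the place to look, not the correlation rule.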
    

What's next