This page explains how to simulate threats that deliberately trigger Security Command Center detectors and create findings, so that you can verify that the correlated threats feature is working. Those threat findings then create a correlated threat issue for each rule.
For more about correlated threats, see Correlated threats overview. To generate findings that produce correlated threats, you must enable the appropriate threat detection services in the Security Command Center settings.
Set up your environment
These test procedures require a GKE cluster and the ability to provision Compute Engine VMs. Make sure that the test cluster uses a supported Google Kubernetes Engine (GKE) version. For details, see Use a supported GKE version.
Before you test correlated threats, select a project that contains a suitable GKE cluster, activate Cloud Shell, and set several environment variables. The detailed steps are as follows:
Select the project in which you want to test correlated threats.
Click Activate Cloud Shell.
In Cloud Shell, set the environment variables.
Specify the zone in which the cluster is located:

export ZONE=CLUSTER_ZONE

Enter the ID of the project that contains the cluster:

export PROJECT=PROJECT_ID

Specify the name of the test cluster:

export CLUSTER_NAME=CLUSTER_NAME

Get the cluster credentials:

gcloud container clusters get-credentials $CLUSTER_NAME \
  --zone $ZONE \
  --project $PROJECT
Simulate a cryptomining attack
This section explains how to use the Google Cloud console and Cloud Shell to simulate cryptomining and create a correlated threat issue. To do this, activate Cloud Shell, select the project, and then run the test.
To test correlated threats by simulating cryptomining, follow these steps:
To trigger a cryptomining correlated threat issue, create two findings: Execution: Netcat Remote Code Execution In Container and Malware: Cryptomining Bad IP. To trigger both findings, run the following commands:

tag="correlated-threat-test-crypto-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
kubectl run \
  --restart=Never \
  --image marketplace.gcr.io/google/ubuntu2404:latest \
  "$tag" -- bash -c \
  "apt-get update ; apt-get install -y curl ; cp /bin/ls /tmp/curl; /tmp/curl --url=stratum+tcp ; for i in {1..5}; do curl 34.66.147.47 > /dev/null; done; sleep infinity"

The correlated threats issue can take up to an hour to appear.
After the correlated threat issue has been generated, clean up by running the following command to delete the Kubernetes Pod that was used for the test:

kubectl delete pod "$tag"
Simulate a malware attack
This section explains how to use the Google Cloud console and Cloud Shell to simulate a malware attack and create a correlated threat issue. To do this, activate Cloud Shell, select the project, and then run the test.
To test correlated threats by simulating a malware attack, follow these steps:
Set up your environment.
To trigger a malware correlated threat issue, create two findings: Execution: Local Reconnaissance Tool Execution and Execution: Added Malicious Binary Executed. To create an Ubuntu 24.04 Pod in the GKE cluster and trigger both findings, run the following commands:

tag="correlated-threat-test-malware-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
kubectl run \
  --restart=Never \
  --image marketplace.gcr.io/google/ubuntu2404:latest \
  "$tag" -- sh -c \
  "cp /bin/ls /tmp/linenum.sh; /tmp/linenum.sh; touch /tmp/test_mal_file; echo -n '$eicar' > /tmp/test_mal_file; chmod 700 /tmp/test_mal_file; /tmp/test_mal_file; sleep infinity"

The correlated threats issue can take up to an hour to appear.
After the correlated threat issue has been generated, clean up by running the following command to delete the Kubernetes Pod that was used for the test:

kubectl delete pod "$tag"
Simulate a lateral movement attack on GKE
This section explains how to use the Google Cloud console and Cloud Shell to simulate a lateral movement attack on GKE and create a correlated threat issue. To do this, activate Cloud Shell, select the project, and then run the test.
To test correlated threats by simulating a lateral movement attack, follow these steps:
Set up your environment.
To trigger a lateral movement correlated threat issue, create two findings: Privilege Escalation: Launch of privileged Kubernetes container and Execution: Container Escape. To create an Ubuntu Pod in the GKE cluster and trigger both findings, run the following commands:

tag="correlated-threat-test-podlatmove-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
kubectl run \
  --restart=Never \
  --image ubuntu "$tag" \
  --privileged \
  -- bash -c \
  "cp /bin/ls /tmp/botb-linux-amd64; sleep 60; /tmp/botb-linux-amd64 -autopwn; sleep infinity"

The correlated threats issue can take up to an hour to appear.
After the correlated threat issue has been generated, clean up by running the following command to delete the Kubernetes Pod that was used for the test:

kubectl delete pod "$tag"
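The cleanup steps in the cryptomining, malware, and GKE lateral movement sections above all rely on the `$tag` variable from the same Cloud Shell session; once that session is gone, the test Pods (which run `sleep infinity`) stay behind. The following POSIX shell helpers are an added example, not part of this Google Cloud documentation: they generate Pod names in the page's own naming convention and pick out leftover test Pods from `kubectl get pods -o name` output so they can be deleted later. `SAMPLE_PODS` is a constructed sample, and `cleanup_test_pods` assumes `kubectl` is already pointed at the test cluster.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): helpers for
# tracking and cleaning up the test Pods created by this page's procedures.
# Pod names follow the page's convention:
#   correlated-threat-test-<scenario>-<YYYY-MM-DD-HH-MM-SS>-utc
TEST_POD_PREFIX="correlated-threat-test-"

# Constructed sample of `kubectl get pods -o name` output for offline use.
SAMPLE_PODS='pod/correlated-threat-test-crypto-2024-05-01-12-00-00-utc
pod/nginx-7c8d-abcde
pod/correlated-threat-test-malware-2024-05-01-12-05-00-utc
pod/correlated-threat-test-crypto-not-a-timestamp'

# Print a fresh Pod name for a scenario (crypto, malware, podlatmove).
make_test_tag() {
  printf '%s%s-%s\n' "$TEST_POD_PREFIX" "$1" "$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
}

# Return 0 if $1 is a name that make_test_tag could have produced, else 1.
is_test_tag() {
  printf '%s\n' "$1" | grep -Eq \
    "^${TEST_POD_PREFIX}[a-z]+-[0-9]{4}(-[0-9]{2}){5}-utc$"
}

# Read `kubectl get pods -o name` lines on stdin and print the bare names of
# test Pods only, optionally restricted to one scenario given as $1.
filter_test_pods() {
  scenario="${1:-}"
  while IFS= read -r line; do
    name="${line#pod/}"
    is_test_tag "$name" || continue
    if [ -n "$scenario" ]; then
      case "$name" in
        "${TEST_POD_PREFIX}${scenario}-"*) ;;
        *) continue ;;
      esac
    fi
    printf '%s\n' "$name"
  done
  return 0
}

# Delete leftover test Pods in the current kubectl context (assumes kubectl is
# configured, as after the get-credentials step above). DRY_RUN=1 only lists.
cleanup_test_pods() {
  kubectl get pods -o name | filter_test_pods "${1:-}" | while IFS= read -r name; do
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "would delete pod $name"
    else kubectl delete pod "$name"; fi
  done
}
```

Run `DRY_RUN=1 cleanup_test_pods` first to see which Pods match, then `cleanup_test_pods` (or `cleanup_test_pods crypto` for one scenario) to delete them.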
Simulate a lateral movement attack on Compute Engine
This section explains how to use the Google Cloud console and Cloud Shell to simulate a lateral movement attack on Compute Engine and create a correlated threat issue. To do this, activate Cloud Shell, select the project, and then run the test.
To test correlated threats by simulating a lateral movement attack, follow these steps:
Set up your environment.
Create a file named lateral_movement_test.sh with the following contents. This script creates several Compute Engine VMs and generates the following two findings: Lateral Movement: Modified Boot Disk Attached to Instance and Malware: Bad IP.

#!/bin/bash
# emulates a boot disk swap followed by malicious IP to trigger correlated threats.

# Default values
IMAGE_FAMILY="debian-12"
IMAGE_PROJECT="debian-cloud"
TIMESTAMP=$(date +%s)
TARGET_INSTANCE_NAME="target-vm-${TIMESTAMP}"
WORKER_INSTANCE_NAME="worker-vm-${TIMESTAMP}"
PROJECT_ID=""
ZONE=""

# --- Usage function ---
usage() {
  echo "Usage: $0 --project_id <PROJECT_ID> --zone <ZONE> [OPTIONS]"
  echo "emulates a boot disk swap followed by malicious IP to trigger correlated threats."
  echo
  echo "Required arguments:"
  echo "  --project_id <PROJECT_ID>  Your Google Cloud Project ID"
  echo "  --zone <ZONE>              The Google Cloud zone to create resources in (e.g., us-central1-a)"
  echo
  echo "Optional arguments:"
  echo "  --help                     Display this help message"
}

# --- Parse arguments ---
while [[ $# -gt 0 ]]; do
  case "$1" in
    --project_id)
      PROJECT_ID="$2"
      shift 2
      ;;
    --zone)
      ZONE="$2"
      shift 2
      ;;
    --help)
      usage
      exit 0
      ;;
    *)
      echo "Unknown option: $1"
      usage
      exit 1
      ;;
  esac
done

# --- Validate required arguments ---
if [[ -z "${PROJECT_ID}" ]]; then
  echo "Error: --project_id is required."
  usage
  exit 1
fi
if [[ -z "${ZONE}" ]]; then
  echo "Error: --zone is required."
  usage
  exit 1
fi

# The boot disk name defaults to the instance name
BOOT_DISK_NAME=$TARGET_INSTANCE_NAME

set -e

echo "Starting script with the following settings:"
echo "PROJECT_ID: ${PROJECT_ID}"
echo "ZONE: ${ZONE}"
echo "TARGET_INSTANCE_NAME: ${TARGET_INSTANCE_NAME}"
echo "WORKER_INSTANCE_NAME: ${WORKER_INSTANCE_NAME}"
echo "BOOT_DISK_NAME: ${BOOT_DISK_NAME}"
echo "IMAGE_FAMILY: ${IMAGE_FAMILY}"
echo "IMAGE_PROJECT: ${IMAGE_PROJECT}"
echo "--------------------------------------------------"

gcloud config set project "${PROJECT_ID}"
gcloud config set compute/zone "${ZONE}"

# Function to run gcloud commands with --quiet
run_gcloud() {
  echo "Running: gcloud $*"
  gcloud "$@" --quiet
}

echo "Step 1: Create target VM: ${TARGET_INSTANCE_NAME}"
run_gcloud compute instances create "${TARGET_INSTANCE_NAME}" \
  --image-family="${IMAGE_FAMILY}" \
  --image-project="${IMAGE_PROJECT}" \
  --no-address

echo "Step 2: Create worker VM: ${WORKER_INSTANCE_NAME}"
run_gcloud compute instances create "${WORKER_INSTANCE_NAME}" \
  --image-family="${IMAGE_FAMILY}" \
  --image-project="${IMAGE_PROJECT}" \
  --no-address

echo "Step 3: Stop target VM: ${TARGET_INSTANCE_NAME}"
run_gcloud compute instances stop "${TARGET_INSTANCE_NAME}"

echo "Step 4: Detach boot disk from target VM"
run_gcloud compute instances detach-disk "${TARGET_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}"

echo "Step 5: Attach disk to worker VM: ${WORKER_INSTANCE_NAME}"
run_gcloud compute instances attach-disk "${WORKER_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}"
echo "  << At this point, the disk is attached to the worker VM >>"
echo "  << Malicious modifications could theoretically be made here >>"

echo "Step 6: Detach disk from worker VM"
run_gcloud compute instances detach-disk "${WORKER_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}"

echo "Step 7: Re-attach disk to target VM as boot disk"
run_gcloud compute instances attach-disk "${TARGET_INSTANCE_NAME}" --disk="${BOOT_DISK_NAME}" --boot

echo "Step 8: Start target VM"
run_gcloud compute instances start "${TARGET_INSTANCE_NAME}"

echo -n "Step 9: Wait for instance SSH to be available"
until gcloud compute ssh "${TARGET_INSTANCE_NAME}" --command="true" 2>/dev/null
do
  echo -n "."
  sleep 2
done
echo

echo "Step 10: Trigger bad IP findings"
run_gcloud compute ssh "${TARGET_INSTANCE_NAME}" --command="for i in {1..5}; do curl 34.66.147.47 > /dev/null 2>/dev/null; done;"

echo "Step 11: Delete worker VM: ${WORKER_INSTANCE_NAME}"
run_gcloud compute instances delete "${WORKER_INSTANCE_NAME}"

echo "--- Testing Complete ---"
echo "The script has completed executing the patterns to trigger a correlated"
echo "threats issue. Check the Security Command Center Issues page to view the issue."
echo "Check Security Command Center for findings."
echo
echo "After observing the correlated threat issue in Security Command Center"
echo "use this command to delete ${TARGET_INSTANCE_NAME}."
echo "  gcloud compute instances delete ${TARGET_INSTANCE_NAME}"
# Record the target VM name so the cleanup step can find it later
echo "${TARGET_INSTANCE_NAME}" > ./.lateral_movement_test_name

Make the script executable:

chmod +x lateral_movement_test.sh

To generate the findings, run the script:

./lateral_movement_test.sh --project_id $PROJECT --zone $ZONE

The correlated threats issue can take up to an hour to appear.
After the issue has been generated, clean up by using the command provided in the test script's output:

gcloud compute instances delete $(cat .lateral_movement_test_name)