Cloud Run Threat Detection overview
Stay organized with collections Save and categorize content based on your preferences.

Cloud Run Threat Detection is a built-in service of Security Command Center that continuously monitors the state of supported Cloud Run resources to detect the most common runtime attacks. If Cloud Run Threat Detection detects an attack, it generates a finding in Security Command Center in near real-time.

Cloud Run Threat Detection runtime detectors monitor Cloud Run resources for suspicious binaries and libraries and use natural language processing (NLP) to detect malicious Bash and Python code.

In addition, control plane detectors are available through Event Threat Detection. These detectors monitor the Cloud Logging stream of your organization or projects to detect potential attacks to the control plane of your Cloud Run resources.

Supported resources

Cloud Run Threat Detection monitors the following resources:

Supported execution environments

The supported execution environments differ for runtime detectors and control plane detectors.

Supported execution environments for runtime detectors

Cloud Run Threat Detection runtime detectors support only Cloud Run resources that run on the second generation execution environment. Consider the following before enabling Cloud Run Threat Detection:

When you enable Cloud Run Threat Detection, you can't create a Cloud Run service or service revision that runs on the first generation execution environment. The Cloud Run service must use the second generation execution environment. We recommend that you test your workloads on the second generation execution environment before enabling Cloud Run Threat Detection.
To enable runtime threat detection for a service, deploy a revision that sets the execution environment of the service to either the second generation or the default execution environment.

Supported execution environments for control plane detectors

The control plane detectors support both first and second generation execution environments.

How Cloud Run Threat Detection runtime threat detection works

When you enable Cloud Run Threat Detection, it collects telemetry from the supported Cloud Run resources to analyze processes, scripts, and libraries that might indicate a runtime attack. The following is the execution path when events are detected:

Cloud Run Threat Detection uses a watcher process to collect container and event information for the complete duration of a Cloud Run workload. It can take up to 20 seconds for the watcher process to start.
Cloud Run Threat Detection analyzes the collected event information to determine whether an event is indicative of an incident. It uses NLP to analyze Bash and Python scripts for malicious code.
- If Cloud Run Threat Detection identifies an incident, it reports the incident as a finding in Security Command Center.
- If Cloud Run Threat Detection doesn't identify an incident, no information is stored.
- All data collected is ephemeral and isn't persistently stored.

For information about how to review Cloud Run Threat Detection findings in the Google Cloud console, see Review findings.

Known issues

Instances of your Cloud Run services or jobs that live longer than seven days stop sending telemetry information.
If the watcher process prematurely stops in a running instance of your Cloud Run service or job, the watcher process doesn't restart. The instance stops sending telemetry information to Cloud Run Threat Detection. Cloud Run Threat Detection logs are absent from the instance logs. There is no indicator that a watcher process has stopped.

Detectors

This section lists the runtime and control plane detectors that are available. We regularly add new detectors as new cloud threats emerge.

Runtime detectors

Cloud Run Threat Detection includes the following runtime detectors:

Display name	API name	Description
Execution: Added Malicious Binary Executed	`CLOUD_RUN_ADDED_MALICIOUS_BINARY_EXECUTED`	A binary that meets the following conditions was executed: Identified as malicious based on threat intelligence Not part of the original container image If an added malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software.
Execution: Added Malicious Library Loaded	`CLOUD_RUN_ADDED_MALICIOUS_LIBRARY_LOADED`	A library that meets the following conditions was loaded: Identified as malicious based on threat intelligence Not part of the original container image If an added malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software.
Execution: Built in Malicious Binary Executed	`CLOUD_RUN_BUILT_IN_MALICIOUS_BINARY_EXECUTED`	A binary that meets the following conditions was executed: Identified as malicious based on threat intelligence Included in the original container image If a built-in malicious binary is executed, it's a sign that the attacker is deploying malicious containers. They may have gained control of a legitimate image repository or container build pipeline and injected a malicious binary into the container image.
Execution: Container Escape	`CLOUD_RUN_CONTAINER_ESCAPE`	A process was executed within the container that attempted to break out of the container's isolation, using known escape techniques or binaries. This type of attack can give the attacker access to the host system. These processes are identified as potential threats based on intelligence data. If a container escape attempt is detected, it might indicate that an attacker is exploiting vulnerabilities to break out of the container. As a result, the attacker might gain unauthorized access to the host system or broader infrastructure, compromising the entire environment.
Execution: Kubernetes Attack Tool Execution	`CLOUD_RUN_KUBERNETES_ATTACK_TOOL_EXECUTION`	A Kubernetes-specific attack tool was executed within the environment, which can indicate that an attacker is targeting Kubernetes cluster components. These attack tools are identified as potential threats based on intelligence data. If an attack tool is executed within the Kubernetes environment, it can suggest that an attacker has gained access to the cluster and is using the tool to exploit Kubernetes-specific vulnerabilities or configurations.
Execution: Local Reconnaissance Tool Execution	`CLOUD_RUN_LOCAL_RECONNAISSANCE_TOOL_EXECUTION`	A local reconnaissance tool not typically associated with the container or environment was executed, suggesting an attempt to gather internal system information. These reconnaissance tools are identified as potential threats based on intelligence data. If a reconnaissance tool is executed, it suggests that the attacker may be trying to map out the infrastructure, identify vulnerabilities, or collect data on system configurations to plan their next steps.
Execution: Malicious Python executed (Preview)	`CLOUD_RUN_MALICIOUS_PYTHON_EXECUTED`	A machine learning model identified the specified Python code as malicious. Attackers can use Python to transfer tools or other files from an external system into a compromised environment and execute commands without binaries. The detector uses NLP techniques to evaluate the content of executed Python code. Because this approach is not based on signatures, detectors can identify known and novel Python code. Note: If you enable data residency for the Saudi Arabia location, then this detector can't be enabled in the `me-central2` region and doesn't generate findings in that region.
Execution: Modified Malicious Binary Executed	`CLOUD_RUN_MODIFIED_MALICIOUS_BINARY_EXECUTED`	A binary that meets the following conditions was executed: Identified as malicious based on threat intelligence Included in the original container image Modified from the original container image during the runtime If a modified malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software.
Execution: Modified Malicious Library Loaded	`CLOUD_RUN_MODIFIED_MALICIOUS_LIBRARY_LOADED`	A library that meets the following conditions was loaded: Identified as malicious based on threat intelligence Included in the original container image Modified from the original container image during the runtime If a modified malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software.
Malicious Script Executed	`CLOUD_RUN_MALICIOUS_SCRIPT_EXECUTED`	A machine learning model identified the specified Bash code as malicious. Attackers can use Bash to transfer tools or other files from an external system into a compromised environment and execute commands without binaries. The detector uses NLP techniques to evaluate the content of executed Bash code. Because this approach is not based on signatures, detectors can identify known and novel malicious Bash code. Note: If you enable data residency for the Saudi Arabia location, then this detector can't be enabled in the `me-central2` region and doesn't generate findings in that region.
Malicious URL Observed	`CLOUD_RUN_MALICIOUS_URL_OBSERVED`	Cloud Run Threat Detection observed a malicious URL in the argument list of a running process. The detector checks URLs that are observed in the argument list of running processes against the lists of unsafe web resources that are maintained by the Google Safe Browsing service. If a URL is incorrectly classified as a phishing site or malware, report it at Reporting Incorrect Data.
Reverse Shell	`CLOUD_RUN_REVERSE_SHELL`	A process started with stream redirection to a remote connected socket. The detector looks for `stdin` bound to a remote socket. With a reverse shell, an attacker can communicate from a compromised workload to an attacker-controlled machine. The attacker can then command and control the workload—for example, as part of a botnet.
Unexpected Child Shell	`CLOUD_RUN_UNEXPECTED_CHILD_SHELL`	A process that does not normally invoke shells spawned a shell process. The detector monitors all process executions. When a shell is invoked, the detector generates a finding if the parent process is known to not typically invoke shells.

Control plane detectors

The following control plane detectors are available through Event Threat Detection. These detectors are enabled by default. You manage these detectors the same way you do other Event Threat Detection detectors. For more information, see Use Event Threat Detection.

Display name	API name	Log source types	Description
Impact: Cryptomining Commands (Preview)	`CLOUD_RUN_JOBS_CRYPTOMINING_COMMANDS`	Cloud Audit Logs: IAM System Event audit logs	Specific cryptomining commands were attached to a Cloud Run job during execution.
Execution: Cryptomining Docker Image (Preview)	`CLOUD_RUN_CRYPTOMINING_DOCKER_IMAGES`	Cloud Audit Logs: IAM System Event audit logs	Specific known bad docker images were attached to a new or existing Cloud Run service or job.
Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy (Preview)	`CLOUD_RUN_SERVICES_SET_IAM_POLICY`	Cloud Audit Logs: Admin Activity logs	The default Compute Engine service account was used to set the IAM policy for a Cloud Run service. This is a potential post exploit action when a Compute Engine token is compromised from a serverless service.

For deprecated and shut down rules, see Deprecations.

What's next

Learn how to use Cloud Run Threat Detection.
Learn how to use Event Threat Detection.