Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
A malicious binary that was not part of the original container image was
executed. Attackers commonly install exploitation tooling and malware after
the initial compromise.
Open the Execution: Added Malicious Binary Executed finding as directed in
Reviewing
findings.
Review the details on the Summary and JSON tabs.
On the Summary tab, review the information in the following sections:
What was detected, especially the following fields:
Program binary: the absolute path of the added binary
Arguments: the arguments provided when invoking the added binary
Containers: the name of the affected container
Containers URI: the name of the container image being deployed
Affected resource, especially the following fields:
Resource full name: the full resource name
of the affected Cloud Run resource
Related links, especially the following fields:
VirusTotal indicator: link to the VirusTotal analysis page
Identify other findings that occurred at a similar time for the affected
container. Related findings might indicate that this activity was malicious,
instead of a failure to follow best practices.
Check the SHA-256 hash value for the binary flagged as malicious on
VirusTotal by clicking the link in
VirusTotal indicator. VirusTotal is an Alphabet-owned service that
provides context on potentially malicious files, URLs, domains, and IP
addresses.
To develop a response plan, combine your
investigation results with the MITRE research and VirusTotal analysis.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nA malicious binary that was not part of the original container image was\nexecuted. Attackers commonly install exploitation tooling and malware after\nthe initial compromise.\n\nDetection service\n\n[Cloud Run Threat Detection](/security-command-center/docs/cloud-run-threat-detection-overview)\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nReview finding details\n\n1. Open the `Execution: Added Malicious Binary Executed` finding as directed in\n [Reviewing\n findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).\n Review the details on the **Summary** and **JSON** tabs.\n\n2. On the **Summary** tab, review the information in the following sections:\n\n - **What was detected** , especially the following fields:\n - **Program binary**: the absolute path of the added binary\n - **Arguments**: the arguments provided when invoking the added binary\n - **Containers**: the name of the affected container\n - **Containers URI**: the name of the container image being deployed\n - **Affected resource** , especially the following fields:\n - **Resource full name** : the [full resource name](/apis/design/resource_names) of the affected Cloud Run resource\n - **Related links** , especially the following fields:\n - **VirusTotal indicator**: link to the VirusTotal analysis page\n3. Identify other findings that occurred at a similar time for the affected\n container. Related findings might indicate that this activity was malicious,\n instead of a failure to follow best practices.\n\n4. Review the settings of the affected container.\n\n5. Check the logs for the affected container.\n\nResearch attack and response methods\n\n1. Review MITRE ATT\\&CK framework entries for this finding type: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105/), [Native API](https://attack.mitre.org/techniques/T1106/).\n2. Check the SHA-256 hash value for the binary flagged as malicious on [VirusTotal](https://www.virustotal.com) by clicking the link in **VirusTotal indicator**. VirusTotal is an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.\n3. To develop a response plan, combine your investigation results with the MITRE research and VirusTotal analysis.\n\nImplement your response\n\nFor response recommendations, see [Respond to Cloud Run threat\nfindings](/security-command-center/docs/respond-cloud-run-threats).\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
