| Finding | Resource | Detection service |
| --- | --- | --- |
| Active Scan: Log4j Vulnerable to RCE | Network | Event Threat Detection |
| Added Binary Executed | Google Kubernetes Engine | Container Threat Detection |
| Added Library Loaded | Google Kubernetes Engine | Container Threat Detection |
| Brute force SSH | Compute Engine | Event Threat Detection |
| Cloud IDS: THREAT_IDENTIFIER | Network | Event Threat Detection |
| Command and Control: Steganography Tool Detected | Google Kubernetes Engine | Container Threat Detection |
| Credential Access: CloudDB Failed login from Anonymizing Proxy IP | Database | Event Threat Detection |
| Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR) | Google Kubernetes Engine | Event Threat Detection |
| Credential Access: Find Google Cloud Credentials | Google Kubernetes Engine | Container Threat Detection |
| Credential Access: GPG Key Reconnaissance | Google Kubernetes Engine | Container Threat Detection |
| Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR) | Google Kubernetes Engine | Event Threat Detection |
| Credential Access: Search Private Keys or Passwords | Google Kubernetes Engine | Container Threat Detection |
| Credential Access: Secrets Accessed In Kubernetes Namespace | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Base64 ELF File Command Line | Google Kubernetes Engine | Container Threat Detection |
| Defense Evasion: Base64 Encoded Python Script Executed | Google Kubernetes Engine | Container Threat Detection |
| Defense Evasion: Base64 Encoded Shell Script Executed | Google Kubernetes Engine | Container Threat Detection |
| Defense Evasion: Breakglass Workload Deployment Created | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Breakglass Workload Deployment Updated | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: GCS Bucket IP Filtering Modified | Cloud Storage | Event Threat Detection |
| Defense Evasion: Launch Code Compiler Tool In Container | Google Kubernetes Engine | Container Threat Detection |
| Defense Evasion: Manually Deleted Certificate Signing Request (CSR) | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Modify VPC Service Control | IAM | Event Threat Detection |
| Defense Evasion: Potential Kubernetes Pod Masquerading | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Project HTTP Policy Block Disabled | Cloud Storage | Event Threat Detection |
| Defense Evasion: Rootkit | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Static Pod Created | Google Kubernetes Engine | Event Threat Detection |
| Defense Evasion: Unexpected ftrace handler | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected interrupt handler | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected kernel modules | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected kernel read-only data modification | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected kprobe handler | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected processes in runqueue | Compute Engine | Virtual Machine Threat Detection |
| Defense Evasion: Unexpected system call handler | Compute Engine | Virtual Machine Threat Detection |
| Discovery: Can get sensitive Kubernetes object check | Google Kubernetes Engine | Event Threat Detection |
| Discovery: Service Account Self-Investigation | IAM | Event Threat Detection |
| Evasion: Access from Anonymizing Proxy | IAM | Event Threat Detection |
| Execution: Added Malicious Binary Executed | Google Kubernetes Engine | Container Threat Detection |
| Execution: Added Malicious Library Loaded | Google Kubernetes Engine | Container Threat Detection |
| Execution: Built in Malicious Binary Executed | Google Kubernetes Engine | Container Threat Detection |
| Execution: Container Escape | Google Kubernetes Engine | Container Threat Detection |
| Execution: cryptocurrency mining combined detection | Compute Engine | Virtual Machine Threat Detection |
| Execution: Cryptocurrency Mining Hash Match | Compute Engine | Virtual Machine Threat Detection |
| Execution: Cryptocurrency Mining YARA Rule | Compute Engine | Virtual Machine Threat Detection |
| Execution: Cryptomining Docker Image | Cloud Run | Event Threat Detection |
| Execution: Fileless Execution in /memfd: | Google Kubernetes Engine | Container Threat Detection |
| Execution: GKE launch excessively capable container | Google Kubernetes Engine | Event Threat Detection |
| Execution: Ingress Nightmare Vulnerability Exploitation | Google Kubernetes Engine | Container Threat Detection |
| Execution: Kubernetes Attack Tool Execution | Google Kubernetes Engine | Container Threat Detection |
| Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments | Google Kubernetes Engine | Event Threat Detection |
| Execution: Local Reconnaissance Tool Execution | Google Kubernetes Engine | Container Threat Detection |
| Execution: Malicious Python executed | Google Kubernetes Engine | Container Threat Detection |
| Execution: Modified Malicious Binary Executed | Google Kubernetes Engine | Container Threat Detection |
| Execution: Modified Malicious Library Loaded | Google Kubernetes Engine | Container Threat Detection |
| Execution: Netcat Remote Code Execution in Container | Google Kubernetes Engine | Container Threat Detection |
| Execution: Possible Remote Command Execution Detected | Google Kubernetes Engine | Container Threat Detection |
| Execution: Program Run with Disallowed HTTP Proxy Env | Google Kubernetes Engine | Container Threat Detection |
| Execution: Suspicious Exec or Attach to a System Pod | Google Kubernetes Engine | Event Threat Detection |
| Execution: Suspicious OpenSSL Shared Object Loaded | Google Kubernetes Engine | Container Threat Detection |
| Execution: Workload triggered in sensitive namespace | Google Kubernetes Engine | Event Threat Detection |
| Exfiltration: Cloud SQL Data Exfiltration | Database | Event Threat Detection |
| Exfiltration: Cloud SQL Over-Privileged Grant | Database | Event Threat Detection |
| Exfiltration: Cloud SQL Restore Backup to External Organization | Database | Event Threat Detection |
| Exfiltration: BigQuery Data Exfiltration | BigQuery | Event Threat Detection |
| Exfiltration: BigQuery Data Extraction | BigQuery | Event Threat Detection |
| Exfiltration: BigQuery Data to Google Drive | BigQuery | Event Threat Detection |
| Exfiltration: Launch Remote File Copy Tools in Container | Google Kubernetes Engine | Container Threat Detection |
| Impact: Cryptomining Commands | Cloud Run | Event Threat Detection |
| Impact: Deleted Google Cloud Backup and DR Backup | Backup and DR | Event Threat Detection |
| Impact: Deleted Google Cloud Backup and DR host | Backup and DR | Event Threat Detection |
| Impact: Deleted Google Cloud Backup and DR plan association | Backup and DR | Event Threat Detection |
| Impact: Deleted Google Cloud Backup and DR Vault | Backup and DR | Event Threat Detection |
| Impact: Detect Malicious Cmdlines | Google Kubernetes Engine | Container Threat Detection |
| Impact: GKE kube-dns modification detected | Google Kubernetes Engine | Event Threat Detection |
| Impact: Google Cloud Backup and DR delete policy | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR delete profile | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR delete storage pool | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR delete template | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR expire all images | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR expire image | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR reduced backup expiration | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR reduced backup frequency | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR remove appliance | Backup and DR | Event Threat Detection |
| Impact: Google Cloud Backup and DR remove plan | Backup and DR | Event Threat Detection |
| Impact: Remove Bulk Data From Disk | Google Kubernetes Engine | Container Threat Detection |
| Impact: Suspicious crypto mining activity using the Stratum Protocol | Google Kubernetes Engine | Container Threat Detection |
| Impact: Suspicious Kubernetes Container Names - Cryptocurrency Mining | Google Kubernetes Engine | Event Threat Detection |
| Persistence: Strong Authentication Disabled | Google Workspace | Event Threat Detection |
| Initial Access: Account Disabled Hijacked | Google Workspace | Event Threat Detection |
| Initial Access: Anonymous GKE Resource Created from the Internet | Google Kubernetes Engine | Event Threat Detection |
| Initial Access: CloudDB Successful login from Anonymizing Proxy IP | Database | Event Threat Detection |
| Initial Access: Database Superuser Writes to User Tables | Database | Event Threat Detection |
| Initial Access: Disabled Password Leak | Google Workspace | Event Threat Detection |
| Initial Access: Dormant Service Account Action | IAM | Event Threat Detection |
| Initial Access: Dormant Service Account Activity in AI Service | AI | Event Threat Detection |
| Initial Access: Dormant Service Account Key Created | IAM | Event Threat Detection |
| Initial Access: Excessive Permission Denied Actions | IAM | Event Threat Detection |
| Initial Access: GKE NodePort service created | Google Kubernetes Engine | Event Threat Detection |
| Initial Access: GKE Resource Modified Anonymously from the Internet | Google Kubernetes Engine | Event Threat Detection |
| Initial Access: Government Based Attack | Google Workspace | Event Threat Detection |
| Initial Access: Log4j Compromise Attempt | Network | Event Threat Detection |
| Initial Access: Successful API call made from a TOR proxy IP | Google Kubernetes Engine | Event Threat Detection |
| Initial Access: Suspicious Login Blocked | Google Workspace | Event Threat Detection |
| Lateral Movement: Modified Boot Disk Attached to Instance | Compute Engine | Event Threat Detection |
| Log4j Malware: Bad Domain | Network | Event Threat Detection |
| Log4j Malware: Bad IP | Network | Event Threat Detection |
| Malicious Script Executed | Google Kubernetes Engine | Container Threat Detection |
| Malicious URL Observed | Google Kubernetes Engine | Container Threat Detection |
| Malware: bad domain | Network | Event Threat Detection |
| Malware: bad IP | Network | Event Threat Detection |
| Malware: Cryptomining Bad Domain | Network | Event Threat Detection |
| Malware: Cryptomining Bad IP | Network | Event Threat Detection |
| Malware: Malicious file on disk | Amazon EC2 | Virtual Machine Threat Detection |
| Malware: Malicious file on disk (YARA) | Compute Engine | Virtual Machine Threat Detection |
| Persistence: IAM Anomalous Grant | IAM | Event Threat Detection |
| Persistence: GCE Admin Added SSH Key | Compute Engine | Event Threat Detection |
| Persistence: GCE Admin Added Startup Script | Compute Engine | Event Threat Detection |
| Persistence: GKE Webhook Configuration Detected | Google Kubernetes Engine | Event Threat Detection |
| Persistence: New AI API Method | AI | Event Threat Detection |
| Persistence: New API Method | IAM | Event Threat Detection |
| Persistence: New Geography | IAM | Event Threat Detection |
| Persistence: New Geography for AI Service | AI | Event Threat Detection |
| Persistence: New User Agent | IAM | Event Threat Detection |
| Persistence: Service Account Created in sensitive namespace | Google Kubernetes Engine | Event Threat Detection |
| Persistence: SSO Enablement Toggle | Google Workspace | Event Threat Detection |
| Persistence: SSO Settings Changed | Google Workspace | Event Threat Detection |
| Persistence: Two Step Verification Disabled | Google Workspace | Event Threat Detection |
| Persistence: Unmanaged Account Granted Sensitive Role | IAM | Event Threat Detection |
| Privilege Escalation: AlloyDB Database Superuser Writes to User Tables | Database | Event Threat Detection |
| Privilege Escalation: AlloyDB Over-Privileged Grant | Database | Event Threat Detection |
| Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity | IAM | Event Threat Detection |
| Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity | AI | Event Threat Detection |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity | IAM | Event Threat Detection |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity | AI | Event Threat Detection |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access | AI | Event Threat Detection |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access | IAM | Event Threat Detection |
| Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity | IAM | Event Threat Detection |
| Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity | AI | Event Threat Detection |
| Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access | AI | Event Threat Detection |
| Privilege Escalation: Anomalous Service Account Impersonator for Data Access | IAM | Event Threat Detection |
| Privilege Escalation: Changes to sensitive Kubernetes RBAC objects | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: ClusterRole with Privileged Verbs | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: ClusterRoleBinding to Privileged Role | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Create Kubernetes CSR for master cert | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Creation of sensitive Kubernetes bindings | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy | Cloud Run | Event Threat Detection |
| Privilege Escalation: Dormant Service Account Granted Sensitive Role | IAM | Event Threat Detection |
| Privilege Escalation: Effectively Anonymous Users Granted GKE Cluster Access | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: External Member Added To Privileged Group | IAM | Event Threat Detection |
| Privilege Escalation: Fileless Execution in /dev/shm | Google Kubernetes Engine | Container Threat Detection |
| Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Impersonation Role Granted For Dormant Service Account | IAM | Event Threat Detection |
| Privilege Escalation: Launch of privileged Kubernetes container | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Privileged Group Opened To Public | IAM | Event Threat Detection |
| Privilege Escalation: Sensitive Role Granted To Hybrid Group | IAM | Event Threat Detection |
| Privilege Escalation: Suspicious Kubernetes Container Names - Exploitation and Escape | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Workload Created with a Sensitive Host Path Mount | Google Kubernetes Engine | Event Threat Detection |
| Privilege Escalation: Workload with shareProcessNamespace enabled | Google Kubernetes Engine | Event Threat Detection |
| Reverse Shell | Google Kubernetes Engine | Container Threat Detection |
| Unexpected Child Shell | Google Kubernetes Engine | Container Threat Detection |
| Initial Access: Leaked Service Account Key Used | IAM | Event Threat Detection |
| Account has leaked credentials | IAM | Anomaly Detection |
| Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177) | Google Kubernetes Engine | Container Threat Detection |
| Execution: Socat Reverse Shell Detected | Google Kubernetes Engine | Container Threat Detection |
| Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287) | Google Kubernetes Engine | Container Threat Detection |
| Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) | Google Kubernetes Engine | Container Threat Detection |
| Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156) | Google Kubernetes Engine | Container Threat Detection |