This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index .
Overview
A root certificate was installed on the node. Adversaries may install a root certificate to avoid security alerts when establishing connections to their malicious web servers. Attackers could carry out man-in-the-middle attacks, intercepting sensitive data exchanged between the victim and the adversary's servers, without triggering any warnings. This is a file monitoring detector and has specific GKE version requirements . This detector is disabled by default. For instructions on how to enable it, see Testing Container Threat Detection .
Container Threat Detection is the source of this finding.
How to respond
To respond to this finding, do the following:
Review finding details
-
Open the
Defense Evasion: Root Certificate Installedfinding as directed in Reviewing findings . Review the details in the Summaryand JSONtabs. -
Identify other findings that occurred at a similar time for this resource. Related findings might indicate that this activity was malicious, instead of a failure to follow best practices.
-
Review the settings of the affected resource.
-
Check the logs for the affected resource.
Research attack and response methods
Review the MITRE ATT&CK framework entry for this finding type: Defense Evasion .
What's next
- Learn how to work with threat findings in Security Command Center .
- Refer to the Threat findings index .
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings .
