Stay organized with collectionsSave and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated bythreat detectorswhen they detect
a potential threat in your cloud resources. For a full list of available threat findings, seeThreat findings index.
Overview
A root certificate was installed on the node. Adversaries may install a root certificate to avoid security alerts when establishing connections to their malicious web servers. Attackers could carry out man-in-the-middle attacks, intercepting sensitive data exchanged between the victim and the adversary's servers, without triggering any warnings. This is a file monitoring detector and hasspecific GKE version requirements. This detector is disabled by default. For instructions on how to enable it, seeTesting Container Threat Detection.
Open theDefense Evasion: Root Certificate Installedfinding as directed inReviewing findings.
Review the details in theSummaryandJSONtabs.
Identify other findings that occurred at a similar time for this resource.
Related findings might indicate that this activity was malicious, instead of
a failure to follow best practices.
Review the settings of the affected resource.
Check the logs for the affected resource.
Research attack and response methods
Review the MITRE ATT&CK framework entry for this finding type:Defense Evasion.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nA root certificate was installed on the node. Adversaries may install a root certificate to avoid security alerts when establishing connections to their malicious web servers. Attackers could carry out man-in-the-middle attacks, intercepting sensitive data exchanged between the victim and the adversary's servers, without triggering any warnings. This is a file monitoring detector and has [specific GKE version requirements](/security-command-center/docs/how-to-use-container-threat-detection#gke-version). This detector is disabled by default. For instructions on how to enable it, see [Testing Container Threat Detection](/security-command-center/docs/how-to-test-container-threat-detection).\n\nDetection service\n\n[Container Threat Detection](/security-command-center/docs/concepts-container-threat-detection-overview)\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nReview finding details\n\n1. Open the `Defense Evasion: Root Certificate Installed` finding as directed in\n [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).\n Review the details in the **Summary** and **JSON** tabs.\n\n2. Identify other findings that occurred at a similar time for this resource.\n Related findings might indicate that this activity was malicious, instead of\n a failure to follow best practices.\n\n3. Review the settings of the affected resource.\n\n4. Check the logs for the affected resource.\n\nResearch attack and response methods\n\nReview the MITRE ATT\\&CK framework entry for this finding type:\n[Defense Evasion](https://attack.mitre.org/tactics/TA0005/).\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
