Cloud Run Threat Detection overview

A binary that meets the following conditions was executed:

• Identified as malicious based on threat intelligence
• Not part of the original container image

If an added malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software.

A library that meets the following conditions was loaded:

• Identified as malicious based on threat intelligence
• Not part of the original container image

If an added malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software.

A binary that meets the following conditions was executed:

• Identified as malicious based on threat intelligence
• Included in the original container image

If a built-in malicious binary is executed, it's a sign that the attacker is deploying malicious containers. They may have gained control of a legitimate image repository or container build pipeline and injected a malicious binary into the container image.

A process was executed within the container that attempted to break out of the container's isolation, using known escape techniques or binaries. This type of attack can give the attacker access to the host system. These processes are identified as potential threats based on intelligence data.

If a container escape attempt is detected, it might indicate that an attacker is exploiting vulnerabilities to break out of the container. As a result, the attacker might gain unauthorized access to the host system or broader infrastructure, compromising the entire environment.

A Kubernetes-specific attack tool was executed within the environment, which can indicate that an attacker is targeting Kubernetes cluster components. These attack tools are identified as potential threats based on intelligence data.

If an attack tool is executed within the Kubernetes environment, it can suggest that an attacker has gained access to the cluster and is using the tool to exploit Kubernetes-specific vulnerabilities or configurations.

A local reconnaissance tool not typically associated with the container or environment was executed, suggesting an attempt to gather internal system information. These reconnaissance tools are identified as potential threats based on intelligence data.

If a reconnaissance tool is executed, it suggests that the attacker may be trying to map out the infrastructure, identify vulnerabilities, or collect data on system configurations to plan their next steps.

A machine learning model identified the specified Python code as malicious. Attackers can use Python to transfer tools or other files from an external system into a compromised environment and execute commands without binaries.

The detector uses NLP techniques to evaluate the content of executed Python code. Because this approach is not based on signatures, detectors can identify known and novel Python code.

A binary that meets the following conditions was executed:

• Identified as malicious based on threat intelligence
• Included in the original container image
• Modified from the original container image during the runtime

If a modified malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software.

A library that meets the following conditions was loaded:

• Identified as malicious based on threat intelligence
• Included in the original container image
• Modified from the original container image during the runtime

If a modified malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software.

A machine learning model identified the specified Bash code as malicious. Attackers can use Bash to transfer tools or other files from an external system into a compromised environment and execute commands without binaries.

The detector uses NLP techniques to evaluate the content of executed Bash code. Because this approach is not based on signatures, detectors can identify known and novel malicious Bash code.

Cloud Run Threat Detection observed a malicious URL in the argument list of a running process.

The detector checks URLs that are observed in the argument list of running processes against the lists of unsafe web resources that are maintained by the Google Safe Browsing service. If a URL is incorrectly classified as a phishing site or malware, report it at Reporting Incorrect Data .

A process started with stream redirection to a remote connected socket. The detector looks for stdin bound to a remote socket.

With a reverse shell, an attacker can communicate from a compromised workload to an attacker-controlled machine. The attacker can then command and control the workload—for example, as part of a botnet.

A process that does not normally invoke shells spawned a shell process.

The detector monitors all process executions. When a shell is invoked, the detector generates a finding if the parent process is known to not typically invoke shells.