Preview
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
A process was started with one or more of its standard streams (stdin, stdout, stderr) redirected to a socket that is connected to a remote host. This is the pattern of a reverse shell: after a limited initial compromise, spawning a network-connected shell lets an attacker run arbitrary commands on the affected AI agent interactively.
Agent Engine Threat Detection is the source of this finding.
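To make the detection concept concrete, the following is an added example written for this page; it is not Agent Engine Threat Detection's own detector, whose implementation is not documented here. On Linux, stream redirection to a socket is visible from outside the process: `/proc/<pid>/fd/0`, `/fd/1` and `/fd/2` are symlinks that resolve to `socket:[<inode>]`, and `/proc/<pid>/net/tcp` maps that inode to the connection's local and remote endpoints. The snapshots below are constructed sample data; `check_live_process` runs the same check against a real process and is the only part that touches `/proc`. The helper names are this example's own.

```python
import os
import re
import socket
import struct
from typing import Dict, Optional

TCP_ESTABLISHED = 0x01  # value of the "st" column for an established TCP connection

# Constructed /proc/net/tcp snapshot (IPv4 addresses are little-endian hex on
# x86). Row 0 is an ESTABLISHED connection from 10.0.2.15:41356 to
# 203.0.113.10:4444 with socket inode 48213; row 1 is a LISTEN socket
# (st=0A, inode 31337) that must not be flagged.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:A18C 0A7100CB:115C 01 00000000:00000000 00:00000000 00000000  1000        0 48213 1 0000000000000000 20 4 30 10 -1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
"""

# Constructed readlink() results for /proc/<pid>/fd/{0,1,2} of three processes.
REVERSE_SHELL_FDS = {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}
INTERACTIVE_SHELL_FDS = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}
LISTENER_FDS = {0: "socket:[31337]", 1: "/dev/null", 2: "/dev/null"}


def _decode_proc_addr(field: str):
    """Turn '0A7100CB:115C' from /proc/net/tcp into ('203.0.113.10', 4444)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> Dict[int, dict]:
    """Index the TCP table by socket inode (column 10), which is what the
    /proc/<pid>/fd/N -> 'socket:[inode]' links point at."""
    table: Dict[int, dict] = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = _decode_proc_addr(fields[1])
        remote_ip, remote_port = _decode_proc_addr(fields[2])
        table[int(fields[9])] = {
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": int(fields[3], 16),
        }
    return table


def stdio_socket_redirection(fd_targets: Dict[int, str],
                             tcp_table: Dict[int, dict]) -> Optional[dict]:
    """Return the connection details if stdin, stdout or stderr is a TCP socket
    in ESTABLISHED state, keyed like the finding's sourceProperties; else None.
    Sockets absent from the TCP table (e.g. Unix sockets) and sockets that are
    not established (e.g. a LISTEN socket) are ignored."""
    for fd in (0, 1, 2):
        match = re.fullmatch(r"socket:\[(\d+)\]", fd_targets.get(fd, ""))
        if not match:
            continue
        conn = tcp_table.get(int(match.group(1)))
        if conn is None or conn["state"] != TCP_ESTABLISHED:
            continue
        return {
            "fd": fd,
            "Reverse_Shell_Stdin_Redirection_Src_Ip": conn["local_ip"],
            "Reverse_Shell_Stdin_Redirection_Src_Port": conn["local_port"],
            "Reverse_Shell_Stdin_Redirection_Dst_Ip": conn["remote_ip"],
            "Reverse_Shell_Stdin_Redirection_Dst_Port": conn["remote_port"],
        }
    return None


def check_live_process(pid: int) -> Optional[dict]:
    """Apply the same check to a running Linux process. Reads the TCP table
    through /proc/<pid>/net/tcp so the lookup happens in the target's own
    network namespace; needs permission to read /proc/<pid>/fd."""
    fd_targets: Dict[int, str] = {}
    for fd in (0, 1, 2):
        try:
            fd_targets[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            pass  # fd closed, or process not readable by this user
    with open(f"/proc/{pid}/net/tcp") as f:
        return stdio_socket_redirection(fd_targets, parse_proc_net_tcp(f.read()))


if __name__ == "__main__":
    table = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print(stdio_socket_redirection(REVERSE_SHELL_FDS, table))
    print(stdio_socket_redirection(INTERACTIVE_SHELL_FDS, table))
```

Whether a hit is malicious still needs the context the response steps call for: an inetd-style or socket-activated service legitimately has its stdin on an accepted TCP connection, and a shell whose stdio sits on a socket to a loopback address may be a local proxy rather than a remote operator. IPv6 connections live in `/proc/<pid>/net/tcp6` with a different address encoding and are not handled by this example.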
How to respond
To respond to this finding, do the following:
Review finding details
- Open the Reverse Shell finding as directed in Reviewing findings. Review the details on the Summary and JSON tabs.
- On the Summary tab, review the information in the following sections:
  - What was detected, especially the following fields:
    - Program binary: the absolute path of the process started with stream redirection to a remote socket
    - Arguments: the arguments provided when the process binary was invoked
  - Affected resource, especially the following fields:
    - Resource full name: the full resource name of the affected AI agent (a ReasoningEngine resource)
    - Project full name: the affected Google Cloud project
  - Related links, especially the following fields:
    - VirusTotal indicator: link to the VirusTotal analysis page
- On the JSON tab, note the following fields:
  - resource:
    - project_display_name: the name of the project that contains the asset
  - sourceProperties:
    - Reverse_Shell_Stdin_Redirection_Dst_Ip: the remote IP address of the connection
    - Reverse_Shell_Stdin_Redirection_Dst_Port: the remote port
    - Reverse_Shell_Stdin_Redirection_Src_Ip: the local IP address of the connection
    - Reverse_Shell_Stdin_Redirection_Src_Port: the local port
- Look for related findings that occurred at a similar time for the affected AI agent. Such findings might indicate that this activity was malicious, instead of a failure to follow best practices.
- Review the settings of the affected AI agent.
- Check the logs for the affected AI agent.
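The four `Reverse_Shell_Stdin_Redirection_*` fields and `resource.project_display_name` are what you pivot on when moving from the finding to logs. The following is an added example of pulling them out of a finding's JSON and giving the remote endpoint a first classification; it is example code written for this page, not part of Security Command Center. The finding below is constructed: its `resource` and `sourceProperties` fields are the ones this page documents, while `category`, `eventTime` and the `OWN_NETWORKS` CIDR list are assumptions made for the example.

```python
import ipaddress
import json
from typing import Dict

# Constructed finding. resource.project_display_name and the sourceProperties
# keys are the fields documented on this page; category and eventTime are
# assumed for illustration.
SAMPLE_FINDING_JSON = json.dumps({
    "category": "Reverse Shell",
    "eventTime": "2024-05-01T12:34:56Z",
    "resource": {"project_display_name": "example-agent-project"},
    "sourceProperties": {
        "Reverse_Shell_Stdin_Redirection_Dst_Ip": "203.0.113.10",
        "Reverse_Shell_Stdin_Redirection_Dst_Port": "4444",
        "Reverse_Shell_Stdin_Redirection_Src_Ip": "10.0.2.15",
        "Reverse_Shell_Stdin_Redirection_Src_Port": "41356",
    },
})

# Assumed: the CIDR ranges your own VPC networks use. A remote endpoint inside
# them still needs review (possible lateral movement); one outside them means
# the agent talked to something you do not control.
OWN_NETWORKS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12")]

PREFIX = "Reverse_Shell_Stdin_Redirection_"


def extract_connection(finding: dict) -> Dict[str, object]:
    """Pull the connection 4-tuple and project out of a finding, failing
    loudly if a field is missing rather than triaging an incomplete finding."""
    props = finding.get("sourceProperties", {})
    conn: Dict[str, object] = {}
    for key in ("Src_Ip", "Src_Port", "Dst_Ip", "Dst_Port"):
        full = PREFIX + key
        if full not in props:
            raise ValueError(f"finding has no {full}")
        conn[key.lower()] = props[full]
    # Ports may arrive as strings; normalise so callers can compare numbers.
    conn["src_port"] = int(conn["src_port"])
    conn["dst_port"] = int(conn["dst_port"])
    conn["project"] = finding.get("resource", {}).get("project_display_name")
    return conn


def classify_destination(ip: str) -> str:
    """Loopback, inside one of OWN_NETWORKS, or external. Explicit ranges are
    used instead of ipaddress's is_private, which also treats documentation
    ranges such as 203.0.113.0/24 as private and would misclassify them."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if any(addr in net for net in OWN_NETWORKS):
        return "own-network"
    return "external"


def triage(finding_json: str) -> Dict[str, object]:
    """Summarise one finding for the responder: connection tuple, where the
    remote end sits, and a priority hint. The hint is a starting point only;
    related findings, the agent's settings and its logs decide."""
    finding = json.loads(finding_json)
    conn = extract_connection(finding)
    scope = classify_destination(str(conn["dst_ip"]))
    return {
        **conn,
        "category": finding.get("category"),
        "event_time": finding.get("eventTime"),
        "destination_scope": scope,
        "priority": "high" if scope == "external" else "review",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FINDING_JSON), indent=2))
```

The local address and port (`Src_Ip`, `Src_Port`) together with the remote pair identify the exact flow in your network logs; search on the full tuple rather than the remote IP alone, since the same destination may carry unrelated legitimate traffic.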
Research attack and response methods
- Review the MITRE ATT&CK framework entries for this finding type: Command and Scripting Interpreter and Ingress Tool Transfer.
- Check the SHA-256 hash value for the binary flagged as malicious on VirusTotal by clicking the link in VirusTotal indicator. VirusTotal is an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.
- To develop a response plan, combine your investigation results with the MITRE research and VirusTotal analysis.
Implement your response
For response recommendations, see Respond to AI threat findings.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.

