Stay organized with collectionsSave and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated bythreat detectorswhen they detect
a potential threat in your cloud resources. For a full list of available threat findings, seeThreat findings index.
Overview
A process started with stream redirection to a remote connected socket. Spawning
a network-connected shell can allow an attacker to perform arbitrary actions
after a limited initial compromise.
Open theReverse Shellfinding as directed inReviewing
findings.
Review the details on theSummaryandJSONtabs.
On theSummarytab, review the information in the following sections:
What was detected, especially the following fields:
Program binary: the absolute path of the process started with
stream redirection to a remote socket
Arguments: the arguments provided when the process binary was invoked
Affected resource, especially the following fields:
Resource full name: thefull resource nameof the affected Cloud Run resource
Project full name: the affected Google Cloud project
Related links, especially the following fields:
VirusTotal indicator: link to the VirusTotal analysis page
On theJSONtab, note the following fields:
resource:
project_display_name: the name of the project that contains
the asset.
sourceProperties:
Reverse_Shell_Stdin_Redirection_Dst_Ip: the remote IP address of the
connection
Reverse_Shell_Stdin_Redirection_Dst_Port: the remote port
Reverse_Shell_Stdin_Redirection_Src_Ip: the local IP address of the
connection
Reverse_Shell_Stdin_Redirection_Src_Port: the local port
Container_Image_Uri: the name of the container image being executed.
Look for related findings that occurred at a similar time for the affected
container. Such findings might indicate that this activity was malicious,
instead of a failure to follow best practices.
Check the SHA-256 hash value for the binary flagged as malicious onVirusTotalby clicking the link inVirusTotal indicator. VirusTotal is an Alphabet-owned service that
provides context on potentially malicious files, URLs, domains, and IP
addresses.
To develop a response plan, combine your
investigation results with the MITRE research and VirusTotal analysis.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nA process started with stream redirection to a remote connected socket. Spawning\na network-connected shell can allow an attacker to perform arbitrary actions\nafter a limited initial compromise.\n\n[Cloud Run Threat Detection](/security-command-center/docs/cloud-run-threat-detection-overview) is the source\nof this finding.\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nReview finding details\n\n1. Open the `Reverse Shell` finding as directed in [Reviewing\n findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).\n Review the details on the **Summary** and **JSON** tabs.\n\n2. On the **Summary** tab, review the information in the following sections:\n\n - **What was detected** , especially the following fields:\n - **Program binary**: the absolute path of the process started with stream redirection to a remote socket\n - **Arguments**: the arguments provided when the process binary was invoked\n - **Affected resource** , especially the following fields:\n - **Resource full name** : the [full resource name](/apis/design/resource_names) of the affected Cloud Run resource\n - **Project full name**: the affected Google Cloud project\n - **Related links** , especially the following fields:\n - **VirusTotal indicator**: link to the VirusTotal analysis page\n3. On the **JSON** tab, note the following fields:\n\n - `resource`:\n - `project_display_name`: the name of the project that contains the asset.\n - `sourceProperties`:\n - `Reverse_Shell_Stdin_Redirection_Dst_Ip`: the remote IP address of the connection\n - `Reverse_Shell_Stdin_Redirection_Dst_Port`: the remote port\n - `Reverse_Shell_Stdin_Redirection_Src_Ip`: the local IP address of the connection\n - `Reverse_Shell_Stdin_Redirection_Src_Port`: the local port\n - `Container_Image_Uri`: the name of the container image being executed.\n4. Look for related findings that occurred at a similar time for the affected\n container. Such findings might indicate that this activity was malicious,\n instead of a failure to follow best practices.\n\n5. Review the settings of the affected container.\n\n6. Check the logs for the affected container.\n\nResearch attack and response methods\n\n1. Review the MITRE ATT\\&CK framework entries for this finding type: [Command and\n Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) and [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105/).\n2. Check the SHA-256 hash value for the binary flagged as malicious on [VirusTotal](https://www.virustotal.com) by clicking the link in **VirusTotal indicator**. VirusTotal is an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.\n3. To develop a response plan, combine your investigation results with the MITRE research and VirusTotal analysis.\n\nImplement your response\n\nFor response recommendations, see [Respond to Cloud Run threat\nfindings](/security-command-center/docs/respond-cloud-run-threats).\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
