RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from http://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview below:

Overview of Event Threat Detection | Security Command Center

Active Scan: Log4j Vulnerable to RCE Unavailable Cloud DNS logs Log4j vulnerability scanners initiated and identified DNS queries for unobfuscated domains. This vulnerability can lead to remote code execution (RCE). Findings are classified as High severity by default. Impact: Deleted Google Cloud Backup and DR host BACKUP_HOSTS_DELETE_HOST Cloud Audit Logs:
Backup and DR Service Admin Activity audit logs A host was deleted from the Backup and DR management console. Applications that are associated with the deleted host might not be protected. Findings are classified as Low severity by default. Impact: Google Cloud Backup and DR expire image BACKUP_EXPIRE_IMAGE Cloud Audit Logs:
Backup and DR Admin Activity audit logs A user requested the deletion of a backup image from the Backup and DR management console. The deletion of a backup image does not prevent future backups. Findings are classified as Medium severity by default. Impact: Google Cloud Backup and DR remove plan BACKUP_REMOVE_PLAN Cloud Audit Logs:
Backup and DR Admin Activity audit logs A backup plan with multiple policies for an application was deleted from Backup and DR. The deletion of a backup plan can prevent future backups. Findings are classified as Medium severity by default. Impact: Google Cloud Backup and DR expire all images BACKUP_EXPIRE_IMAGES_ALL Cloud Audit Logs:
Backup and DR Admin Activity audit logs A user requested the deletion of all backup images for a protected application from the Backup and DR management console. The deletion of backup images does not prevent future backups. Findings are classified as High severity by default. Impact: Google Cloud Backup and DR delete template BACKUP_TEMPLATES_DELETE_TEMPLATE Cloud Audit Logs:
Backup and DR Admin Activity audit logs A predefined backup template, which is used to set up backups for multiple applications, was deleted from the Backup and DR management console. The ability to set up backups in the future might be impacted. Findings are classified as Medium severity by default. Impact: Google Cloud Backup and DR delete policy BACKUP_TEMPLATES_DELETE_POLICY Cloud Audit Logs:
Backup and DR Admin Activity audit logs A Backup and DR policy, which defines how a backup is taken and where it is stored, was deleted from the Backup and DR management console. Future backups that use the policy might fail. Findings are classified as Low severity by default. Impact: Google Cloud Backup and DR delete profile BACKUP_PROFILES_DELETE_PROFILE Cloud Audit Logs:
Backup and DR Admin Activity audit logs A Backup and DR profile, which defines which storage pools should be used to store backups, was deleted from the Backup and DR management console. Future backups that use the profile might fail. Findings are classified as Low severity by default. Impact: Google Cloud Backup and DR remove appliance BACKUP_APPLIANCES_REMOVE_APPLIANCE Cloud Audit Logs:
Backup and DR Admin Activity audit logs A backup appliance was deleted from the Backup and DR management console. Applications that are associated with the deleted backup appliance might not be protected. Findings are classified as Medium severity by default. Impact: Google Cloud Backup and DR delete storage pool BACKUP_STORAGE_POOLS_DELETE Cloud Audit Logs:
Backup and DR Admin Activity audit logs A storage pool, which associates a Cloud Storage bucket with Backup and DR, was removed from the Backup and DR management console. Future backups to this storage target will fail. Findings are classified as Low severity by default. Impact: Google Cloud Backup and DR reduced backup expiration BACKUP_REDUCE_BACKUP_EXPIRATION Cloud Audit Logs:
Backup and DR Admin Activity audit logs The expiration date for a backup protected by Backup and DR was reduced through the Backup and DR management console. Findings are classified as Low severity by default. Impact: Google Cloud Backup and DR reduced backup frequency BACKUP_REDUCE_BACKUP_FREQUENCY Cloud Audit Logs:
Backup and DR Admin Activity audit logs The Backup and DR backup schedule was modified to reduce backup frequency through the Backup and DR management console. Findings are classified as Low severity by default. Impact: Deleted Google Cloud Backup and DR Vault BACKUP_DELETE_VAULT Cloud Audit Logs:
Backup and DR Admin Activity audit logs A backup vault was deleted. Findings are classified as High severity by default. Impact: Deleted Google Cloud Backup and DR Backup BACKUP_DELETE_VAULT_BACKUP Cloud Audit Logs:
Backup and DR Admin Activity audit logs A backup stored in a backup vault was manually deleted. Findings are classified as High severity by default. Impact: Deleted Google Cloud Backup and DR plan association BACKUP_DELETE_BACKUP_PLAN_ASSOCIATION Cloud Audit Logs:
Backup and DR Admin Activity audit logs A backup plan from Backup and DR was removed from a workload. Findings are classified as High severity by default. Brute force SSH BRUTE_FORCE_SSH authlog An actor successfully gained SSH access on a host through brute force techniques. Findings are classified as High severity by default. Cloud IDS: THREAT_IDENTIFIER CLOUD_IDS_THREAT_ACTIVITY Cloud IDS logs

Cloud IDS detected threat events.

Cloud IDS detects layer 7 attacks by analyzing mirrored packets and, when a threat event is detected, sends a threat-class finding to Security Command Center. Finding category names start with "Cloud IDS" followed by the Cloud IDS threat identifier.

The Cloud IDS integration with Event Threat Detection does not include Cloud IDS vulnerability detections. Findings are classified as Low severity by default.

To learn more about Cloud IDS detections, see Cloud IDS Logging information.

Privilege Escalation: External Member Added To Privileged Group EXTERNAL_MEMBER_ADDED_TO_PRIVILEGED_GROUP Google Workspace Logs:
Login Audit
Permissions:
DATA_READ

An external member was added to a privileged Google Group (a group granted sensitive roles or permissions). A finding is generated only if the group doesn't already contain other external members from the same organization as the newly added member. To learn more, see Unsafe Google Group changes.

This finding isn't available for project-level activations. Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions.

Privilege Escalation: Privileged Group Opened To Public PRIVILEGED_GROUP_OPENED_TO_PUBLIC Google Workspace:
Admin Audit
Permissions:
DATA_READ

A privileged Google Group (a group granted sensitive roles or permissions) was changed to be accessible to the general public. To learn more, see Unsafe Google Group changes.

Privilege Escalation: Sensitive Role Granted To Hybrid Group SENSITIVE_ROLE_TO_GROUP_WITH_EXTERNAL_MEMBER Cloud Audit Logs:
IAM Admin Activity audit logs

Sensitive roles were granted to a Google Group with external members. To learn more, see Unsafe Google Group changes.

Findings are classified as High or Medium severity, depending on the sensitivity of the roles associated with the group change. For more information, see Sensitive IAM roles and permissions.

Defense Evasion: Breakglass Workload Deployment Created (Preview) BINARY_AUTHORIZATION_BREAKGLASS_WORKLOAD_CREATE Cloud Audit Logs:
Admin Activity logs Workloads were deployed by using the break-glass flag to override Binary Authorization controls. Findings are classified as Low severity by default. Defense Evasion: Breakglass Workload Deployment Updated (Preview) BINARY_AUTHORIZATION_BREAKGLASS_WORKLOAD_UPDATE Cloud Audit Logs:
Admin Activity logs Workloads were updated by using the break-glass flag to override Binary Authorization controls. Findings are classified as Low severity by default. Defense Evasion: GCS Bucket IP Filtering Modified GCS_BUCKET_IP_FILTERING_MODIFIED Cloud Audit Logs:
Admin Activity logs A user or service account changed the IP filtering configuration for a Cloud Storage bucket. Findings are classified as Low severity by default. Defense Evasion: Modify VPC Service Control DEFENSE_EVASION_MODIFY_VPC_SERVICE_CONTROL Cloud Audit Logs VPC Service Controls audit logs

An existing VPC Service Controls perimeter was changed that would lead to a reduction in the protection offered by that perimeter.

This finding isn't available for project-level activations. Findings are classified as Low severity by default.

Defense Evasion: Project HTTP Policy Block Disabled PROJECT_HTTP_POLICY_BLOCK_DISABLED Cloud Audit Logs:
Admin Activity logs A user or service account successfully triggered an action to disable storage.secureHttpTransport on a project. This also applies when the action is taken at an org-level or folder-level since policies applied at this level are inherited by child projects by default. Findings are classified as Low severity by default. Discovery: Can get sensitive Kubernetes object check GKE_CONTROL_PLANE_CAN_GET_SENSITIVE_OBJECT Cloud Audit Logs:
GKE Data Access logs

A potentially malicious actor attempted to determine what sensitive objects in GKE they can query for, by using the kubectl auth can-i get command. Specifically, the rule detects whether the actor checked for API access on the following objects:

* (all)
cluster-admin ClusterRole
Secret

Findings are classified as Low severity by default.

Discovery: Service Account Self-Investigation SERVICE_ACCOUNT_SELF_INVESTIGATION Cloud Audit Logs:
IAM Data Access audit logs
Permissions:
DATA_READ

An IAM service account credential was used to investigate the roles and permissions associated with that same service account.

Sensitive roles

Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.

Evasion: Access from Anonymizing Proxy ANOMALOUS_ACCESS Cloud Audit Logs:
Admin Activity logs Google Cloud service modifications originated from an IP address associated with the Tor network. Findings are classified as Medium severity by default. Exfiltration: BigQuery Data Exfiltration DATA_EXFILTRATION_BIG_QUERY Cloud Audit Logs: BigQueryAuditMetadata data access logs
Permissions:
DATA_READ

Detects the following scenarios:

Resources owned by the protected organization were saved outside of the organization, including copy or transfer operations.

This scenario is indicated by a subrule of exfil_to_external_table and High severity.
Attempts were made to access BigQuery resources that are protected by VPC Service Controls.

This scenario is indicated by a subrule of vpc_perimeter_violation and Low severity.

Exfiltration: BigQuery Data Extraction DATA_EXFILTRATION_BIG_QUERY_EXTRACTION Cloud Audit Logs: BigQueryAuditMetadata data access logs
Permissions:
DATA_READ

Detects the following scenarios:

A BigQuery resource owned by the protected organization was saved, through extraction operations, to a Cloud Storage bucket outside the organization.
A BigQuery resource owned by the protected organization was saved, through extraction operations, to a publicly accessible Cloud Storage bucket owned by that organization.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.. Findings are classified as Low severity by default.

Exfiltration: BigQuery Data to Google Drive DATA_EXFILTRATION_BIG_QUERY_TO_GOOGLE_DRIVE Cloud Audit Logs: BigQueryAuditMetadata data access logs
Permissions:
DATA_READ A BigQuery resource that is owned by the protected organization was saved, through extraction operations, to a Google Drive folder. Findings are classified as Low severity by default. Exfiltration: Move to Public BigQuery resource DATA_EXFILTRATION_BIG_QUERY_TO_PUBLIC_RESOURCE Cloud Audit Logs: BigQueryAuditMetadata data access logs
Permissions:
DATA_READ

A BigQuery resource was saved to a public resource owned by your organization. Findings are classified as Medium severity by default.

Exfiltration: Cloud SQL Data Exfiltration

CLOUDSQL_EXFIL_EXPORT_TO_EXTERNAL_GCS

  CLOUDSQL_EXFIL_EXPORT_TO_PUBLIC_GCS

Cloud Audit Logs: MySQL data access logs
PostgreSQL data access logs
SQL Server data access logs

Detects the following scenarios:

Live instance data was exported to a Cloud Storage bucket outside of the organization.
Live instance data was exported to a Cloud Storage bucket that is owned by the organization and is publicly accessible.

Exfiltration: Cloud SQL Restore Backup to External Organization CLOUDSQL_EXFIL_RESTORE_BACKUP_TO_EXTERNAL_INSTANCE Cloud Audit Logs: MySQL admin activity logs
PostgreSQL admin activity logs
SQL Server admin activity logs

The backup of a Cloud SQL instance was restored to an instance outside of the organization. Findings are classified as High severity by default.

Exfiltration: Cloud SQL Over-Privileged Grant CLOUDSQL_EXFIL_USER_GRANTED_ALL_PERMISSIONS Cloud Audit Logs: PostgreSQL data access logs
Note: You must enable the pgAudit extension to use this rule. A Cloud SQL for PostgreSQL user or role was granted all privileges to a database, or to all tables, procedures, or functions in a schema. Findings are classified as Low severity by default. Initial Access: Database Superuser Writes to User Tables CLOUDSQL_SUPERUSER_WRITES_TO_USER_TABLES Cloud Audit Logs: Cloud SQL for PostgreSQL data access logs
Cloud SQL for MySQL data access logs
Note: You must enable the pgAudit extension for PostgreSQL or database auditing for MySQL to use this rule. A Cloud SQL superuser (postgres for PostgreSQL servers or root for MySQL users) wrote to non-system tables. Findings are classified as Low severity by default. Privilege Escalation: AlloyDB Over-Privileged Grant ALLOYDB_USER_GRANTED_ALL_PERMISSIONS Cloud Audit Logs: AlloyDB for PostgreSQL data access logs
Note: You must enable the pgAudit extension to use this rule. An AlloyDB for PostgreSQL user or role was granted all privileges to a database, or to all tables, procedures, or functions in a schema. Findings are classified as Low severity by default. Privilege Escalation: AlloyDB Database Superuser Writes to User Tables ALLOYDB_SUPERUSER_WRITES_TO_USER_TABLES Cloud Audit Logs: AlloyDB for PostgreSQL data access logs
Note: You must enable the pgAudit extension to use this rule. An AlloyDB for PostgreSQL superuser (postgres) wrote to non-system tables. Findings are classified as Low severity by default. Initial Access: Dormant Service Account Action DORMANT_SERVICE_ACCOUNT_USED_IN_ACTION Cloud Audit Logs: Admin Activity logs A dormant user-managed service account triggered an action. In this context, a service account is considered dormant if it has been inactive for more than 180 days. Findings are classified as High severity by default. Privilege Escalation: Dormant Service Account Granted Sensitive Role DORMANT_SERVICE_ACCOUNT_ADDED_IN_IAM_ROLE Cloud Audit Logs: IAM Admin Activity audit logs

A dormant user-managed service account was granted one or more sensitive IAM roles. In this context, a service account is considered dormant if it has been inactive for more than 180 days.

Sensitive roles

Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. Findings are classified as Medium severity by default. For more information, see Sensitive IAM roles and permissions.

Privilege Escalation: Impersonation Role Granted For Dormant Service Account DORMANT_SERVICE_ACCOUNT_IMPERSONATION_ROLE_GRANTED Cloud Audit Logs: IAM Admin Activity audit logs A principal was granted permissions to impersonate a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days. Findings are classified as Medium severity by default. Initial Access: Dormant Service Account Key Created DORMANT_SERVICE_ACCOUNT_KEY_CREATED Cloud Audit Logs: Admin Activity logs A key was created for a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days. Findings are classified as High severity by default. Initial Access: Leaked Service Account Key Used LEAKED_SA_KEY_USED Cloud Audit Logs: Admin Activity logs
Data Access logs A leaked service account key was used to authenticate the action. In this context, a leaked service account key is one that was posted on the public internet. Findings are classified as High severity by default. Initial Access: Excessive Permission Denied Actions EXCESSIVE_FAILED_ATTEMPT Cloud Audit Logs: Admin Activity logs A principal repeatedly triggered permission denied errors by attempting changes across multiple methods and services. Findings are classified as Medium severity by default. Persistence: Strong Authentication Disabled ENFORCE_STRONG_AUTHENTICATION Google Workspace:
Admin Audit

2-step verification was disabled for the organization.

This finding isn't available for project-level activations. Findings are classified as Medium severity by default.

Persistence: Two Step Verification Disabled 2SV_DISABLE Google Workspace Logs:
Login Audit
Permissions:
DATA_READ

A user disabled 2-step verification.

This finding isn't available for project-level activations. Findings are classified as Low severity by default.

Initial Access: Account Disabled Hijacked ACCOUNT_DISABLED_HIJACKED Google Workspace Logs:
Login Audit
Permissions:
DATA_READ

A user's account was suspended due to suspicious activity.

This finding isn't available for project-level activations. Findings are classified as Medium severity by default.

Initial Access: Disabled Password Leak ACCOUNT_DISABLED_PASSWORD_LEAK Google Workspace Logs:
Login Audit
Permissions:
DATA_READ

A user's account was disabled because a password leak was detected.

This finding isn't available for project-level activations. Findings are classified as Low severity by default.

Initial Access: Government Based Attack GOV_ATTACK_WARNING Google Workspace Logs:
Login Audit
Permissions:
DATA_READ

Government-backed attackers might have tried to compromise a user account or computer.

This finding isn't available for project-level activations. Findings are classified as High severity by default.

Initial Access: Log4j Compromise Attempt Unavailable Cloud Load Balancing Logs:
Cloud HTTP Load Balancer
Note: You must enable external Application Load Balancer logging to use this rule.

Java Naming and Directory Interface (JNDI) lookups within headers or URL parameters were detected. These lookups might indicate attempts at Log4Shell exploitation. These findings have low severity, because they only indicate a detection or exploit attempt, not a vulnerability or a compromise.

This rule is always on. Findings are classified as Low severity by default.

Initial Access: Suspicious Login Blocked SUSPICIOUS_LOGIN Google Workspace Logs:
Login Audit
Permissions:
DATA_READ

A suspicious login to a user's account was detected and blocked.

This finding isn't available for project-level activations. Findings are classified as Low severity by default.

Log4j Malware: Bad Domain LOG4J_BAD_DOMAIN Cloud DNS logs Log4j exploit traffic was detected based on a connection to, or a lookup of, a known domain used in Log4j attacks. Findings are classified as Low severity by default. Log4j Malware: Bad IP LOG4J_BAD_IP VPC flow logs
Firewall Rules logs
Cloud NAT logs Log4j exploit traffic was detected based on a connection to a known IP address used in Log4j attacks. Findings are classified as Low severity by default. Malware: bad domain MALWARE_BAD_DOMAIN Cloud DNS logs Malware was detected based on a connection to, or a lookup of, a known bad domain. Findings are classified as Low severity by default. Malware: bad IP MALWARE_BAD_IP VPC flow logs
Firewall Rules logs
Cloud NAT logs Malware was detected based on a connection to a known bad IP address. Findings are classified as Low severity by default. Malware: Cryptomining Bad Domain CRYPTOMINING_POOL_DOMAIN Cloud DNS logs Cryptomining was detected based on a connection to, or a lookup of, a known mining domain. Findings are classified as Low severity by default. Malware: Cryptomining Bad IP CRYPTOMINING_POOL_IP VPC flow logs
Firewall Rules logs
Cloud NAT logs Cryptomining was detected based on a connection to a known mining IP address. Findings are classified as Low severity by default. Persistence: GCE Admin Added SSH Key GCE_ADMIN_ADD_SSH_KEY Cloud Audit Logs:
Compute Engine Admin Activity audit logs The Compute Engine instance metadata SSH key value was modified on an established instance (older than 1 week). Findings are classified as Low severity by default. Persistence: GCE Admin Added Startup Script GCE_ADMIN_ADD_STARTUP_SCRIPT Cloud Audit Logs:
Compute Engine Admin Activity audit logs The Compute Engine instance metadata startup script value was modified on an established instance (older than 1 week). Findings are classified as Low severity by default. Persistence: IAM Anomalous Grant IAM_ANOMALOUS_GRANT Cloud Audit Logs:
IAM Admin Activity audit logs

This finding includes subrules that provide more specific information about each instance of this finding.

The following list shows all possible subrules:

external_service_account_added_to_policy, external_member_added_to_policy: Privileges were granted to IAM users and service accounts that are not members of your organization or, if Security Command Center is activated at the project level only, your project.

Note: If Security Command Center is activated at the organization level at any tier, then this detector uses an organization's existing IAM policies as context. If Security Command Center activation is only at the project level, then the detector uses only the project's IAM policies as context.

If a sensitive IAM grant to an external member occurs, and there are less than three existing IAM policies that are similar to it, this detector generates a finding.

Sensitive roles

Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. Findings are classified as High severity by default. For more information, see Sensitive IAM roles and permissions.
external_member_invited_to_policy: An external member was invited as the owner of the project through the InsertProjectOwnershipInvite API.
custom_role_given_sensitive_permissions: The setIAMPolicy permission was added to a custom role.
service_account_granted_sensitive_role_to_member: Privileged roles were granted to members through a service account. This subrule is triggered by a subset of sensitive roles that include only basic IAM roles and certain data storage roles. For more information, see Sensitive IAM roles and permissions.
policy_modified_by_default_compute_service_account: A default Compute Engine service account was used to modify project IAM settings.

Persistence: Unmanaged Account Granted Sensitive Role (Preview) UNMANAGED_ACCOUNT_ADDED_IN_IAM_ROLE Cloud Audit Logs:
IAM Admin Activity audit logs A sensitive role was granted to an unmanaged account. Findings are classified as High severity by default. Persistence: New API Method
ANOMALOUS_BEHAVIOR_NEW_API_METHOD Cloud Audit Logs:
Admin Activity logs IAM service accounts used anomalous access to Google Cloud services. Findings are classified as Low severity by default. Persistence: New Geography IAM_ANOMALOUS_BEHAVIOR_IP_GEOLOCATION Cloud Audit Logs:
Admin Activity logs

IAM user and service accounts accessed Google Cloud from anomalous locations, based on the geolocation of the requesting IP addresses.

This finding isn't available for project-level activations and they are classified as Low severity by default.

Persistence: New User Agent IAM_ANOMALOUS_BEHAVIOR_USER_AGENT Cloud Audit Logs:
Admin Activity logs

IAM service accounts accessed Google Cloud from anomalous or suspicious user agents.

This finding isn't available for project-level activations. Findings are classified as Low severity by default.

Persistence: SSO Enablement Toggle TOGGLE_SSO_ENABLED Google Workspace:
Admin Audit

The Enable SSO (single sign-on) setting on the admin account was disabled.

This finding isn't available for project-level activations. Findings are classified as High severity by default.

Persistence: SSO Settings Changed CHANGE_SSO_SETTINGS Google Workspace:
Admin Audit

The SSO settings for the admin account were changed.

This finding isn't available for project-level activations. Findings are classified as High severity by default.

Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity ANOMALOUS_SA_DELEGATION_IMPERSONATION_OF_SA_ADMIN_ACTIVITY Cloud Audit Logs:
Admin Activity logs A potentially anomalous impersonated service account was used for an administrative activity. Findings are classified as Medium severity by default. Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity ANOMALOUS_SA_DELEGATION_MULTISTEP_ADMIN_ACTIVITY Cloud Audit Logs:
Admin Activity logs An anomalous multistep delegated request was found for an administrative activity. Findings are classified as Medium severity by default. Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access ANOMALOUS_SA_DELEGATION_MULTISTEP_DATA_ACCESS Cloud Audit Logs:
Data Access logs An anomalous multistep delegated request was found for a data access activity. Findings are classified as Medium severity by default. Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity ANOMALOUS_SA_DELEGATION_IMPERSONATOR_ADMIN_ACTIVITY Cloud Audit Logs:
Admin Activity logs A potentially anomalous caller or impersonator in a delegation chain was used for an administrative activity. Findings are classified as Medium severity by default. Privilege Escalation: Anomalous Service Account Impersonator for Data Access ANOMALOUS_SA_DELEGATION_IMPERSONATOR_DATA_ACCESS Cloud Audit Logs:
Data Access logs A potentially anomalous caller or impersonator in a delegation chain was used for a data access activity. Findings are classified as Medium severity by default. Privilege Escalation: Changes to sensitive Kubernetes RBAC objects GKE_CONTROL_PLANE_EDIT_SENSITIVE_RBAC_OBJECT Cloud Audit Logs:
GKE Admin Activity logs To escalate privilege, a potentially malicious actor attempted to modify a ClusterRole, RoleBinding, or ClusterRoleBinding role-based access control (RBAC) object of the sensitive cluster-admin role by using a PUT or PATCH request. Findings are classified as Low severity by default. Privilege Escalation: Create Kubernetes CSR for master cert GKE_CONTROL_PLANE_CSR_FOR_MASTER_CERT Cloud Audit Logs:
GKE Admin Activity logs A potentially malicious actor created a Kubernetes master certificate signing request (CSR), which gives them cluster-admin access. Findings are classified as High severity by default. Privilege Escalation: Creation of sensitive Kubernetes bindings GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING Cloud Audit Logs:
IAM Admin Activity audit logs To escalate privilege, a potentially malicious actor attempted to create a new RoleBinding or ClusterRoleBinding object for the cluster-admin role. Findings are classified as Low severity by default. Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials GKE_CONTROL_PLANE_GET_CSR_WITH_COMPROMISED_BOOTSTRAP_CREDENTIALS Cloud Audit Logs:
GKE Data Access logs A potentially malicious actor queried for a certificate signing request (CSR), with the kubectl command, using compromised bootstrap credentials. Findings are classified as High severity by default. Privilege Escalation: Launch of privileged Kubernetes container GKE_CONTROL_PLANE_LAUNCH_PRIVILEGED_CONTAINER Cloud Audit Logs:
GKE Admin Activity logs

A potentially malicious actor created a Pod that contains privileged containers or containers with privilege escalation capabilities.

A privileged container has the privileged field set to true. A container with privilege escalation capabilities has the allowPrivilegeEscalation field set to true. For more information, see the SecurityContext v1 core API reference in the Kubernetes documentation. Findings are classified as Low severity by default.

Persistence: Service Account Key Created SERVICE_ACCOUNT_KEY_CREATION Cloud Audit Logs:
IAM Admin Activity audit logs A service account key was created. Service account keys are long-lived credentials that increase the risk of unauthorized access to Google Cloud resources. Findings are classified as Low severity by default. Privilege Escalation: Global Shutdown Script Added GLOBAL_SHUTDOWN_SCRIPT_ADDED Cloud Audit Logs:
IAM Admin Activity audit logs A global shutdown script was added to a project. Findings are classified as Low severity by default. Persistence: Global Startup Script Added GLOBAL_STARTUP_SCRIPT_ADDED Cloud Audit Logs:
IAM Admin Activity audit logs A global startup script was added to a project. Findings are classified as Low severity by default. Defense Evasion: Organization-Level Service Account Token Creator Role Added ORG_LEVEL_SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE_ADDED Cloud Audit Logs:
IAM Admin Activity audit logs The Service Account Token Creator IAM role was granted at the organization level. Findings are classified as Low severity by default. Defense Evasion: Project-Level Service Account Token Creator Role Added PROJECT_LEVEL_SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE_ADDED Cloud Audit Logs:
IAM Admin Activity audit logs The Service Account Token Creator IAM role was granted at the project level. Findings are classified as Low severity by default. Lateral Movement: OS Patch Execution From Service Account OS_PATCH_EXECUTION_FROM_SERVICE_ACCOUNT Cloud Audit Logs.
IAM Admin Activity audit logs A service account used the Compute Engine Patch feature to update the operating system of any currently running Compute Engine instance. Findings are classified as Low severity by default. Lateral Movement: Modified Boot Disk Attached to Instance (Preview) MODIFY_BOOT_DISK_ATTACH_TO_INSTANCE Cloud Audit Logs:
Compute Engine audit logs A boot disk was detached from one Compute Engine instance and attached to another, which could indicate a malicious attempt to compromise the system using a modified boot disk. Findings are classified as Low severity by default. Credential Access: Secrets Accessed In Kubernetes Namespace SECRETS_ACCESSED_IN_KUBERNETES_NAMESPACE Cloud Audit Logs:
GKE Data Access logs Secrets or service account tokens were accessed by a service account in the current Kubernetes namespace. Findings are classified as Low severity by default. Resource Development: Offensive Security Distro Activity OFFENSIVE_SECURITY_DISTRO_ACTIVITY Cloud Audit Logs:
IAM Admin Activity audit logs A Google Cloud resource was successfully manipulated through known penetration testing or offensive security distros. Findings are classified as Low severity by default. Privilege Escalation: New Service Account is Owner or Editor SERVICE_ACCOUNT_EDITOR_OWNER Cloud Audit Logs:
IAM Admin Activity audit logs A new service account was created with Editor or Owner roles for a project. Findings are classified as Low severity by default. Discovery: Information Gathering Tool Used INFORMATION_GATHERING_TOOL_USED Cloud Audit Logs:
IAM Admin Activity audit logs ScoutSuite usage was detected. ScoutSuite is a cloud security auditing tool that is known to be used by threat actors. Findings are classified as Low severity by default. Privilege Escalation: Suspicious Token Generation SUSPICIOUS_TOKEN_GENERATION_IMPLICIT_DELEGATION Cloud Audit Logs:
IAM Admin Activity audit logs The iam.serviceAccounts.implicitDelegation permission was misused to generate access tokens from a more privileged service account. Findings are classified as Low severity by default. Privilege Escalation: Suspicious Token Generation SUSPICIOUS_TOKEN_GENERATION_SIGN_JWT Cloud Audit Logs:
IAM Admin Activity audit logs A service account used the serviceAccounts.signJwt method to generate an access token for another service account. Findings are classified as Low severity by default. Privilege Escalation: Suspicious Token Generation SUSPICIOUS_TOKEN_GENERATION_CROSS_PROJECT_OPENID Cloud Audit Logs:
IAM Admin Activity audit logs

The iam.serviceAccounts.getOpenIdToken IAM permission was used across projects.

This finding isn't available for project-level activations. Findings are classified as Low severity by default.

Privilege Escalation: Suspicious Token Generation SUSPICIOUS_TOKEN_GENERATION_CROSS_PROJECT_ACCESS_TOKEN Cloud Audit Logs:
IAM Admin Activity audit logs

The iam.serviceAccounts.getAccessToken IAM permission was used across projects.

This finding isn't available for project-level activations. Findings are classified as Low severity by default.

Privilege Escalation: Suspicious Cross-Project Permission Use SUSPICIOUS_CROSS_PROJECT_PERMISSION_DATAFUSION Cloud Audit Logs:
IAM Admin Activity audit logs

The datafusion.instances.create IAM permission was used across projects.

This finding isn't available for project-level activations. Findings are classified as Low severity by default.

Command and Control: DNS Tunneling DNS_TUNNELING_IODINE_HANDSHAKE Cloud DNS logs The handshake of the DNS tunneling tool Iodine was detected. Findings are classified as Low severity by default. Defense Evasion: VPC Route Masquerade Attempt VPC_ROUTE_MASQUERADE Cloud Audit Logs:
IAM Admin Activity audit logs VPC routes masquerading as Google Cloud default routes were manually created, allowing egress traffic to external IP addresses. Findings are classified as High severity by default. Impact: Billing Disabled BILLING_DISABLED_SINGLE_PROJECT Cloud Audit Logs:
IAM Admin Activity audit logs Billing was disabled for a project. Findings are classified as Low severity by default. Impact: Billing Disabled BILLING_DISABLED_MULTIPLE_PROJECTS Cloud Audit Logs:
IAM Admin Activity audit logs Billing was disabled for multiple projects in an organization within a short time period. Findings are classified as Low severity by default. Impact: VPC Firewall High Priority Block VPC_FIREWALL_HIGH_PRIORITY_BLOCK Cloud Audit Logs:
IAM Admin Activity audit logs A VPC firewall rule that blocks all egress traffic was added at priority 0. Findings are classified as Low severity by default. Impact: VPC Firewall Mass Rule Deletion^{Temporarily unavailable} VPC_FIREWALL_MASS_RULE_DELETION Cloud Audit Logs:
IAM Admin Activity audit logs

VPC firewall rules were mass deleted by non-service accounts.

This rule is temporarily unavailable. To monitor updates to your firewall rules, use the Cloud audit logs. Findings are classified as Low severity by default.

Impact: Service API Disabled SERVICE_API_DISABLED Cloud Audit Logs:
IAM Admin Activity audit logs A Google Cloud service API was disabled in a production environment. Findings are classified as Low severity by default. Impact: Managed Instance Group Autoscaling Set To Maximum MIG_AUTOSCALING_SET_TO_MAX Cloud Audit Logs:
IAM Admin Activity audit logs A managed instance group was configured for maximum autoscaling. Findings are classified as Low severity by default. Discovery: Unauthorized Service Account API Call UNAUTHORIZED_SERVICE_ACCOUNT_API_CALL Cloud Audit Logs:
IAM Admin Activity audit logs A service account made an unauthorized cross-project API call. Findings are classified as Low severity by default. Defense Evasion: Anonymous Sessions Granted Cluster Admin Access ANONYMOUS_SESSIONS_GRANTED_CLUSTER_ADMIN Cloud Audit Logs:
GKE Admin Activity logs A role-based access control (RBAC) ClusterRoleBinding object was created, adding the root-cluster-admin-binding behavior to anonymous users. Findings are classified as Low severity by default. Persistence: New Geography for AI Service AI_IAM_ANOMALOUS_BEHAVIOR_IP_GEOLOCATION Cloud Audit Logs:
Admin Activity logs

IAM user and service accounts accessed Google Cloud AI services from anomalous locations, based on the geolocation of the requesting IP addresses.

This finding isn't available for project-level activations and they are classified as Low severity by default.

Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Admin Activity AI_ANOMALOUS_SA_DELEGATION_MULTISTEP_ADMIN_ACTIVITY Cloud Audit Logs:
Admin Activity logs An anomalous multistep delegated request was found for an administrative activity of an AI service. Findings are classified as Medium severity by default. Privilege Escalation: Anomalous Multistep Service Account Delegation for AI Data Access AI_ANOMALOUS_SA_DELEGATION_MULTISTEP_DATA_ACCESS Cloud Audit Logs:
Data Access logs An anomalous multistep delegated request was found for a data access activity of an AI service. Findings are classified as Medium severity by default. Privilege Escalation: Anomalous Service Account Impersonator for AI Admin Activity AI_ANOMALOUS_SA_DELEGATION_IMPERSONATOR_ADMIN_ACTIVITY Cloud Audit Logs:
Admin Activity logs A potentially anomalous caller or impersonator in a delegation chain was used for an administrative activity of an AI service. Findings are classified as Medium severity by default. Privilege Escalation: Anomalous Service Account Impersonator for AI Data Access AI_ANOMALOUS_SA_DELEGATION_IMPERSONATOR_DATA_ACCESS Cloud Audit Logs:
Data Access logs A potentially anomalous caller or impersonator in a delegation chain was used for a data access activity of an AI service. Findings are classified as Medium severity by default. Privilege Escalation: Anomalous Impersonation of Service Account for AI Admin Activity AI_ANOMALOUS_SA_DELEGATION_IMPERSONATION_OF_SA_ADMIN_ACTIVITY Cloud Audit Logs:
Admin Activity logs A potentially anomalous impersonated service account was used for an administrative activity of an AI service. Findings are classified as Medium severity by default. Persistence: New AI API Method
AI_ANOMALOUS_BEHAVIOR_NEW_API_METHOD Cloud Audit Logs:
Admin Activity logs IAM service accounts used anomalous access to Google Cloud AI services. Findings are classified as Low severity by default. Initial Access: Dormant Service Account Activity in AI Service AI_DORMANT_SERVICE_ACCOUNT_USED_IN_ACTION Cloud Audit Logs: Admin Activity logs A dormant user-managed service account triggered an action in AI services. In this context, a service account is considered dormant if it has been inactive for more than 180 days. Findings are classified as High severity by default. Initial Access: Anonymous GKE Resource Created from the Internet (Preview) GKE_RESOURCE_CREATED_ANONYMOUSLY_FROM_INTERNET Cloud Audit Logs:
GKE Admin Activity logs. A resource was created by an effectively anonymous internet user. Findings are classified as High severity by default. Initial Access: GKE Resource Modified Anonymously from the Internet (Preview) GKE_RESOURCE_MODIFIED_ANONYMOUSLY_FROM_INTERNET Cloud Audit Logs:
GKE Admin Activity logs A resource was manipulated by an effectively anonymous internet user. Findings are classified as High severity by default. Privilege Escalation: Effectively Anonymous Users Granted GKE Cluster Access GKE_ANONYMOUS_USERS_GRANTED_ACCESS Cloud Audit Logs:
GKE Admin Activity logs

Someone created an RBAC binding that references one of the following users or groups:

system:anonymous
system:unauthenticated
system:authenticated

These users and groups are effectively anonymous and should be avoided when creating role bindings or cluster role bindings to any RBAC roles. Review the binding to ensure that it is necessary. If the binding isn't necessary, remove it. Findings are classified as Medium severity by default.

Execution: Suspicious Exec or Attach to a System Pod (Preview) GKE_SUSPICIOUS_EXEC_ATTACH Cloud Audit Logs:
GKE Admin Activity logs Someone used the exec or attach commands to get a shell or execute a command on a container running in the kube-system namespace. These methods are sometimes used for legitimate debugging purposes. However, the kube-system namespace is intended for system objects created by Kubernetes, and unexpected command execution or shell creation should be reviewed. Findings are classified as Medium severity by default. Privilege Escalation: Workload Created with a Sensitive Host Path Mount (Preview) GKE_SENSITIVE_HOSTPATH Cloud Audit Logs:
GKE Admin Activity logs Someone created a workload that contains a hostPath volume mount to a sensitive path on the host node's file system. Access to these paths on the host filesystem can be used to access privileged or sensitive information on the node and for container escapes. If possible, don't allow any hostPath volumes in your cluster. Findings are classified as Low severity by default. Privilege Escalation: Workload with shareProcessNamespace enabled (Preview) GKE_SHAREPROCESSNAMESPACE_POD Cloud Audit Logs:
GKE Admin Activity logs Someone deployed a workload with the shareProcessNamespace option set to true, allowing all containers to share the same Linux process namespace. This could allow an untrusted or compromised container to escalate privileges by accessing and controlling environment variables, memory, and other sensitive data from processes running in other containers. Findings are classified as Low severity by default. Privilege Escalation: ClusterRole with Privileged Verbs (Preview) GKE_CLUSTERROLE_PRIVILEGED_VERBS Cloud Audit Logs:
GKE Admin Activity logs Someone created an RBAC ClusterRole that contains the bind, escalate, or impersonate verbs. A subject that's bound to a role with these verbs can impersonate other users with higher privileges, bind to additional Roles or ClusterRoles that contain additional permissions, or modify their own ClusterRole permissions. This might lead to those subjects gaining cluster-admin privileges. Findings are classified as Low severity by default. Privilege Escalation: ClusterRoleBinding to Privileged Role GKE_CRB_CLUSTERROLE_AGGREGATION_CONTROLLER Cloud Audit Logs:
GKE Admin Activity logs Someone created an RBAC ClusterRoleBinding that references the default system:controller:clusterrole-aggregation-controller ClusterRole. This default ClusterRole has the escalate verb, which allows subjects to modify the privileges of their own roles, allowing for privilege escalation. Findings are classified as Low severity by default. Defense Evasion: Manually Deleted Certificate Signing Request (CSR) GKE_MANUALLY_DELETED_CSR Cloud Audit Logs:
GKE Admin Activity logs Someone manually deleted a certificate signing request (CSR). CSRs are automatically removed by a garbage collection controller, but malicious actors might manually delete them to evade detection. If the deleted CSR was for an approved and issued certificate, the potentially malicious actor now has an additional authentication method to access the cluster. The permissions associated with the certificate vary depending on which subject they included, but can be highly privileged. Kubernetes does not support certificate revocation. Findings are classified as Low severity by default. Credential Access: Failed Attempt to Approve Kubernetes Certificate Signing Request (CSR) GKE_APPROVE_CSR_FORBIDDEN Cloud Audit Logs:
GKE Admin Activity logs Someone attempted to manually approve a certificate signing request (CSR) but the action failed. Creating a certificate for cluster authentication is a common method for attackers to create persistent access to a compromised cluster. The permissions associated with the certificate vary depending on which subject they included, but can be highly privileged. Findings are classified as Low severity by default. Credential Access: Manually Approved Kubernetes Certificate Signing Request (CSR) (Preview) GKE_CSR_APPROVED Cloud Audit Logs:
GKE Admin Activity logs Someone manually approved a certificate signing request (CSR). Creating a certificate for cluster authentication is a common method for attackers to create persistent access to a compromised cluster. The permissions associated with the certificate vary depending on which subject they included, but can be highly privileged. Findings are classified as Low severity by default. Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments GKE_REVERSE_SHELL_POD Cloud Audit Logs:
GKE Admin Activity logs Someone created a Pod that contains commands or arguments that are commonly associated with a reverse shell. Attackers use reverse shells to expand or maintain their initial access to a cluster and to execute arbitrary commands. Findings are classified as Medium severity by default. Defense Evasion: Potential Kubernetes Pod Masquerading GKE_POD_MASQUERADING Cloud Audit Logs:
GKE Admin Activity logs Someone deployed a Pod with a naming convention that is similar to the default workloads that GKE creates for regular cluster operation. This technique is called masquerading. Findings are classified as Medium severity by default. Privilege Escalation: Suspicious Kubernetes Container Names - Exploitation and Escape (Preview) GKE_SUSPICIOUS_EXPLOIT_POD Cloud Audit Logs:
GKE Admin Activity logs Someone deployed a Pod with a naming convention that is similar to common tools used for container escapes or to execute other attacks on the cluster. Findings are classified as Medium severity by default. Persistence: Service Account Created in sensitive namespace GKE_SERVICE_ACCOUNT_CREATION_SENSITIVE_NAMESPACE Cloud Audit Logs:
GKE Admin Activity logs Someone created a service account in a sensitive namespace. The kube-system and kube-public namespaces are critical for GKE cluster operations, and unauthorized service accounts could compromise cluster stability and security. Findings are classified as Low severity by default. Impact: Suspicious Kubernetes Container Names - Cryptocurrency Mining GKE_SUSPICIOUS_CRYPTOMINING_POD Cloud Audit Logs:
GKE Admin Activity logs Someone deployed a Pod with a naming convention that is similar to common cryptocurrency coin miners. This may be an attempt by an attacker who has achieved initial access to the cluster to use the cluster's resources for cryptocurrency mining. Findings are classified as High severity by default. Execution: Workload triggered in sensitive namespace GKE_SENSITIVE_NAMESPACE_WORKLOAD_TRIGGERED Cloud Audit Logs:
GKE Admin Activity logs Someone deployed a workload (for example, a Pod or Deployment) in the kube-system or kube-public namespaces. These namespaces are critical for GKE cluster operations, and unauthorized workloads could compromise cluster stability or security. Findings are classified as Low severity by default. Execution: GKE launch excessively capable container (Preview) GKE_EXCESSIVELY_CAPABLE_CONTAINER_CREATED Cloud Audit Logs:
GKE Admin Activity logs Someone created a container with one or more of the following capabilities in a cluster with an elevated security context:

CAP_SYS_MODULE
CAP_SYS_RAWIO
CAP_SYS_PTRACE
CAP_SYS_BOOT
CAP_DAC_READ_SEARCH
CAP_NET_ADMIN
CAP_BPF

These capabilities can be used to escape from containers. Use caution when provisioning these capabilities. Findings are classified as Low severity by default. Persistence: GKE Webhook Configuration Detected GKE_WEBHOOK_CONFIG_CREATED Cloud Audit Logs:
GKE Admin Activity logs A webhook configuration was detected in your GKE cluster. Webhooks can intercept and modify Kubernetes API requests, potentially allowing attackers to persist within your cluster or manipulate resources. Findings are classified as Low severity by default. Defense Evasion: Static Pod Created GKE_STATIC_POD_CREATED Cloud Audit Logs:
GKE Admin Activity logs Someone created a static Pod in your GKE cluster. Static Pods run directly on the node and bypass the Kubernetes API server, which makes them more difficult to monitor and control. Attackers can use static Pods to evade detection or maintain persistence. Findings are classified as Low severity by default. Initial Access: Successful API call made from a TOR proxy IP GKE_TOR_PROXY_IP_REQUEST Cloud Audit Logs:
GKE Admin Activity logs A successful API call was made to your GKE cluster from an IP address associated with the Tor network. Tor provides anonymity, which attackers often exploit to hide their identity. Findings are classified as High severity by default. Initial Access: GKE NodePort service created GKE_NODEPORT_SERVICE_CREATED Cloud Audit Logs:
GKE Admin Activity logs Someone created a NodePort service. NodePort services expose Pods directly on a node's IP address and static port, which make the Pods accessible from outside the cluster. This can introduce a significant security risk because it could allow an attacker to exploit vulnerabilities in the exposed service to gain access to the cluster or sensitive data. Findings are classified as Medium severity by default. Impact: GKE kube-dns modification detected (Preview) GKE_KUBE_DNS_MODIFICATION Cloud Audit Logs:
GKE Admin Activity logs Someone modified the kube-dns configuration in your GKE cluster. GKE kube-dns is a critical component of your cluster's networking, and its misconfiguration could lead to a security breach. Findings are classified as Medium severity by default. Impact: Cryptomining Commands CLOUD_RUN_JOBS_CRYPTOMINING_COMMANDS Cloud Audit Logs:
IAM System Event audit logs Specific cryptomining commands were attached to a Cloud Run job during execution. Findings are classified as High severity by default. Execution: Cryptomining Docker Image CLOUD_RUN_CRYPTOMINING_DOCKER_IMAGES Cloud Audit Logs:
IAM System Event audit logs Specific known bad docker images were attached to a new or existing Cloud Run service or job. Findings are classified as High severity by default. Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy CLOUD_RUN_SERVICES_SET_IAM_POLICY Cloud Audit Logs:
Admin Activity logs The default Compute Engine service account was used to set the IAM policy for a Cloud Run service. This is a potential post exploit action when a Compute Engine token is compromised from a serverless service. Findings are classified as Low severity by default. Initial Access: CloudDB Successful login from Anonymizing Proxy IP CLOUD_DB_LOGIN_SUCCEEDED_ANON_IP Cloud Audit Logs: AlloyDB for PostgreSQL data access logs
Cloud SQL for PostgreSQL data access logs
Cloud SQL for MySQL data access logs
Note: You must enable IP logging in PostgreSQL to use this rule for AlloyDB and Postgres. A successful login was detected in your database instance from a known anonymizing IP address. This could indicate an attacker gaining initial access to your instance. Findings are classified as High severity by default. Credential Access: CloudDB Failed login from Anonymizing Proxy IP CLOUD_DB_LOGIN_FAILED_ANON_IP Cloud Audit Logs: AlloyDB for PostgreSQL data access logs
Cloud SQL for PostgreSQL data access logs
Cloud SQL for MySQL data access logs
Note: You must enable IP logging in PostgreSQL to use this rule for AlloyDB and Postgres. A failed login was detected in your database instance from a known anonymizing IP address. This could indicate an attacker attempting unauthorized access to your instance. Findings are classified as Medium severity by default.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4