Virtual Machine Threat Detection overview

This page provides an overview of Virtual Machine Threat Detection.

Overview

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, provides threat detection through hypervisor-level instrumentation and persistent disk analysis. VM Threat Detection detects potentially malicious applications, such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments.

VM Threat Detection is part of Security Command Center Premium's threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.

VM Threat Detection findings are high-severity threats that we recommend you fix immediately. You can view VM Threat Detection findings in Security Command Center.

For organizations enrolled in Security Command Center Premium, VM Threat Detection scans are automatically enabled. If needed, you can disable the service and/or enable the service at the project level. For more information, see Enable or disable VM Threat Detection.

How VM Threat Detection works

VM Threat Detection is a managed service that scans enabled Compute Engine projects and virtual machine (VM) instances to detect potentially malicious applications running in VMs, such as cryptocurrency mining software and kernel-mode rootkits.

The following figure is a simplified illustration showing how VM Threat Detection's analysis engine ingests metadata from VM guest memory and writes findings to Security Command Center.

Simplified data path for Virtual Machine Threat Detection

VM Threat Detection is built into Google Cloud's hypervisor, a secure platform that creates and manages all Compute Engine VMs.

VM Threat Detection periodically performs scans from the hypervisor into the memory of a running guest VM without pausing operation of the guest. It also periodically scans disk clones. Because this service operates from outside the guest VM instance, it doesn't require guest agents or special configuration of the guest operating system, and it's resistant to countermeasures used by sophisticated malware. No CPU cycles are used inside the guest VM, and network connectivity isn't required. Security teams don't need to update signatures or manage the service.

How cryptocurrency mining detection works

Powered by Google Cloud's threat detection rules, VM Threat Detection analyzes information about software running on VMs, including a list of application names, per-process CPU usage, hashes of memory pages, CPU hardware performance counters, and information about executed machine code to determine whether any application matches known cryptocurrency mining signatures. When possible, VM Threat Detection then determines the running process associated with the detected signature matches and includes information about that process in the finding.

How kernel-mode rootkit detection works

VM Threat Detection infers the type of operating system running on the VM and uses that information to determine the kernel code, read-only data regions, and other kernel data structures in memory. VM Threat Detection applies various techniques to determine if those regions are tampered with, by comparing them to precomputed hashes that are expected for the kernel image and verifying the integrity of important kernel data structures.

How malware detection works

VM Threat Detection takes short-lived clones of your VM's persistent disk, without disrupting your workloads, and scans the disk clones. This service analyzes executable files on the VM to determine whether any files match known malware signatures. The generated finding contains information about the file and the malware signatures detected.

Scan frequency

For memory scanning, VM Threat Detection scans each VM instance immediately after the instance is created. In addition, VM Threat Detection scans each VM instance every 30 minutes.

For cryptocurrency mining detection, VM Threat Detection generates one finding per process, per VM, per day. Each finding includes only the threats associated with the process that is identified by the finding. If VM Threat Detection finds threats but can't associate them with any process, then, for each VM, VM Threat Detection groups all of the unassociated threats into a single finding that it issues once per each 24-hour period. For any threats that persist longer than 24 hours, VM Threat Detection generates new findings once every 24 hours.
For kernel-mode rootkit detection, which is in Preview, VM Threat Detection generates one finding per category, per VM, every three days.

For persistent disk scanning, which detects the presence of known malware, VM Threat Detection scans each VM instance at least daily.

If you activate the Premium tier of Security Command Center, VM Threat Detection scans are automatically enabled. If needed, you can disable the service and/or enable the service at the project level. For more information, see Enable or disable VM Threat Detection.

Findings

This section describes the threat findings that VM Threat Detection generates.

Threat findings

VM Threat Detection has the following threat detections.

Cryptocurrency mining threat findings

VM Threat Detection detects the following finding categories through hash matching or YARA rules.

VM Threat Detection cryptocurrency mining threat findings
Category	Module	Description
`Execution: Cryptocurrency Mining Hash Match`	`CRYPTOMINING_HASH`	Matches memory hashes of running programs against known memory hashes of cryptocurrency mining software.
`Execution: Cryptocurrency Mining YARA Rule`	`CRYPTOMINING_YARA`	Matches memory patterns, such as proof-of-work constants, known to be used by cryptocurrency mining software.
`Execution: Cryptocurrency Mining Combined Detection`	`CRYPTOMINING_HASH` `CRYPTOMINING_YARA`	Identifies a threat that was detected by both the `CRYPTOMINING_HASH` and `CRYPTOMINING_YARA` modules. For more information, see Combined detections.

Kernel-mode rootkit threat findings

VM Threat Detection analyzes kernel integrity at run time to detect common evasion techniques that are used by malware.

The KERNEL_MEMORY_TAMPERING module detects threats by doing a hash comparison on the kernel code and kernel read-only data memory of a virtual machine.

The KERNEL_INTEGRITY_TAMPERING module detects threats by checking the integrity of important kernel data structures.

VM Threat Detection kernel-mode rootkit threat findings
Category	Module	Description
Kernel memory tampering
`Defense Evasion: Unexpected kernel code modification`^Preview	`KERNEL_MEMORY_TAMPERING`	Unexpected modifications of kernel code memory are present.
`Defense Evasion: Unexpected kernel read-only data modification`^Preview	`KERNEL_MEMORY_TAMPERING`	Unexpected modifications of kernel read-only data memory are present.
Kernel integrity tampering
`Defense Evasion: Unexpected ftrace handler`^Preview	`KERNEL_INTEGRITY_TAMPERING`	`ftrace` points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
`Defense Evasion: Unexpected interrupt handler`^Preview	`KERNEL_INTEGRITY_TAMPERING`	Interrupt handlers that aren't in the expected kernel or module code regions are present.
`Defense Evasion: Unexpected kernel modules`^Preview	`KERNEL_INTEGRITY_TAMPERING`	Kernel code pages that are not in the expected kernel or module code regions are present.
`Defense Evasion: Unexpected kprobe handler`^Preview	`KERNEL_INTEGRITY_TAMPERING`	`kprobe` points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
`Defense Evasion: Unexpected processes in runqueue`^Preview	`KERNEL_INTEGRITY_TAMPERING`	Unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list.
`Defense Evasion: Unexpected system call handler`^Preview	`KERNEL_INTEGRITY_TAMPERING`	System call handlers that aren't in the expected kernel or module code regions are present.
Rootkit
`Defense Evasion: Rootkit`^Preview	`KERNEL_MEMORY_TAMPERING` `KERNEL_INTEGRITY_TAMPERING`	A combination of signals matching a known kernel-mode rootkit is present. To receive findings of this category, make sure both modules are enabled.

Malware threat findings

VM Threat Detection detects the following finding categories by scanning a VM's persistent disk for known malware.

VM Threat Detection malware threat findings
Category	Module	Description
`Malware: Malicious file on disk (YARA)`	`MALWARE_DISK_SCAN_YARA`	Matches signatures that are used by known malware.

Limitations

VM Threat Detection supports Compute Engine VM instances, with the following limitations:

Limited support for Windows VMs:
- For cryptocurrency mining detection, VM Threat Detection primarily focuses on Linux binaries and has limited coverage of cryptocurrency miners that run on Windows.
- For kernel-mode rootkit detection, which is in Preview, VM Threat Detection supports only Linux operating systems.
No support for Compute Engine VMs that use Confidential VM. Confidential VM instances use cryptography to protect the contents of memory as it moves in and out of the CPU. Thus, VM Threat Detection can't scan them.
Disk scanning limitations:
- Persistent disks that are encrypted with customer-supplied encryption keys (CSEK) or customer-managed encryption keys (CMEK) are not supported.
- Only vfat, ext2, and ext4 partitions are scanned.
VM Threat Detection requires the Security Center Service Agent to be able to list the VMs in the projects and clone the disks to Google-owned projects. Some security and policy configurations—like VPC Service Controls perimeters and organization policy constraints—can interfere with such operations. In this case, VM Threat Detection scanning might not work.
VM Threat Detection relies on the capabilities of Google Cloud's hypervisor and Compute Engine. Thus, VM Threat Detection can't run in on-premises environments or in other public cloud environments.

Privacy and security

VM Threat Detection accesses the disk clones and memory of a running VM for analysis. The service analyzes only what is necessary to detect threats.

Contents of the VM memory and disk clones are used as inputs in the VM Threat Detection risk analysis pipeline. The data is encrypted in transit and processed by automated systems. During processing, data is safeguarded by Google Cloud's security control systems.

For monitoring and debugging purposes, VM Threat Detection stores basic diagnostic and statistical information about projects the service protects.

VM Threat Detection scans VM memory contents and disk clones in their respective regions. However, the resulting findings and metadata (such as project and organization numbers) might be stored outside those regions.

What's next

Learn how to use VM Threat Detection.
Learn how to investigate VM Threat Detection findings.