Virtual Machine Threat Detection overview

This page provides an overview of Virtual Machine Threat Detection.

Overview

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, provides threat detection through hypervisor-level instrumentation and persistent disk analysis. VM Threat Detection detects potentially malicious applications, such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments.

VM Threat Detection is part of Security Command Center Premium's threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.

VM Threat Detection findings are high-severity threats that we recommend you fix immediately. You can view VM Threat Detection findings in Security Command Center.

For organizations enrolled in Security Command Center Premium, VM Threat Detection scans are automatically enabled. If needed, you can disable the service and/or enable the service at the project level. For more information, see Enable or disable VM Threat Detection.

How VM Threat Detection works

VM Threat Detection is a managed service that scans enabled Compute Engine projects and virtual machine (VM) instances to detect potentially malicious applications running in VMs, such as cryptocurrency mining software and kernel-mode rootkits.

The following figure is a simplified illustration showing how VM Threat Detection's analysis engine ingests metadata from VM guest memory and writes findings to Security Command Center.

Simplified data path for Virtual Machine Threat Detection
Simplified data path for Virtual Machine Threat Detection

VM Threat Detection is built into Google Cloud's hypervisor, a secure platform that creates and manages all Compute Engine VMs.

VM Threat Detection periodically performs scans from the hypervisor into the memory of a running guest VM without pausing operation of the guest. It also periodically scans disk clones. Because this service operates from outside the guest VM instance, it doesn't require guest agents or special configuration of the guest operating system, and it's resistant to countermeasures used by sophisticated malware. No CPU cycles are used inside the guest VM, and network connectivity isn't required. Security teams don't need to update signatures or manage the service.

How cryptocurrency mining detection works

Powered by Google Cloud's threat detection rules, VM Threat Detection analyzes information about software running on VMs, including a list of application names, per-process CPU usage, hashes of memory pages, CPU hardware performance counters, and information about executed machine code to determine whether any application matches known cryptocurrency mining signatures. When possible, VM Threat Detection then determines the running process associated with the detected signature matches and includes information about that process in the finding.

How kernel-mode rootkit detection works

VM Threat Detection infers the type of operating system running on the VM and uses that information to determine the kernel code, read-only data regions, and other kernel data structures in memory. VM Threat Detection applies various techniques to determine if those regions are tampered with, by comparing them to precomputed hashes that are expected for the kernel image and verifying the integrity of important kernel data structures.

How malware detection works

VM Threat Detection takes short-lived clones of your VM's persistent disk, without disrupting your workloads, and scans the disk clones. This service analyzes executable files on the VM to determine whether any files match known malware signatures. The generated finding contains information about the file and the malware signatures detected.

Scan frequency

For memory scanning, VM Threat Detection scans each VM instance immediately after the instance is created. In addition, VM Threat Detection scans each VM instance every 30 minutes.

  • For cryptocurrency mining detection, VM Threat Detection generates one finding per process, per VM, per day. Each finding includes only the threats associated with the process that is identified by the finding. If VM Threat Detection finds threats but can't associate them with any process, then, for each VM, VM Threat Detection groups all of the unassociated threats into a single finding that it issues once per each 24-hour period. For any threats that persist longer than 24 hours, VM Threat Detection generates new findings once every 24 hours.
  • For kernel-mode rootkit detection, which is in Preview, VM Threat Detection generates one finding per category, per VM, every three days.

For persistent disk scanning, which detects the presence of known malware, VM Threat Detection scans each VM instance at least daily.

If you activate the Premium tier of Security Command Center, VM Threat Detection scans are automatically enabled. If needed, you can disable the service and/or enable the service at the project level. For more information, see Enable or disable VM Threat Detection.

Findings

This section describes the threat and observation findings that VM Threat Detection generates.

Threat findings

VM Threat Detection has the following threat detections.

Cryptocurrency mining threat findings

VM Threat Detection detects the following finding categories through hash matching or YARA rules.

VM Threat Detection cryptocurrency mining threat findings
Category Module Description
Execution: Cryptocurrency Mining Hash Match CRYPTOMINING_HASH Matches memory hashes of running programs against known memory hashes of cryptocurrency mining software.
Execution: Cryptocurrency Mining YARA Rule CRYPTOMINING_YARA Matches memory patterns, such as proof-of-work constants, known to be used by cryptocurrency mining software.
Execution: Cryptocurrency Mining Combined Detection
  • CRYPTOMINING_HASH
  • CRYPTOMINING_YARA
Identifies a threat that was detected by both the CRYPTOMINING_HASH and CRYPTOMINING_YARA modules. For more information, see Combined detections.

Kernel-mode rootkit threat findings

VM Threat Detection analyzes kernel integrity at run time to detect common evasion techniques that are used by malware.

The KERNEL_MEMORY_TAMPERING module detects threats by doing a hash comparison on the kernel code and kernel read-only data memory of a virtual machine.

The KERNEL_INTEGRITY_TAMPERING module detects threats by checking the integrity of important kernel data structures.

VM Threat Detection kernel-mode rootkit threat findings
Category Module Description
Kernel memory tampering
Defense Evasion: Unexpected kernel code modificationPreview KERNEL_MEMORY_TAMPERING Unexpected modifications of kernel code memory are present.
Defense Evasion: Unexpected kernel read-only data modificationPreview KERNEL_MEMORY_TAMPERING Unexpected modifications of kernel read-only data memory are present.
Kernel integrity tampering
Defense Evasion: Unexpected ftrace handlerPreview KERNEL_INTEGRITY_TAMPERING ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
Defense Evasion: Unexpected interrupt handlerPreview KERNEL_INTEGRITY_TAMPERING Interrupt handlers that aren't in the expected kernel or module code regions are present.
Defense Evasion: Unexpected kernel modulesPreview KERNEL_INTEGRITY_TAMPERING Kernel code pages that are not in the expected kernel or module code regions are present.
Defense Evasion: Unexpected kprobe handlerPreview KERNEL_INTEGRITY_TAMPERING kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
Defense Evasion: Unexpected processes in runqueuePreview KERNEL_INTEGRITY_TAMPERING Unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list.
Defense Evasion: Unexpected system call handlerPreview KERNEL_INTEGRITY_TAMPERING System call handlers that aren't in the expected kernel or module code regions are present.
Rootkit
Defense Evasion: RootkitPreview
  • KERNEL_MEMORY_TAMPERING
  • KERNEL_INTEGRITY_TAMPERING
A combination of signals matching a known kernel-mode rootkit is present. To receive findings of this category, make sure both modules are enabled.

Malware threat findings

VM Threat Detection detects the following finding categories by scanning a VM's persistent disk for known malware.

VM Threat Detection malware threat findings
Category Module Description
Malware: Malicious file on disk (YARA) MALWARE_DISK_SCAN_YARA Matches signatures that are used by known malware.

Observation finding

VM Threat Detection generates the following observation finding:

VM Threat Detection observation finding
Category name API name Summary Severity
VMTD disabled VMTD_DISABLED

VM Threat Detection is disabled. Until you enable it, this service can't scan your Compute Engine projects and VM instances for unwanted applications.

This finding is set to INACTIVE after 30 days. After that, this finding isn't generated again.

High

Limitations

VM Threat Detection supports Compute Engine VM instances, with the following limitations:

  • Limited support for Windows VMs:

    • For cryptocurrency mining detection, VM Threat Detection primarily focuses on Linux binaries and has limited coverage of cryptocurrency miners that run on Windows.

    • For kernel-mode rootkit detection, which is in Preview, VM Threat Detection supports only Linux operating systems.

  • No support for Compute Engine VMs that use Confidential VM. Confidential VM instances use cryptography to protect the contents of memory as it moves in and out of the CPU. Thus, VM Threat Detection can't scan them.

  • Disk scanning limitations:

  • VM Threat Detection requires the Security Center Service Agent to be able to list the VMs in the projects and clone the disks to Google-owned projects. Some security and policy configurations—like VPC Service Controls perimeters and organization policy constraints—can interfere with such operations. In this case, VM Threat Detection scanning might not work.

  • VM Threat Detection relies on the capabilities of Google Cloud's hypervisor and Compute Engine. Thus, VM Threat Detection can't run in on-premises environments or in other public cloud environments.

Privacy and security

VM Threat Detection accesses the disk clones and memory of a running VM for analysis. The service analyzes only what is necessary to detect threats.

Contents of the VM memory and disk clones are used as inputs in the VM Threat Detection risk analysis pipeline. The data is encrypted in transit and processed by automated systems. During processing, data is safeguarded by Google Cloud's security control systems.

For monitoring and debugging purposes, VM Threat Detection stores basic diagnostic and statistical information about projects the service protects.

VM Threat Detection scans VM memory contents and disk clones in their respective regions. However, the resulting findings and metadata (such as project and organization numbers) might be stored outside those regions.

What's next