This page provides an overview of Virtual Machine Threat Detection.
Overview
Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, provides threat detection through hypervisor-level instrumentation. VM Threat Detection detects potentially malicious applications, such as cryptocurrency mining software and kernel-mode rootkits, running in compromised cloud environments.
VM Threat Detection is part of Security Command Center Premium's threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.
VM Threat Detection findings are high-severity threats that we recommend you fix immediately. You can view VM Threat Detection findings in Security Command Center.
For organizations enrolled in Security Command Center Premium, VM Threat Detection scans are automatically enabled. If needed, you can disable the service and/or enable the service at the project level. For more information, see Enable or disable VM Threat Detection.
How VM Threat Detection works
VM Threat Detection is a managed service that scans enabled Compute Engine projects and virtual machine (VM) instances to detect potentially malicious applications running in VMs, such as cryptocurrency mining software and kernel-mode rootkits.
The following figure is a simplified illustration showing how VM Threat Detection's analysis engine ingests metadata from VM guest memory and writes findings to Security Command Center.

VM Threat Detection is built into Google Cloud's hypervisor, a secure platform that creates and manages all Compute Engine VMs.
VM Threat Detection periodically performs scans from the hypervisor into the guest VM's live memory without pausing operation of the guest. Because this service operates from outside the guest VM instance, it doesn't require guest agents or special configuration of the guest operating system, and it's resistant to countermeasures used by sophisticated malware. No CPU cycles are used inside the guest VM, and network connectivity isn't required. Security teams don't need to update signatures or manage the service.
How cryptocurrency mining detection works
Powered by Google Cloud's threat detection rules, VM Threat Detection analyzes information about software running on VMs, including a list of application names, per-process CPU usage, hashes of memory pages, CPU hardware performance counters, and information about executed machine code, to determine whether any application matches known cryptocurrency mining signatures. When possible, VM Threat Detection then identifies the running process associated with the matched signature and includes information about that process in the finding.
How kernel-mode rootkit detection works
VM Threat Detection infers the type of operating system running on the VM and uses that information to locate the kernel code, read-only data regions, and other kernel data structures in memory. VM Threat Detection then applies various techniques to determine whether those regions have been tampered with: it compares them to precomputed hashes that are expected for the kernel image, and it verifies the integrity of important kernel data structures.
Scan frequency
VM Threat Detection scans each VM instance immediately after the instance is created. In addition, VM Threat Detection scans each VM instance every 30 minutes.
For cryptocurrency mining detection, VM Threat Detection generates one finding per process, per VM, per day. Each finding includes only the threats associated with the process that the finding identifies. If VM Threat Detection finds threats but can't associate them with any process, then, for each VM, it groups all of the unassociated threats into a single finding that it issues once per 24-hour period. For any threats that persist longer than 24 hours, VM Threat Detection generates new findings once every 24 hours.
For kernel-mode rootkit detection, which is in Preview, VM Threat Detection generates one finding per category, per VM, every three days.
If you activate the Premium tier of Security Command Center, VM Threat Detection scans are automatically enabled. If needed, you can disable the service and/or enable the service at the project level. For more information, see Enable or disable VM Threat Detection.
Findings
This section describes the threat and observation findings that VM Threat Detection generates.
Threat findings
VM Threat Detection has the following threat detections.
Cryptocurrency mining threat findings
VM Threat Detection detects the following finding categories through hash matching or YARA rules.
Category | Module | Description |
---|---|---|
Execution: Cryptocurrency Mining Hash Match | CRYPTOMINING_HASH | Matches memory hashes of running programs against known memory hashes of cryptocurrency mining software. |
Execution: Cryptocurrency Mining YARA Rule | CRYPTOMINING_YARA | Matches memory patterns, such as proof-of-work constants, known to be used by cryptocurrency mining software. |
Execution: Cryptocurrency Mining Combined Detection | | Identifies a threat that was detected by both the CRYPTOMINING_HASH and CRYPTOMINING_YARA modules. For more information, see Combined detections. |
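As an added illustration that is not the service's own code, the following Python model shows how the two cryptomining modules in the table and their combined category fit together, and how findings are grouped per process (with unassociated threats collapsed into one finding per VM, as described under Scan frequency). The "miner" page, the pattern bytes, the process names and all function names are constructed for this example; a real detector's hash list and rules are far more specific.

```python
import hashlib

PAGE_SIZE = 4096
# Constructed "miner" page so the example runs offline; its hash plays the role of
# the known-bad memory hash list consulted by the CRYPTOMINING_HASH module.
MINER_PAGE = b"constructed-miner-code-page".ljust(PAGE_SIZE, b"\x90")
KNOWN_MINER_PAGE_HASHES = {hashlib.sha256(MINER_PAGE).hexdigest()}
# Illustrative stand-in for a CRYPTOMINING_YARA pattern: the first four SHA-256 round
# constants (SHA-256d is Bitcoin's proof of work). These bytes alone also occur in
# ordinary crypto libraries, which is why real rules are much narrower than this.
POW_PATTERN = b"".join(k.to_bytes(4, "little")
                       for k in (0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5))

HASH_CAT = "Execution: Cryptocurrency Mining Hash Match"
YARA_CAT = "Execution: Cryptocurrency Mining YARA Rule"
COMBINED_CAT = "Execution: Cryptocurrency Mining Combined Detection"

def hash_match(memory: bytes) -> bool:
    """Hash each page-aligned 4 KiB page and compare against the known-bad set."""
    return any(hashlib.sha256(memory[o:o + PAGE_SIZE]).hexdigest() in KNOWN_MINER_PAGE_HASHES
               for o in range(0, len(memory), PAGE_SIZE))

def yara_match(memory: bytes) -> bool:
    """Pattern scan over the whole region, the way a YARA rule would."""
    return POW_PATTERN in memory

def categories(memory: bytes) -> set:
    """Per-module categories for one region, plus the combined category when both fire."""
    cats = set()
    if hash_match(memory):
        cats.add(HASH_CAT)
    if yara_match(memory):
        cats.add(YARA_CAT)
    if {HASH_CAT, YARA_CAT} <= cats:
        cats.add(COMBINED_CAT)
    return cats

def scan_vm(vm: str, regions: list) -> list:
    """regions: (process name or None, memory bytes). One finding per matched process;
    regions with no process (None) are grouped into a single unassociated finding."""
    findings, unassociated = [], set()
    for process, memory in regions:
        cats = categories(memory)
        if not cats:
            continue
        if process is None:
            unassociated |= cats
        else:
            findings.append({"vm": vm, "process": process, "categories": cats})
    if unassociated:
        findings.append({"vm": vm, "process": None, "categories": unassociated})
    return findings
```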
Kernel-mode rootkit threat findings
VM Threat Detection analyzes kernel integrity at run time to detect common evasion techniques that are used by malware.
The KERNEL_MEMORY_TAMPERING module detects threats by doing a hash comparison on the kernel code and kernel read-only data memory of a virtual machine. The KERNEL_INTEGRITY_TAMPERING module detects threats by checking the integrity of important kernel data structures.
Category | Module | Description |
---|---|---|
Kernel memory tampering | | |
Defense Evasion: Unexpected kernel code modification (Preview) | KERNEL_MEMORY_TAMPERING | Unexpected modifications of kernel code memory are present. |
Defense Evasion: Unexpected kernel read-only data modification (Preview) | KERNEL_MEMORY_TAMPERING | Unexpected modifications of kernel read-only data memory are present. |
Kernel integrity tampering | | |
Defense Evasion: Unexpected ftrace handler (Preview) | KERNEL_INTEGRITY_TAMPERING | ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range. |
Defense Evasion: Unexpected interrupt handler (Preview) | KERNEL_INTEGRITY_TAMPERING | Interrupt handlers that are not in the expected kernel or module code regions are present. |
Defense Evasion: Unexpected kernel modules (Preview) | KERNEL_INTEGRITY_TAMPERING | Kernel code pages that are not in the expected kernel or module code regions are present. |
Defense Evasion: Unexpected kprobe handler (Preview) | KERNEL_INTEGRITY_TAMPERING | kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range. |
Defense Evasion: Unexpected processes in runqueue (Preview) | KERNEL_INTEGRITY_TAMPERING | Unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list. |
Defense Evasion: Unexpected system call handler (Preview) | KERNEL_INTEGRITY_TAMPERING | System call handlers that are not in the expected kernel or module code regions are present. |
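The following Python model is an added example, not the service's implementation, of the two rootkit checks described above: hashing kernel code and read-only data against precomputed values (the KERNEL_MEMORY_TAMPERING role) and verifying that every handler, callback and executable page lies inside the expected kernel or module code ranges and that nothing is on the run queue without also being in the task list (the KERNEL_INTEGRITY_TAMPERING role). The snapshot structure, its field names, the addresses and the function names are all assumptions constructed for the example; a real scan reconstructs these from guest memory without any guest agent.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class KernelSnapshot:
    """Constructed model of what a hypervisor-side scan reads from guest memory."""
    text: bytes              # kernel code bytes
    rodata: bytes            # kernel read-only data bytes
    code_ranges: list        # [start, end) of kernel and loaded-module code
    syscall_table: dict      # syscall number -> handler address
    interrupt_handlers: dict # vector -> handler address
    ftrace_callbacks: list   # addresses that ftrace points call into
    kprobe_callbacks: list   # addresses that kprobe points call into
    exec_pages: list         # addresses of executable kernel pages
    runqueue_pids: set       # PIDs the scheduler run queue knows about
    task_list_pids: set      # PIDs visible in the process task list

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def in_code_range(addr: int, ranges: list) -> bool:
    return any(start <= addr < end for start, end in ranges)

def check_memory(snap: KernelSnapshot, expected_text: str, expected_rodata: str) -> list:
    """KERNEL_MEMORY_TAMPERING role: hash code/rodata and compare with the expected image."""
    findings = []
    if digest(snap.text) != expected_text:
        findings.append("Defense Evasion: Unexpected kernel code modification")
    if digest(snap.rodata) != expected_rodata:
        findings.append("Defense Evasion: Unexpected kernel read-only data modification")
    return findings

def check_integrity(snap: KernelSnapshot) -> list:
    """KERNEL_INTEGRITY_TAMPERING role: addresses must be in known code; runqueue ⊆ task list."""
    findings = []
    address_checks = [
        ("Defense Evasion: Unexpected system call handler", snap.syscall_table.values()),
        ("Defense Evasion: Unexpected interrupt handler", snap.interrupt_handlers.values()),
        ("Defense Evasion: Unexpected ftrace handler", snap.ftrace_callbacks),
        ("Defense Evasion: Unexpected kprobe handler", snap.kprobe_callbacks),
        ("Defense Evasion: Unexpected kernel modules", snap.exec_pages),
    ]
    for category, addrs in address_checks:
        if any(not in_code_range(a, snap.code_ranges) for a in addrs):
            findings.append(category)
    if snap.runqueue_pids - snap.task_list_pids:  # running but hidden from the task list
        findings.append("Defense Evasion: Unexpected processes in runqueue")
    return findings

def scan(snap: KernelSnapshot, expected_text: str, expected_rodata: str) -> list:
    return check_memory(snap, expected_text, expected_rodata) + check_integrity(snap)
```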
Observation finding
VM Threat Detection generates the following observation finding:
Category name | API name | Summary | Severity |
---|---|---|---|
VMTD disabled | VMTD_DISABLED | VM Threat Detection is disabled. Until you enable it, this service can't scan your Compute Engine projects and VM instances for unwanted applications. This finding is set to | High |
Supported assets and environments
VM Threat Detection supports Compute Engine VM instances, with the following limitations:
Limited support for Windows VMs
For cryptocurrency mining detection, VM Threat Detection primarily focuses on Linux binaries and has limited coverage of cryptocurrency miners that run on Windows.
For kernel-mode rootkit detection, which is in Preview, VM Threat Detection supports only Linux operating systems.
No support for Compute Engine VMs that use Confidential VM. Confidential VM instances use cryptography to protect the contents of memory as it moves in and out of the CPU. Thus, VM Threat Detection can't scan them.
VM Threat Detection relies on the capabilities of Google Cloud's hypervisor. Thus, it can't run in on-premises environments or in other public cloud environments.
Privacy and security
VM Threat Detection accesses live VM memory for analysis. The service analyzes only what is necessary to detect threats.
VM memory contents are used as inputs in VM Threat Detection's risk analysis pipeline. Memory data is encrypted in transit and processed by automated systems. During processing, data is safeguarded by Google Cloud's security control systems.
For monitoring and debugging purposes, VM Threat Detection stores basic diagnostic and statistical information about projects the service protects.
VM Threat Detection scans raw VM memory contents in their respective regions. However, the resulting findings and metadata (such as project and organization numbers) might be stored outside those regions.
What's next
- Learn how to use VM Threat Detection.
- Learn how to investigate VM Threat Detection findings.