Premium and Enterprise service tiers
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
VM Threat Detection detected cryptocurrency mining activities by matching memory
patterns, such as proof-of-work constants, known to be used by cryptocurrency
mining software.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open an Execution: Cryptocurrency Mining YARA Rule finding, as directed
in Review findings.
The details panel for the finding opens to the Summary tab.
On the Summary tab, review the information in the following sections:
What was detected, especially the following fields:
YARA rule name: the rule triggered for YARA detectors.
Program binary: the absolute path of the process.
Arguments: the arguments provided when invoking the process binary.
Process names: the names of the processes running in the VM
instance that are associated with the detected signature matches.
VM Threat Detection can recognize kernel builds from major Linux
distributions. If it can recognize the affected VM's kernel build,
it can identify the application's process details and populate
the processes field of the finding. If VM Threat Detection can't
recognize the kernel, for example if the kernel is custom
built, the finding's processes field isn't populated.
Affected resource, especially the following fields:
Resource full name: the full resource name of the affected
VM instance, including the ID of the project that contains it.
Related links, especially the following fields:
Cloud Logging URI: link to Logging entries.
MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
Related findings: links to any related findings.
VirusTotal indicator: link to the VirusTotal analysis page.
To see the complete JSON for this finding, in the detail view of
the finding, click the JSON tab.
Step 2: Check logs
In the Google Cloud console, go to Logs Explorer.
On the Google Cloud console toolbar, select the project that contains
the VM instance, as specified on the Resource full name row in
the Summary tab of the finding details.
Check the logs for signs of intrusion on the affected VM instance. For
example, check for suspicious or unknown activities and signs of
compromised credentials.
Step 3: Review permissions and settings
On the Summary tab of the finding details, in the Resource full
name field, click the link.
Review the details of the VM instance, including the network and access
settings.
Step 4: Research attack and response methods
Review MITRE ATT&CK framework entries for
Execution.
To develop a response plan, combine your investigation results with MITRE
research.
Step 5: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
To assist with detection and removal, use an endpoint detection and
response solution.
Contact the owner of the VM.
Confirm whether the application is a mining application:
If the detected application's process name and binary path are available,
consider the values on the Program binary, Arguments, and
Process names rows on the Summary tab of the finding details
in your investigation.
Examine the running processes, especially the processes with high CPU usage,
to see if there are any that you don't recognize. Determine whether the
associated applications are miner applications.
Search the files in storage for common strings that mining applications
use, such as btc.com, ethminer, xmrig, cpuminer, and randomx.
For more examples of strings you can search for, see
Software names and YARA rules
and the related documentation for each software listed.
If you determine that the application is a miner application, and its process
is still running, terminate the process. Locate the application's executable
binary in the VM's storage, and delete it.
If necessary, stop the compromised instance and replace it with a new instance.
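The Step 5 checks (processes with high CPU usage, searching storage for the miner strings listed above, capturing the binary path and arguments, then terminating the process and removing its binary) gathered into one shell helper. This is an added example written for this page, not code from Security Command Center, VM Threat Detection or Google; it assumes a Linux VM with GNU findutils and procps, root access over SSH, and the extended indicator list, the 50% CPU default and the /root/ir-evidence directory are all assumptions you should adjust.

```shell
#!/usr/bin/env bash
# Triage helper for the "Execution: Cryptocurrency Mining YARA Rule" response steps.
# Added example, not part of the Security Command Center documentation or of any
# Google tool. Assumed to run as root on the affected Linux VM (GNU coreutils/procps).
set -u

# Indicator strings named in the finding documentation plus a few from the same
# miner families (assumption: extend from "Software names and YARA rules").
MINER_STRINGS='btc\.com|ethminer|xmrig|cpuminer|randomx|stratum\+tcp|minerd|nicehash'

# Print "pid %cpu command" for every process at or above a CPU threshold (default 50).
# A second argument substitutes sample "pid pcpu args" lines for live ps(1) output.
# Note: ps %cpu is a lifetime average, so a freshly started miner may read low;
# cross-check with `top -b -n 1`.
list_hot_processes() {
  local threshold="${1:-50}" sample="${2:-}"
  if [ -n "$sample" ]; then
    printf '%s\n' "$sample"
  else
    ps -eo pid=,pcpu=,args= --sort=-pcpu
  fi | awk -v t="$threshold" '
    $2 + 0 >= t { pid = $1; cpu = $2; $1 = ""; $2 = ""; sub(/^ +/, ""); print pid, cpu, $0 }'
}

# Recursively grep regular files on one filesystem (-xdev) for miner indicators.
# -a searches binaries as text; -l prints only the matching paths.
scan_for_miner_strings() {
  local root="${1:-/}"
  find "$root" -xdev -type f -size -64M \
    -exec grep -laE "$MINER_STRINGS" {} + 2>/dev/null | sort -u
}

# Show the binary path and arguments of a pid from /proc: the same data the
# finding's "Program binary" and "Arguments" rows carry when the kernel is recognized.
describe_process() {
  local pid="${1:?pid required}"
  [ -d "/proc/$pid" ] || { echo "pid $pid not running" >&2; return 1; }
  printf 'exe: %s\n' "$(readlink "/proc/$pid/exe")"
  printf 'args: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
}

# Kill a confirmed miner and delete its binary, keeping a copy for analysis first.
# A miner that unlinked itself after starting exists only in /proc while it runs,
# and readlink then reports "<path> (deleted)", so copy before killing.
contain_miner() {
  local pid="${1:?pid required}" evidence="${2:-/root/ir-evidence}" exe
  exe=$(readlink "/proc/$pid/exe") || { echo "pid $pid not running" >&2; return 1; }
  mkdir -p "$evidence"
  cp "/proc/$pid/exe" "$evidence/$pid.bin"
  tr '\0' ' ' < "/proc/$pid/cmdline" > "$evidence/$pid.cmdline"
  kill -9 "$pid"
  case "$exe" in
    *' (deleted)') echo "binary already unlinked; copy kept at $evidence/$pid.bin" ;;
    *) rm -f -- "$exe" && echo "removed $exe (copy at $evidence/$pid.bin)" ;;
  esac
}

# Subcommands: hot [threshold] | scan [root] | describe PID | contain PID [evidence-dir]
# With no subcommand only the functions are defined, so the file can be sourced.
case "${1:-}" in
  hot)      list_hot_processes "${2:-50}" ;;
  scan)     scan_for_miner_strings "${2:-/}" ;;
  describe) describe_process "${2:-}" ;;
  contain)  contain_miner "${2:-}" "${3:-/root/ir-evidence}" ;;
esac
```

Typical order on the VM: `./miner_triage.sh hot` to list candidates, `./miner_triage.sh describe PID` to compare the path and arguments with the Program binary and Arguments rows of the finding, `./miner_triage.sh scan /` to find the binary and any config on disk, and only after confirming with the VM owner, `./miner_triage.sh contain PID`. The scan of `/` can take a while on a large disk; point it at `/tmp`, `/var/tmp`, `/dev/shm` and home directories first if you need a fast answer.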
What's next
Learn how to work with threat findings in Security Command Center.
Refer to the Threat findings index.
Learn how to review a finding through the Google Cloud console.
Learn about the services that generate threat findings.