This page describes how to view and manage VM Threat Detection findings. It also shows you how to enable or disable the service and its modules.
Overview
Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, provides threat detection through hypervisor-level instrumentation and persistent disk analysis. VM Threat Detection detects potentially malicious applications, such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments.
VM Threat Detection is part of Security Command Center Premium's threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.
For more information, see VM Threat Detection overview.
Costs
After you enroll in Security Command Center Premium, there is no additional cost to use VM Threat Detection.
Before you begin
To use this feature, you must be enrolled in Security Command Center Premium.
In addition, you need adequate Identity and Access Management (IAM) roles to view or edit findings, and modify Google Cloud resources. If you encounter access errors in Security Command Center, ask your administrator for assistance. To learn more about roles, see Access control.
Test VM Threat Detection
To test VM Threat Detection cryptocurrency mining detection, you can run a cryptocurrency mining application on your VM. For a list of binary names and YARA rules that trigger findings, see Software names and YARA rules. If you install and test mining applications, we recommended that you only run applications in an isolated test environment, closely monitor their use, and remove them completely after testing.
To test VM Threat Detection malware detection, you can download malware applications on your VM. If you download malware, we recommend that you do so in an isolated test environment, and remove them completely after testing.
Review findings in the Google Cloud console
To review VM Threat Detection findings in the Google Cloud console, do the following:
Go to the Security Command Center Findings page in the Google Cloud console.
If necessary, select your Google Cloud project or organization.
In the Quick filters section, in the Source display name subsection, select Virtual Machine Threat Detection.
If you don't see Virtual Machine Threat Detection, click View more. In the dialog, do a search for Virtual Machine Threat Detection.
To view details of a specific finding, click the finding name under Category. The details panel for the finding opens and displays the Summary tab.
On the Summary tab, review the information about the finding, including information about the binary that was detected, the resource that was affected, and more.
On the details panel, click the JSON tab to see the complete JSON for the finding.
For more detailed information about how to respond to each VM Threat Detection finding, see VM Threat Detection response.
For a list of VM Threat Detection findings, see Findings.
Severity
VM Threat Detection findings are assigned High, Medium, and Low severity based on the threat classification confidence.
Combined detections
Combined detections occur when multiple categories of findings are detected
within a day. The findings can be caused by one or more malicious
applications. For example, a single application can simultaneously trigger
Execution: Cryptocurrency Mining YARA Rule and Execution: Cryptocurrency
Mining Hash Match findings. However, all threats detected from a single source
within the same day are rolled into one combined detection finding. In the
following days, if more threats are found, even the same ones, they are
attached to new findings.
For an example of a combined detection finding, see Example finding formats.
Example finding formats
These JSON output examples contain fields common to VM Threat Detection findings. Each example shows only the fields relevant to the finding type; it doesn't provide an exhaustive list of fields.
You can export findings through the Security Command Center dashboard or list findings through the Security Command Center API.
To see the example findings, expand one or more of the following nodes. For
information about each field in the finding, see
Finding.
Field values—like YARA rule names—that VM Threat Detection uses during a Preview might change when the feature reaches General Availability.
Defense Evasion: RootkitPreview
This output example shows a finding of a known kernel-mode rootkit: Diamorphine.
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Rootkit",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {
"name": "Diamorphine",
"unexpected_kernel_code_pages": true,
"unexpected_system_call_handler": true
},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected ftrace handlerPreview
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected ftrace handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected interrupt handlerPreview
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected interrupt handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel code modificationPreview
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel code modification",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel modulesPreview
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel modules",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel read-only data modificationPreview
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel read-only data modification",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kprobe handlerPreview
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kprobe handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected processes in runqueuePreview
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected processes in runqueue",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected system call handlerPreview
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected system call handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining Combined
Detection
This output example shows a threat that was detected by both the
CRYPTOMINING_HASH and CRYPTOMINING_YARA modules.
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining Combined Detection",
"createTime": "2023-01-05T01:40:48.994Z",
"database": {},
"eventTime": "2023-01-05T01:39:36.876Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE1"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE9"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE10"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE25"
}
},
{
"memoryHashSignature": {
"binaryFamily": "XMRig",
"detections": [
{
"binary": "linux-x86-64_xmrig_6.12.2",
"percentPagesMatched": 1
}
]
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining Hash Match
Detection
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining Hash Match",
"createTime": "2023-01-05T01:40:48.994Z",
"database": {},
"eventTime": "2023-01-05T01:39:36.876Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"memoryHashSignature": {
"binaryFamily": "XMRig",
"detections": [
{
"binary": "linux-x86-64_xmrig_6.12.2",
"percentPagesMatched": 1
}
]
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining YARA Rule
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining YARA Rule",
"createTime": "2023-01-05T00:37:38.450Z",
"database": {},
"eventTime": "2023-01-05T01:12:48.828Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE9"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE10"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE25"
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Malware: Malicious file on disk (YARA)Preview
{
"findings": {
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Malware: Malicious file on disk (YARA)",
"createTime": "2023-01-05T00:37:38.450Z",
"eventTime": "2023-01-05T01:12:48.828Z",
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "M_Backdoor_REDSONJA_1"
},
"signatureType": "SIGNATURE_TYPE_FILE",
},
{
"yaraRuleSignature": {
"yaraRule": "M_Backdoor_REDSONJA_2"
},
"signatureType": "SIGNATURE_TYPE_FILE",
}
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"files": [
{
"diskPath": {
"partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539",
"relative_path": "RELATIVE_PATH"
},
"size": "21238",
"sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69",
"hashedSize": "21238"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Change the state of findings
When you resolve threats identified by VM Threat Detection, the service does not automatically set a finding's state to Inactive in subsequent scans. Due to the nature of our threat domain, VM Threat Detection can't determine if a threat is mitigated or has changed to avoid detection.
When your security teams are satisfied that a threat is mitigated, they can perform the following steps to change the state of findings to inactive.
Go to Security Command Center's Findings page in the Google Cloud console.
Next to View by, click Source Type.
In the Source type list, select Virtual Machine Threat Detection. A table populates with findings for the source type you selected.
Select the checkbox next to the findings that are resolved.
Click Change Active State.
Click Inactive.
Enable or disable VM Threat Detection
VM Threat Detection is enabled by default for all customers that enroll in Security Command Center Premium after July 15, 2022, which is when this service became generally available. If needed, you can disable or re-enable it manually for your project or organization.
When you enable VM Threat Detection on an organization or project, the service automatically scans all supported resources in that organization or project. Conversely, when you disable VM Threat Detection on an organization or project, the service stops scanning all supported resources in it.
To enable or disable VM Threat Detection, do the following:
Console
In the Google Cloud console, you can enable or disable VM Threat Detection through the Services tab on the Settings page.
For more information, see Enable or disable a built-in service.
cURL
Send a PATCH request:
curl -X PATCH -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
-H "Content-Type: application/json; charset=utf-8" \
-H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings \
-d '{"serviceEnablementState": "NEW_STATE"}'
Replace the following:
- X_GOOG_USER_PROJECT: the project to bill for access charges associated with VM Threat Detection scans.
- RESOURCE: the type of resource to be scanned (
organizationsorprojects). - RESOURCE_ID: the identifier of the organization or project you want to enable or disable VM Threat Detection on.
- NEW_STATE: the state you want VM Threat Detection to be in
(
ENABLEDorDISABLED).
gcloud
Run the following command:
gcloud alpha scc settings services ACTION --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION
Replace the following:
- ACTION: the action you want to take on the VM Threat Detection
service (
enableordisable). - RESOURCE: the type of resource you want to enable or disable
VM Threat Detection on (
organizationorproject). - RESOURCE_ID: the identifier of the organization or project you want to enable or disable VM Threat Detection on.
Enable or disable a VM Threat Detection module
To enable or disable an individual VM Threat Detection detector, also known as a module, do the following. It can take up to an hour for your changes to take effect.
For information about all VM Threat Detection threat findings and the modules that generate them, see the Threat findings table.
Console
cURL
To enable or disable a VM Threat Detection module on your organization or
project, send a PATCH request:
curl -X PATCH -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
-H "Content-Type: application/json; charset=utf-8" \
-H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings \
-d '{"modules": {"MODULE": {"module_enablement_state": "NEW_STATE"}}}'
Replace the following:
- X_GOOG_USER_PROJECT: the project being billed for access charges associated with VM Threat Detection scans.
- RESOURCE: the type of resource you want to enable or disable the
module on (
organizationsorprojects). - RESOURCE_ID: the ID of the organization or project you want to enable or disable the module on.
- MODULE: the module you want to enable or disable—for
example,
CRYPTOMINING_HASH. - NEW_STATE: the state you want the module to be in (
ENABLEDorDISABLED).
gcloud
To enable or disable a VM Threat Detection module on your organization or project, run the following command:
gcloud alpha scc settings services modules ACTION --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION --module MODULE
Replace the following:
- ACTION: the action you want to take on the module (
enableordisable). - RESOURCE: the type of resource you want to enable or disable the
module on (
organizationorproject). - RESOURCE_ID: the ID of the organization or project you want to enable or disable the module on.
- MODULE: the module you want to enable or disable—for
example,
CRYPTOMINING_HASH.
View the settings of the VM Threat Detection modules
For information about all VM Threat Detection threat findings and the modules that generate them, see the Threat findings table.
Console
cURL
Send a GET request:
curl -X GET -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
-H "Content-Type: application/json; charset=utf-8" \
-H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings:calculate
Replace the following:
- X_GOOG_USER_PROJECT: the project being billed for access charges associated with VM Threat Detection scans.
- RESOURCE: the type of resource for which you want to view the module settings.
- RESOURCE_ID: the ID of the organization or project for which you want to view the module settings.
gcloud
To view the settings for a single module, run the following command:
gcloud alpha scc settings services modules describe --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION --module MODULE
To view the settings for all modules, run the following command:
gcloud alpha scc settings services describe --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION
Replace the following:
- RESOURCE: the type of resource for which you want to view the
module settings (
organizationorproject). - RESOURCE_ID: the ID of the organization or project for which you want to view the module settings.
- MODULE: the module you want to view—for
example,
CRYPTOMINING_HASH.
Software names and YARA rules for cryptocurrency mining detection
The following lists include the names of binaries and YARA rules that trigger cryptocurrency mining findings. To see the lists, expand the nodes.
Execution: Cryptocurrency Mining Hash Match
- Arionum CPU miner: mining software for Arionum cryptocurrency
- Avermore: mining software for scrypt-based cryptocurrencies
- Beam CUDA miner: mining software for Equihash-based cryptocurrencies
- Beam OpenCL miner: mining software for Equihash-based cryptocurrencies
- BFGMiner: ASIC/FPGA-based mining software for Bitcoin
- BMiner: mining software for various cryptocurrencies
- Cast XMR: mining software for CryptoNight-based cryptocurrencies
- ccminer: CUDA-based mining software
- cgminer: ASIC/FPGA-based mining software for Bitcoin
- Claymore's miner: GPU-based mining software for various cryptocurrencies
- CPUMiner: family of CPU-based mining software
- CryptoDredge: family of mining software for CryptoDredge
- CryptoGoblin: mining software for CryptoNight-based cryptocurrencies
- DamoMiner: GPU-based mining software for Ethereum and other cryptocurrencies
- DigitsMiner: mining software for Digits
- EasyMiner: mining software for Bitcoin and other cryptocurrencies
- Ethminer: mining software for Ethereum and other cryptocurrencies
- EWBF: mining software for Equihash-based cryptocurrencies
- FinMiner: mining software for Ethash and CryptoNight-based cryptocurrencies
- Funakoshi Miner: mining software for Bitcoin-Gold cryptocurrencies
- Geth: mining software for Ethereum
- GMiner: mining software for various cryptocurrencies
- gominer: mining software for Decred
- GrinGoldMiner: mining software for Grin
- Hush: mining software for Zcash-based cryptocurrencies
- IxiMiner: mining software for Ixian
- kawpowminer: mining software for Ravencoin
- Komodo: family of mining software for Komodo
- lolMiner: mining software for various cryptocurrencies
- lukMiner: mining software for various cryptocurrencies
- MinerGate: mining software for various cryptocurrencies
- miniZ: mining software for Equihash-based cryptocurrencies
- Mirai: malware that can be used to mine cryptocurrencies
- MultiMiner: mining software for various cryptocurrencies
- nanominer: mining software for various cryptocurrencies
- NBMiner: mining software for various cryptocurrencies
- Nevermore: mining software for various cryptocurrencies
- nheqminer: mining software for NiceHash
- NinjaRig: mining software for Argon2-based cryptocurrencies
- NodeCore PoW CUDA Miner: mining software for VeriBlock
- NoncerPro: mining software for Nimiq
- Optiminer/Equihash: mining software for Equihash-based cryptocurrencies
- PascalCoin: family of mining software for PascalCoin
- PhoenixMiner: mining software for Ethereum
- Pooler CPU Miner: mining software for Litecoin and Bitcoin
- ProgPoW Miner: mining software for Ethereum and other cryptocurrencies
- rhminer: mining software for PascalCoin
- sgminer: mining software for scrypt-based cryptocurrencies
- simplecoin: family of mining software for scrypt-based SimpleCoin
- Skypool Nimiq Miner: mining software for Nimiq
- SwapReferenceMiner: mining software for Grin
- Team Red Miner: AMD-based mining software for various cryptocurrencies
- T-Rex: mining software for various cryptocurrencies
- TT-Miner: mining software for various cryptocurrencies
- Ubqminer: mining software for Ubqhash-based cryptocurrencies
- VersusCoin: mining software for VersusCoin
- violetminer: mining software for Argon2-based cryptocurrencies
- webchain-miner: mining software for MintMe
- WildRig: mining software for various cryptocurrencies
- XCASH_ALL_Miner: mining software for XCASH
- xFash: mining software for MinerGate
- XLArig: mining software for CryptoNight-based cryptocurrencies
- XMRig: mining software for various cryptocurrencies
- Xmr-Stak: mining software for CryptoNight-based cryptocurrencies
- XMR-Stak TurtleCoin: mining software for CryptoNight-based cryptocurrencies
- Xtl-Stak: mining software for CryptoNight-based cryptocurrencies
- Yam Miner: mining software for MinerGate
- YCash: mining software for YCash
- ZCoin: mining software for ZCoin/Fire
- Zealot/Enemy: mining software for various cryptocurrencies
- Cryptocurrency miner signal1
1 This generic threat name indicates that an unknown cryptocurrency miner might be operating in the VM, but VM Threat Detection does not have specific information about the miner.
Execution: Cryptocurrency Mining YARA Rule
- YARA_RULE1: matches mining software for Monero
- YARA_RULE9: matches mining software that uses the Blake2 and AES cipher
- YARA_RULE10: matches mining software that uses the CryptoNight proof-of-work routine
- YARA_RULE15: matches mining software for NBMiner
- YARA_RULE17: matches mining software that uses the Scrypt proof-of-work routine
- YARA_RULE18: matches mining software that uses the Scrypt proof-of-work routine
- YARA_RULE19: matches mining software for BFGMiner
- YARA_RULE24: matches mining software for XMR-Stak
- YARA_RULE25: matches mining software for XMRig
- DYNAMIC_YARA_RULE_BFGMINER_2: matches mining software for BFGMiner
What's next
- Learn more about VM Threat Detection.
- Learn how to investigate VM Threat Detection findings.