Use Virtual Machine Threat Detection

This page explains how to view and manage VM Threat Detection findings. It also shows how to enable or disable the service and its modules.

Overview

Virtual Machine Threat Detection is a built-in service of Security Command Center, available in the Enterprise and Premium tiers. The service scans Compute Engine instances to detect potentially malicious applications running in compromised cloud environments, such as cryptocurrency mining software, kernel-mode rootkits, and malware.

VM Threat Detection is part of the Security Command Center threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.

For more information, see the VM Threat Detection overview.

Costs

After you sign up for Security Command Center Premium, there is no additional charge for using VM Threat Detection.

Before you begin

To use this feature, you must be signed up for Security Command Center Premium.

You also need sufficient Identity and Access Management (IAM) roles to view or edit findings and to modify Google Cloud resources. If you encounter access errors in Security Command Center, ask your administrator for help. For more information about roles, see Access control.

Test VM Threat Detection

To test the cryptocurrency mining detection capability of VM Threat Detection, you can run a cryptocurrency mining application on a VM. For a list of the binary names and YARA rules that trigger findings, see Software names and YARA rules. If you install and test mining applications, we recommend running them only in an isolated test environment, monitoring their use closely, and removing them completely after testing.

To test the malware detection capability of VM Threat Detection, you can download a malware application onto a VM. If you download malware, we recommend doing so in an isolated test environment and removing it completely after testing.

View findings in the Google Cloud console

To view VM Threat Detection findings in the Google Cloud console, do the following:

  1. In the Google Cloud console, go to the Findings page of Security Command Center.

    Go to the Findings page

  2. Select your Google Cloud project or organization.
  3. In the Source display name subsection of the Quick filters section, select Virtual Machine Threat Detection. The findings query results update to show only findings from this source.
  4. To view the details of a specific finding, click the finding name in the Category column. The finding's details panel opens and shows the Summary tab.
  5. On the Summary tab, review the finding's details, including information about what was detected, the affected resource, and any remediation steps you can take for the finding (if available).
  6. Optional: To view the finding's complete JSON definition, click the JSON tab.

For details on how to respond to each VM Threat Detection finding, see VM Threat Detection response.

For a list of VM Threat Detection findings, see Findings.

Severity

The severity of a VM Threat Detection finding is classified, according to the confidence of the threat classification, into

Combined detection

A combined detection occurs when findings of multiple categories are detected within a single day. The findings may be caused by one or more malicious applications. For example, a single application can trigger both the Execution: Cryptocurrency Mining YARA Rule and Execution: Cryptocurrency Mining Hash Match findings. However, all threats detected from a single source on that day are aggregated into one combined detection finding. On subsequent days, if more threats are found (even the same threats), they are attached to a new finding.

For an example of a combined detection finding, see Finding format examples.

Finding format examples

The following example JSON outputs contain fields commonly found in VM Threat Detection findings. Each example shows only the fields relevant to its finding type, not the complete list of fields.

You can export findings through the Security Command Center console, or list them through the Security Command Center API.

To view example findings, expand one or more of the following nodes. For a description of each field in a finding, see Finding.

Defense Evasion: Rootkit

The following example output shows a known kernel-mode rootkit, Diamorphine.

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Rootkit",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {
      "name": "Diamorphine",
      "unexpected_kernel_code_pages": true,
      "unexpected_system_call_handler": true
    },
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
      

Defense Evasion: Unexpected ftrace handler (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected ftrace handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected interrupt handler (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected interrupt handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected kernel code modification (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kernel code modification",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected kernel modules (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kernel modules",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected kernel read-only data modification (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kernel read-only data modification",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected kprobe handler (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kprobe handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected processes in runqueue (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected processes in runqueue",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected system call handler (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected system call handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Execution: Cryptocurrency Mining Combined Detection

The following example output shows a threat detected by both the CRYPTOMINING_HASH and CRYPTOMINING_YARA modules.

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining Combined Detection",
    "createTime": "2023-01-05T01:40:48.994Z",
    "database": {},
    "eventTime": "2023-01-05T01:39:36.876Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE1"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE9"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE10"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE25"
          }
        },
        {
          "memoryHashSignature": {
            "binaryFamily": "XMRig",
            "detections": [
              {
                "binary": "linux-x86-64_xmrig_6.12.2",
                "percentPagesMatched": 1
              }
            ]
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "BINARY_PATH"
        },
        "script": {},
        "args": [
          "./miner",
          ""
        ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
    

Execution: Cryptocurrency Mining Hash Match Detection

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining Hash Match",
    "createTime": "2023-01-05T01:40:48.994Z",
    "database": {},
    "eventTime": "2023-01-05T01:39:36.876Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "memoryHashSignature": {
            "binaryFamily": "XMRig",
            "detections": [
              {
                "binary": "linux-x86-64_xmrig_6.12.2",
                "percentPagesMatched": 1
              }
            ]
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "BINARY_PATH"
        },
        "script": {},
        "args": [
          "./miner",
          ""
        ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
    

Execution: Cryptocurrency Mining YARA Rule

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining YARA Rule",
    "createTime": "2023-01-05T00:37:38.450Z",
    "database": {},
    "eventTime": "2023-01-05T01:12:48.828Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE9"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE10"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE25"
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "BINARY_PATH"
        },
        "script": {},
        "args": [
          "./miner",
          ""
        ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
    

Malware: Malicious file on disk (YARA)

{
  "findings": {
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Malware: Malicious file on disk (YARA)",
    "createTime": "2023-01-05T00:37:38.450Z",
    "eventTime": "2023-01-05T01:12:48.828Z",
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "yaraRuleSignature": {
            "yaraRule": "M_Backdoor_REDSONJA_4"
          },
          "signatureType": "SIGNATURE_TYPE_FILE"
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "M_Backdoor_REDSONJA_3"
          },
          "signatureType": "SIGNATURE_TYPE_FILE"
        }
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "files": [
      {
        "diskPath": {
          "partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539",
          "relative_path": "RELATIVE_PATH"
        },
        "size": "21238",
        "sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69",
        "hashedSize": "21238"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
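The finding shapes above share a handful of fields that matter at triage time: indicator.signatures (YARA rule names and memory-hash families), kernelRootkit (the rootkit name plus the integrity checks that fired), processes and files. The following helper, an added example rather than Google's code, extracts those fields from exported finding JSON; the sample findings it embeds are constructed, trimmed copies of the page's examples with the placeholders kept.

```python
"""Triage helper for VM Threat Detection findings.

Added example, not Google's code: it parses the exported finding JSON shapes
shown above and pulls out the fields an analyst acts on.  The sample findings
below are constructed, trimmed copies of the page's examples.
"""
import json
from dataclasses import dataclass, field


@dataclass
class TriageSummary:
    category: str
    severity: str
    instance: str                       # Compute Engine resourceName
    yara_rules: list = field(default_factory=list)
    hash_matches: list = field(default_factory=list)   # (family, binary, pct)
    rootkit: dict = field(default_factory=dict)        # name + fired checks
    processes: list = field(default_factory=list)      # (name, pid, ppid, path)
    files: list = field(default_factory=list)          # (relative_path, sha256)

    def is_combined(self) -> bool:
        """Combined detections carry both YARA and memory-hash signatures."""
        return bool(self.yara_rules) and bool(self.hash_matches)


def summarize_finding(doc: dict) -> TriageSummary:
    """Extract triage-relevant fields from one exported VMTD finding."""
    f = doc["findings"]
    s = TriageSummary(
        category=f["category"],
        severity=f.get("severity", "SEVERITY_UNSPECIFIED"),
        instance=f.get("resourceName", ""),
    )
    # indicator.signatures holds one entry per YARA rule or memory-hash hit.
    for sig in f.get("indicator", {}).get("signatures", []):
        if "yaraRuleSignature" in sig:
            s.yara_rules.append(sig["yaraRuleSignature"]["yaraRule"])
        if "memoryHashSignature" in sig:
            mh = sig["memoryHashSignature"]
            for d in mh.get("detections", []):
                s.hash_matches.append(
                    (mh.get("binaryFamily"), d.get("binary"), d.get("percentPagesMatched")))
    # kernelRootkit names the rootkit and flags which integrity checks fired.
    rk = f.get("kernelRootkit") or {}
    s.rootkit = {k: v for k, v in rk.items() if v is True}
    if rk.get("name"):
        s.rootkit["name"] = rk["name"]
    for p in f.get("processes", []):
        s.processes.append((p.get("name"), p.get("pid"), p.get("parentPid"),
                            p.get("binary", {}).get("path")))
    for fl in f.get("files", []):
        s.files.append((fl.get("diskPath", {}).get("relative_path"), fl.get("sha256")))
    return s


def summarize_export(text: str) -> list:
    """Accept a single finding object or a JSON array of them, as exported."""
    data = json.loads(text)
    docs = data if isinstance(data, list) else [data]
    return [summarize_finding(d) for d in docs if "findings" in d]


# Constructed samples, trimmed from the page's examples (placeholders kept).
COMBINED = {"findings": {
    "category": "Execution: Cryptocurrency Mining Combined Detection",
    "severity": "HIGH",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "indicator": {"signatures": [
        {"yaraRuleSignature": {"yaraRule": "YARA_RULE1"}},
        {"yaraRuleSignature": {"yaraRule": "YARA_RULE9"}},
        {"memoryHashSignature": {"binaryFamily": "XMRig", "detections": [
            {"binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1}]}},
    ]},
    "kernelRootkit": {},
    "processes": [{"binary": {"path": "BINARY_PATH"}, "args": ["./miner", ""],
                   "pid": "123", "parentPid": "456", "name": "miner"}],
}}

ROOTKIT = {"findings": {
    "category": "Defense Evasion: Rootkit",
    "severity": "HIGH",
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "indicator": {},
    "kernelRootkit": {"name": "Diamorphine",
                      "unexpected_kernel_code_pages": True,
                      "unexpected_system_call_handler": True},
    "processes": [],
}}

if __name__ == "__main__":
    for s in summarize_export(json.dumps([COMBINED, ROOTKIT])):
        print(s.category, s.severity, "combined" if s.is_combined() else "",
              s.yara_rules, s.hash_matches, s.rootkit, s.processes)
```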
    

Change the state of a finding

After you resolve a threat identified by VM Threat Detection, the service does not automatically set the finding's state to inactive on subsequent scans. Because of the nature of the threat domain, VM Threat Detection cannot determine whether a threat has been mitigated or has changed in order to evade detection.

When your security team considers a threat mitigated, they can follow these steps to change the finding's state to inactive.

  1. In the Google Cloud console, go to the Findings page of Security Command Center.

    Go to the Findings page

  2. Next to View by, click Source type.

  3. In the Source type list, select Virtual Machine Threat Detection. The table is populated with findings for the selected source type.

  4. Select the checkbox next to the resolved finding.

  5. Click Change active state.

  6. Click Inactive.

Enable or disable VM Threat Detection

VM Threat Detection is enabled by default for all customers who signed up for Security Command Center Premium after July 15, 2022, the date the service became generally available. If needed, you can manually disable or re-enable the service for a project or organization.

If you enable VM Threat Detection for an organization or project, the service automatically scans all supported resources in that organization or project. Conversely, when you disable VM Threat Detection for an organization or project, the service stops scanning all supported resources in it.

To enable or disable VM Threat Detection, do the following:

Console

  1. In the Google Cloud console, go to the Virtual Machine Threat Detection Service Enablement page.

    Go to the Service Enablement page

  2. In the Virtual Machine Threat Detection column, select the current state, and then select one of the following:

    • Enable: enables VM Threat Detection
    • Disable: disables VM Threat Detection
    • Inherit: inherits the enablement state from the parent folder or organization; only applicable to projects and folders

gcloud

The gcloud scc manage services update command updates the state of a Security Command Center service or module.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: the type of resource to update (organization, folder, or project)
  • RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID
  • NEW_STATE: ENABLED to enable VM Threat Detection; DISABLED to disable VM Threat Detection; INHERITED to inherit the enablement state of the parent resource (only applicable to projects and folders)

Run the gcloud scc manage services update command:

Linux, macOS, or Cloud Shell

gcloud scc manage services update vm-threat-detection \
    --RESOURCE_TYPE=RESOURCE_ID \
    --enablement-state=NEW_STATE

Windows (PowerShell)

gcloud scc manage services update vm-threat-detection `
    --RESOURCE_TYPE=RESOURCE_ID `
    --enablement-state=NEW_STATE

Windows (cmd.exe)

gcloud scc manage services update vm-threat-detection ^
    --RESOURCE_TYPE=RESOURCE_ID ^
    --enablement-state=NEW_STATE

You should receive a response similar to the following:

effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'

REST

The RESOURCE_TYPE.locations.securityCenterServices.patch method of the Security Command Center Management API updates the state of a Security Command Center service or module.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: the type of resource to update (organizations, folders, or projects)
  • QUOTA_PROJECT: the project ID to use for billing and quota tracking
  • RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID
  • NEW_STATE: ENABLED to enable VM Threat Detection; DISABLED to disable VM Threat Detection; INHERITED to inherit the enablement state of the parent resource (only applicable to projects and folders)

HTTP method and URL:

PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=intendedEnablementState

Request JSON body:

{
  "intendedEnablementState": "NEW_STATE"
}


You should receive a JSON response similar to the following:

{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_MEMORY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_INTEGRITY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": {
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}

Enable or disable VM Threat Detection modules

To enable or disable an individual VM Threat Detection detector (also called a module), do the following. Your changes can take up to 1 hour to take effect.

For all VM Threat Detection threat findings and the modules that generate them, see Threat findings.

Console

In the Google Cloud console, you can enable or disable VM Threat Detection modules at the organization level. To enable or disable VM Threat Detection modules at the folder or project level, use the gcloud CLI or the REST API.

  1. In the Google Cloud console, go to the Virtual Machine Threat Detection Modules page.

    Go to Modules

  2. In the Status column, select the current state of the module that you want to enable or disable, and then select one of the following:

    • Enable: enables the module.
    • Disable: disables the module.
gcloud

The gcloud scc manage services update command updates the state of a Security Command Center service or module.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: the type of resource to update (organization, folder, or project)
  • RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID
  • MODULE_NAME: the name of the module to enable or disable; for valid values, see Threat findings
  • NEW_STATE: ENABLED to enable the module; DISABLED to disable the module; INHERITED to inherit the enablement state of the parent resource (projects and folders only)

Save the following in a file named request.json:

{
  "MODULE_NAME": {
    "intendedEnablementState": "NEW_STATE"
  }
}

Execute the gcloud scc manage services update command:

Linux, macOS, or Cloud Shell

gcloud scc manage services update vm-threat-detection \
    --RESOURCE_TYPE=RESOURCE_ID \
    --enablement-state=ENABLED \
    --module-config-file=request.json

Windows (PowerShell)

gcloud scc manage services update vm-threat-detection `
    --RESOURCE_TYPE=RESOURCE_ID `
    --enablement-state=ENABLED `
    --module-config-file=request.json

Windows (cmd.exe)

gcloud scc manage services update vm-threat-detection ^
    --RESOURCE_TYPE=RESOURCE_ID ^
    --enablement-state=ENABLED ^
    --module-config-file=request.json

You should receive a response similar to the following:

effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'

REST

The RESOURCE_TYPE.locations.securityCenterServices.patch method of the Security Command Center Management API updates the state of a Security Command Center service or module.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: the type of resource to update (organizations, folders, or projects)
  • QUOTA_PROJECT: the project ID to use for billing and quota tracking
  • RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID
  • MODULE_NAME: the name of the module to enable or disable; for valid values, see Threat findings
  • NEW_STATE: ENABLED to enable the module; DISABLED to disable the module; INHERITED to inherit the enablement state of the parent resource (projects and folders only)

HTTP method and URL:

PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=modules

Request JSON body:

{
  "modules": {
    "MODULE_NAME": {
      "intendedEnablementState": "NEW_STATE"
    }
  }
}

You should receive a JSON response similar to the following:

{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_MEMORY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_INTEGRITY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": {
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}

View the settings of VM Threat Detection modules

For all VM Threat Detection threat findings and the modules that generate them, see the Threat findings table.

Console

In the Google Cloud console, you can view the settings of VM Threat Detection modules at the organization level. To view the settings of VM Threat Detection modules at the folder or project level, use the gcloud CLI or the REST API.

To view the settings in the Google Cloud console, go to the Virtual Machine Threat Detection Modules page.

Go to Modules

gcloud

The gcloud scc manage services describe command gets the state of a Security Command Center service and its modules.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: the type of resource to get (organization, folder, or project)
  • RESOURCE_ID: the numeric identifier of the organization, folder, or project to get; for projects, you can also use the alphanumeric project ID

Execute the gcloud scc manage services describe command:

Linux, macOS, or Cloud Shell

gcloud scc manage services describe vm-threat-detection \
    --RESOURCE_TYPE=RESOURCE_ID

Windows (PowerShell)

gcloud scc manage services describe vm-threat-detection `
    --RESOURCE_TYPE=RESOURCE_ID

Windows (cmd.exe)

gcloud scc manage services describe vm-threat-detection ^
    --RESOURCE_TYPE=RESOURCE_ID

You should receive a response similar to the following:

effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'

REST

The RESOURCE_TYPE.locations.securityCenterServices.get method of the Security Command Center Management API gets the state of a Security Command Center service and its modules.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: the type of resource to get (organizations, folders, or projects)
  • QUOTA_PROJECT: the project ID to use for billing and quota tracking
  • RESOURCE_ID: the numeric identifier of the organization, folder, or project to get; for projects, you can also use the alphanumeric project ID

HTTP method and URL:

GET https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection

You should receive a JSON response similar to the following:

{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_MEMORY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_INTEGRITY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": {
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}
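As an added example that is not Google's code or client library, the following Python helper covers the REST calls in the sections above: it builds the service-level or module-level PATCH (choosing the updateMask the page documents), sends it, and audits a get or patch response for modules that are not effectively enabled. The function names, the constructed SAMPLE_RESPONSE, and the use of the x-goog-user-project header to carry QUOTA_PROJECT are my own assumptions, not taken from this page.

```python
import json
import urllib.request

API = ("https://securitycentermanagement.googleapis.com/v1/{rtype}/{rid}"
       "/locations/global/securityCenterServices/vm-threat-detection")
RESOURCE_TYPES = ("organizations", "folders", "projects")
STATES = ("ENABLED", "DISABLED", "INHERITED")

# Constructed sample modelled on the responses on this page, with one
# module switched off so that the audit below has something to report.
SAMPLE_RESPONSE = {"effectiveEnablementState": "ENABLED", "modules": {
    "CRYPTOMINING_YARA": {"effectiveEnablementState": "ENABLED"},
    "CRYPTOMINING_HASH": {"intendedEnablementState": "DISABLED",
                          "effectiveEnablementState": "DISABLED"},
    "KERNEL_MEMORY_TAMPERING": {"effectiveEnablementState": "ENABLED"}}}

def build_patch(rtype, rid, state=None, modules=None):
    """Return (url, body) for the PATCH. Service state travels under
    updateMask=intendedEnablementState, module states under updateMask=modules
    (comma-joined when both are set). INHERITED is rejected for organizations."""
    if rtype not in RESOURCE_TYPES:
        raise ValueError(f"resource type must be one of {RESOURCE_TYPES}")
    body, mask = {}, []
    if state is not None:
        if state not in STATES or (state == "INHERITED" and rtype == "organizations"):
            raise ValueError(f"state {state!r} is not valid for {rtype}")
        body["intendedEnablementState"], mask = state, ["intendedEnablementState"]
    if modules:
        if any(s not in STATES for s in modules.values()):
            raise ValueError(f"module states must be one of {STATES}")
        body["modules"] = {n: {"intendedEnablementState": s} for n, s in modules.items()}
        mask.append("modules")
    if not mask:
        raise ValueError("nothing to update")
    return API.format(rtype=rtype, rid=rid) + "?updateMask=" + ",".join(mask), body

def send(url, body, token, quota_project, method="PATCH"):
    """Send the request with an OAuth access token (e.g. from
    `gcloud auth print-access-token`); x-goog-user-project carries QUOTA_PROJECT."""
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode() if body else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json",
                 "x-goog-user-project": quota_project})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def modules_not_enabled(response):
    """Audit a get/patch response: modules whose effective state is not ENABLED."""
    return sorted(n for n, m in response.get("modules", {}).items()
                  if m.get("effectiveEnablementState") != "ENABLED")
```

Use send(url, None, token, quota_project, method="GET") with the URL minus its query string to perform the get call, then pass the result to modules_not_enabled to spot coverage gaps after a change has had time to propagate.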

Software names and YARA rules used to detect cryptocurrency mining

The following lists contain the names of the binaries and YARA rules that trigger cryptocurrency mining findings.

Execution: Cryptocurrency Mining Hash Match

  • Arionum CPU Miner: mining software for the Arionum cryptocurrency
  • Avermore: mining software for Scrypt-based cryptocurrencies
  • Beam CUDA Miner: mining software for Equihash-based cryptocurrencies
  • Beam OpenCL Miner: mining software for Equihash-based cryptocurrencies
  • BFGMiner: ASIC/FPGA mining software for Bitcoin
  • BMiner: mining software for various cryptocurrencies
  • Cast XMR: mining software for CryptoNight-based cryptocurrencies
  • ccminer: CUDA-based mining software
  • cgminer: ASIC/FPGA mining software for Bitcoin
  • Claymore's Miner: GPU-based mining software for various cryptocurrencies
  • CPUMiner: family of CPU-based mining software
  • CryptoDredge: family of mining software for CryptoDredge
  • CryptoGoblin: mining software for CryptoNight-based cryptocurrencies
  • DamoMiner: GPU-based mining software for Ethereum and other cryptocurrencies
  • DigitsMiner: mining software for Digits
  • EasyMiner: mining software for Bitcoin and other cryptocurrencies
  • Ethminer: mining software for Ethereum and other cryptocurrencies
  • EWBF: mining software for Equihash-based cryptocurrencies
  • FinMiner: mining software for Ethash- and CryptoNight-based cryptocurrencies
  • Funakoshi Miner: mining software for the Bitcoin-Gold cryptocurrency
  • Geth: mining software for Ethereum
  • GMiner: mining software for various cryptocurrencies
  • gominer: mining software for Decred
  • GrinGoldMiner: mining software for Grin
  • Hush: mining software for Zcash-based cryptocurrencies
  • IxiMiner: mining software for Ixian
  • kawpowminer: mining software for Ravencoin
  • Komodo: family of mining software for Komodo
  • lolMiner: mining software for various cryptocurrencies
  • lukMiner: mining software for various cryptocurrencies
  • MinerGate: mining software for various cryptocurrencies
  • miniZ: mining software for Equihash-based cryptocurrencies
  • Mirai: malware that can be used to mine cryptocurrency
  • MultiMiner: mining software for various cryptocurrencies
  • nanominer: mining software for various cryptocurrencies
  • NBMiner: mining software for various cryptocurrencies
  • Nevermore: mining software for various cryptocurrencies
  • nheqminer: mining software for NiceHash
  • NinjaRig: mining software for Argon2-based cryptocurrencies
  • NodeCore PoW CUDA Miner: mining software for VeriBlock
  • NoncerPro: mining software for Nimiq
  • Optiminer/Equihash: mining software for Equihash-based cryptocurrencies
  • PascalCoin: family of mining software for PascalCoin
  • PhoenixMiner: mining software for Ethereum
  • Pooler CPU Miner: mining software for Litecoin and Bitcoin
  • ProgPoW Miner: mining software for Ethereum and other cryptocurrencies
  • rhminer: mining software for PascalCoin
  • sgminer: mining software for scrypt-based cryptocurrencies
  • simplecoin: family of mining software for the scrypt-based SimpleCoin
  • Skypool Nimiq Miner: mining software for Nimiq
  • SwapReferenceMiner: mining software for Grin
  • Team Red Miner: AMD-based mining software for various cryptocurrencies
  • T-Rex: mining software for various cryptocurrencies
  • TT-Miner: mining software for various cryptocurrencies
  • Ubqminer: mining software for Ubqhash-based cryptocurrencies
  • VersusCoin: mining software for VersusCoin
  • violetminer: mining software for Argon2-based cryptocurrencies
  • webchain-miner: mining software for MintMe
  • WildRig: mining software for various cryptocurrencies
  • XCASH_ALL_Miner: mining software for XCASH
  • xFash: mining software for MinerGate
  • XLArig: mining software for CryptoNight-based cryptocurrencies
  • XMRig: mining software for various cryptocurrencies
  • Xmr-Stak: mining software for CryptoNight-based cryptocurrencies
  • XMR-Stak TurtleCoin: mining software for CryptoNight-based cryptocurrencies
  • Xtl-Stak: mining software for CryptoNight-based cryptocurrencies
  • Yam Miner: mining software for MinerGate
  • YCash: mining software for YCash
  • ZCoin: mining software for ZCoin/Fire
  • Zealot/Enemy: mining software for various cryptocurrencies
  • Cryptocurrency miner signal¹

¹ This generic threat name indicates that an unknown cryptocurrency miner may be running in the VM, but VM Threat Detection has no specific information about that miner.

Execution: Cryptocurrency Mining YARA Rule

  • YARA_RULE1: matches mining software that targets Monero
  • YARA_RULE9: matches mining software that uses Blake2 and AES encryption
  • YARA_RULE10: matches mining software that uses the CryptoNight proof-of-work routine
  • YARA_RULE15: matches NBMiner mining software
  • YARA_RULE17: matches mining software that uses the Scrypt proof-of-work routine
  • YARA_RULE18: matches mining software that uses the Scrypt proof-of-work routine
  • YARA_RULE19: matches BFGMiner mining software
  • YARA_RULE24: matches XMR-Stak mining software
  • YARA_RULE25: matches XMRig mining software
  • DYNAMIC_YARA_RULE_BFGMINER_2: matches BFGMiner mining software

What's next