本页面介绍了如何查看和管理 VM Threat Detection 发现结果。此外还展示了如何启用或停用相关服务及其模块。
概览
Virtual Machine Threat Detection 是 Security Command Center 的一项内置服务,在 Enterprise 和 Premium 层级提供。此服务会扫描 Compute Engine 实例,以检测在遭到破解的云环境中运行的潜在恶意应用,例如加密货币挖矿软件、内核模式 rootkit 和恶意软件。
VM Threat Detection 是 Security Command Center 威胁检测套件的一部分,旨在补充 Event Threat Detection 和 Container Threat Detection 的现有功能。
如需了解详情,请参阅 VM Threat Detection 概览。
费用
注册 Security Command Center Premium 后,使用 VM Threat Detection 无需额外费用。
准备工作
如需使用此功能,您必须注册 Security Command Center Premium。
此外,您需要足够的 Identity and Access Management (IAM) 角色才能查看或修改发现结果以及修改 Google Cloud 资源。如果您在 Security Command Center 中遇到访问错误,请让您的管理员寻求帮助。如需详细了解角色,请参阅访问权限控制。
测试 VM Threat Detection
如需测试 VM Threat Detection 加密货币挖矿检测功能,您可以在虚拟机上运行加密货币挖矿应用。如需查看触发发现结果的二进制文件名称和 YARA 规则的列表,请参阅软件名称和 YARA 规则。如果您安装和测试挖矿应用,建议您仅在隔离的测试环境中运行这些应用,密切监控其使用情况,并在测试后完全移除这些应用。
如需测试 VM Threat Detection 恶意软件检测功能,您可以在虚拟机上下载恶意软件应用。如果您下载恶意软件,建议您在隔离的测试环境中下载,并在测试后完全移除这些软件。
在 Google Cloud 控制台中查看发现结果
如需在 Google Cloud 控制台中查看 VM Threat Detection 发现结果,请执行以下操作:
- 在 Google Cloud 控制台中,前往 Security Command Center 的发现结果页面。
- 选择您的 Google Cloud 项目或组织。
- 在快速过滤条件部分的来源显示名称子部分中,选择 Virtual Machine Threat Detection。发现结果的查询结果会更新为仅显示此来源的发现结果。
- 如需查看特定发现结果的详细信息,请点击类别列中的发现结果名称。 系统会打开发现结果的详细信息面板,并显示摘要标签页。
- 在摘要标签页上,查看发现结果的详细信息,包括有关检测到的内容、受影响的资源的信息,以及您可以采取的发现结果修复步骤(如果有)。
- 可选:如需查看发现结果的完整 JSON 定义,请点击 JSON 标签页。
如需详细了解如何对每个 VM Threat Detection 发现结果做出相应的响应,请参阅 VM Threat Detection 响应。
如需查看 VM Threat Detection 发现结果列表,请参阅发现结果。
严重程度
VM Threat Detection 发现结果的严重程度会根据威胁分类置信度分为高、中和低。
组合检测
如果在一天内检测到多个类别的发现结果,就会进行组合检测。发现结果可能是由一个或多个恶意应用导致的。例如,单个应用可以同时触发 Execution: Cryptocurrency Mining YARA Rule
和 Execution: Cryptocurrency
Mining Hash Match
发现结果。但是,在当天从单个来源检测到的所有威胁都会汇总到一个组合检测发现结果中。在接下来的几天,如果发现更多威胁(即使是相同的威胁),则会附加到新发现结果。
如需查看组合检测发现结果的示例,请参阅发现结果格式示例。
发现结果格式示例
以下 JSON 输出示例包含 VM Threat Detection 发现结果中常见的字段。每个示例仅显示与发现类型相关的字段,而不会提供完整的字段列表。
您可以通过 Security Command Center 控制台导出发现结果,也可以通过 Security Command Center API 列出发现结果。
如需查看示例发现结果,请展开以下一个或多个节点。如需了解相应发现结果中的每个字段,请参阅 Finding
。
Defense Evasion: Rootkit
以下输出示例显示了已知内核模式的根木马:Diamorphine。
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Rootkit", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": { "name": "Diamorphine", "unexpected_kernel_code_pages": true, "unexpected_system_call_handler": true }, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected ftrace handler
(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected ftrace handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected interrupt handler
(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected interrupt handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected kernel code modification
(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected kernel code modification", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected kernel modules
(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected kernel modules", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected kernel read-only data modification
(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected kernel read-only data modification", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected kprobe handler
(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected kprobe handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected processes in runqueue
(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected processes in runqueue", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected system call handler
(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected system call handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Execution: Cryptocurrency Mining Combined
Detection
以下输出示例显示了 CRYPTOMINING_HASH
和 CRYPTOMINING_YARA
模块都检测到的威胁。
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Cryptocurrency Mining Combined Detection", "createTime": "2023-01-05T01:40:48.994Z", "database": {}, "eventTime": "2023-01-05T01:39:36.876Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "yaraRuleSignature": { "yaraRule": "YARA_RULE1" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE9" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE10" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE25" } }, { "memoryHashSignature": { "binaryFamily": "XMRig", "detections": [ { "binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1 } ] } } ] }, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [ { "binary": { "path": "BINARY_PATH" }, "script": {}, "args": [ "./miner", "" ], "pid": "123", "parentPid": "456", "name": "miner" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Execution: Cryptocurrency Mining Hash Match
Detection
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Cryptocurrency Mining Hash Match", "createTime": "2023-01-05T01:40:48.994Z", "database": {}, "eventTime": "2023-01-05T01:39:36.876Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "memoryHashSignature": { "binaryFamily": "XMRig", "detections": [ { "binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1 } ] } } ] }, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [ { "binary": { "path": "BINARY_PATH" }, "script": {}, "args": [ "./miner", "" ], "pid": "123", "parentPid": "456", "name": "miner" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Execution: Cryptocurrency Mining YARA Rule
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Cryptocurrency Mining YARA Rule", "createTime": "2023-01-05T00:37:38.450Z", "database": {}, "eventTime": "2023-01-05T01:12:48.828Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "yaraRuleSignature": { "yaraRule": "YARA_RULE9" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE10" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE25" } } ] }, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [ { "binary": { "path": "BINARY_PATH" }, "script": {}, "args": [ "./miner", "" ], "pid": "123", "parentPid": "456", "name": "miner" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Malware: Malicious file on disk (YARA)
{ "findings": { "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Malware: Malicious file on disk (YARA)", "createTime": "2023-01-05T00:37:38.450Z", "eventTime": "2023-01-05T01:12:48.828Z", "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "yaraRuleSignature": { "yaraRule": "M_Backdoor_REDSONJA_4" }, "signatureType": "SIGNATURE_TYPE_FILE", }, { "yaraRuleSignature": { "yaraRule": "M_Backdoor_REDSONJA_3" }, "signatureType": "SIGNATURE_TYPE_FILE", } ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "files": [ { "diskPath": { "partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539", "relative_path": "RELATIVE_PATH" }, "size": "21238", "sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69", "hashedSize": "21238" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
更改发现结果的状态
解决了由 VM Threat Detection 识别出的威胁后,该服务不会在后续扫描中自动将发现结果状态设置为非活跃。由于我们的威胁网域的性质,VM Threat Detection 无法确定威胁是否已被缓解或发生变化,以免被检测出。
当安全团队认为威胁得到缓解时,可以执行以下步骤,将发现结果状态更改为非活跃。
在 Google Cloud 控制台中,进入 Security Command Center 的发现结果页面。
在查看方式旁边,点击来源类型。
在来源类型列表中,选择 Virtual Machine Threat Detection。系统会根据所选来源类型在表中填充发现结果。
选中已解决的发现结果旁边的复选框。
点击更改活跃状态。
点击无效。
启用或停用 VM Threat Detection
VM Threat Detection 对 2022 年 7 月 15 日(此服务正式发布的时间)之后注册 Security Command Center Premium 的所有客户默认启用。如果需要,您可以为项目或组织手动停用或重新启用此服务。
如果您在组织或项目中启用 VM Threat Detection,该服务会自动扫描该组织或项目中的所有受支持的资源。相反,当您对组织或项目停用 VM Threat Detection 时,此服务会停止扫描其中所有支持的资源。
如需启用或停用 VM Threat Detection,请执行以下操作:
控制台
在 Google Cloud 控制台中,前往 Virtual Machine Threat Detection Service Enablement 页面。
在 Virtual Machine Threat Detection 列中,选择当前状态,然后选择以下任一选项:
- 启用:启用 VM Threat Detection
- 停用:停用 VM Threat Detection
- 继承:从父级文件夹或组织继承启用状态;仅适用于项目和文件夹
gcloud
gcloud scc manage services update
命令用于更新 Security Command Center 服务或模块的状态。
在使用下面的命令数据之前,请先进行以下替换:
-
RESOURCE_TYPE
:要更新的资源类型(organization
、folder
或project
) -
RESOURCE_ID
:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID -
NEW_STATE
:ENABLED
表示启用 VM Threat Detection;DISABLED
表示停用 VM Threat Detection;INHERITED
表示继承父级资源的启用状态(仅适用于项目和文件夹)
执行 gcloud scc manage services update
命令:
Linux、macOS 或 Cloud Shell
gcloud scc manage services update vm-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID \ --enablement-state=NEW_STATE
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID ` --enablement-state=NEW_STATE
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID ^ --enablement-state=NEW_STATE
您应该会收到类似如下所示的响应:
effectiveEnablementState: ENABLED modules: CRYPTOMINING_HASH: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CRYPTOMINING_YARA: effectiveEnablementState: ENABLED KERNEL_INTEGRITY_TAMPERING: effectiveEnablementState: ENABLED KERNEL_MEMORY_TAMPERING: effectiveEnablementState: ENABLED MALWARE_DISK_SCAN_YARA: effectiveEnablementState: ENABLED name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection updateTime: '2024-08-05T22:32:01.536452397Z'
REST
Security Command Center Management API 的 RESOURCE_TYPE.locations.securityCenterServices.patch
方法用于更新 Security Command Center 服务或模块的状态。
在使用任何请求数据之前,请先进行以下替换:
-
RESOURCE_TYPE
:要更新的资源类型(organizations
、folders
或projects
) -
QUOTA_PROJECT
:用于结算和配额跟踪的项目 ID -
RESOURCE_ID
:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID -
NEW_STATE
:ENABLED
表示启用 VM Threat Detection;DISABLED
表示停用 VM Threat Detection;INHERITED
表示继承父级资源的启用状态(仅适用于项目和文件夹)
HTTP 方法和网址:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=intendedEnablementState
请求 JSON 正文:
{ "intendedEnablementState": "NEW_STATE" }
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{ "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection", "effectiveEnablementState": "ENABLED", "modules": { "CRYPTOMINING_YARA": { "effectiveEnablementState": "ENABLED" }, "KERNEL_MEMORY_TAMPERING": { "effectiveEnablementState": "ENABLED" }, "KERNEL_INTEGRITY_TAMPERING": { "effectiveEnablementState": "ENABLED" }, "CRYPTOMINING_HASH": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "MALWARE_DISK_SCAN_YARA": { "effectiveEnablementState": "ENABLED" } }, "updateTime": "2024-08-05T22:32:01.536452397Z" }
启用或停用 VM Threat Detection 模块
如需启用或停用单个 VM Threat Detection 检测器(也称为“模块”),请执行以下操作。您的更改最长可能需要 1 小时才会生效。
如需了解所有 VM Threat Detection 威胁发现结果及其生成模块,请参阅威胁发现结果。
控制台
您可以在 Google Cloud 控制台中在组织级别启用或停用 VM Threat Detection 模块。如需在文件夹级或项目级启用或停用虚拟机威胁检测模块,请使用 gcloud CLI 或 REST API。
在 Google Cloud 控制台中,前往 Virtual Machine Threat Detection Modules(虚拟机威胁检测模块)页面。
在状态列中,选择要启用或停用的模块的当前状态,然后选择以下任一选项:
- 启用:启用模块。
- 停用:停用模块。
gcloud
gcloud scc manage services update
命令用于更新 Security Command Center 服务或模块的状态。
在使用下面的命令数据之前,请先进行以下替换:
-
RESOURCE_TYPE
:要更新的资源类型(organization
、folder
或project
) -
RESOURCE_ID
:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID -
MODULE_NAME
:要启用或停用的模块的名称;如需了解有效值,请参阅威胁发现 -
NEW_STATE
:ENABLED
用于启用模块;DISABLED
用于停用模块;INHERITED
用于继承父级资源的启用状态(仅适用于项目和文件夹)
将以下内容保存在名为 request.json
的文件中:
{ "MODULE_NAME": { "intendedEnablementState": "NEW_STATE" } }
执行 gcloud scc manage services update
命令:
Linux、macOS 或 Cloud Shell
gcloud scc manage services update vm-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID \ --enablement-state=ENABLED \ --module-config-file=request.json
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID ` --enablement-state=ENABLED \ --module-config-file=request.json
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID ^ --enablement-state=ENABLED \ --module-config-file=request.json
您应该会收到类似如下所示的响应:
effectiveEnablementState: ENABLED modules: CRYPTOMINING_HASH: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CRYPTOMINING_YARA: effectiveEnablementState: ENABLED KERNEL_INTEGRITY_TAMPERING: effectiveEnablementState: ENABLED KERNEL_MEMORY_TAMPERING: effectiveEnablementState: ENABLED MALWARE_DISK_SCAN_YARA: effectiveEnablementState: ENABLED name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection updateTime: '2024-08-05T22:32:01.536452397Z'
REST
Security Command Center Management API 的 RESOURCE_TYPE.locations.securityCenterServices.patch
方法用于更新 Security Command Center 服务或模块的状态。
在使用任何请求数据之前,请先进行以下替换:
-
RESOURCE_TYPE
:要更新的资源类型(organizations
、folders
或projects
) -
QUOTA_PROJECT
:用于结算和配额跟踪的项目 ID -
RESOURCE_ID
:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID -
MODULE_NAME
:要启用或停用的模块的名称;如需了解有效值,请参阅威胁发现 -
NEW_STATE
:ENABLED
用于启用模块;DISABLED
用于停用模块;INHERITED
用于继承父级资源的启用状态(仅适用于项目和文件夹)
HTTP 方法和网址:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=modules
请求 JSON 正文:
{ "modules": { "MODULE_NAME": { "intendedEnablementState": "NEW_STATE" } } }
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{ "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection", "effectiveEnablementState": "ENABLED", "modules": { "CRYPTOMINING_YARA": { "effectiveEnablementState": "ENABLED" }, "KERNEL_MEMORY_TAMPERING": { "effectiveEnablementState": "ENABLED" }, "KERNEL_INTEGRITY_TAMPERING": { "effectiveEnablementState": "ENABLED" }, "CRYPTOMINING_HASH": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "MALWARE_DISK_SCAN_YARA": { "effectiveEnablementState": "ENABLED" } }, "updateTime": "2024-08-05T22:32:01.536452397Z" }
查看 VM Threat Detection 模块的设置
如需了解所有 VM Threat Detection 威胁发现结果及其生成模块,请参阅威胁发现结果表格。
控制台
借助 Google Cloud 控制台,您可以在组织级查看 VM Threat Detection 模块的设置。如需在文件夹级或项目级查看虚拟机威胁检测模块的设置,请使用 gcloud CLI 或 REST API。
如需在 Google Cloud 控制台中查看设置,请前往虚拟机威胁检测模块页面。
gcloud
gcloud scc manage services update
命令用于获取 Security Command Center 服务或模块的状态。
在使用下面的命令数据之前,请先进行以下替换:
-
RESOURCE_TYPE
:要获取的资源类型(organizations
、folders
或projects
) -
QUOTA_PROJECT
:用于结算和配额跟踪的项目 ID -
RESOURCE_ID
:要获取的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID
将以下内容保存在名为 request.json
的文件中:
{ "MODULE_NAME": { "intendedEnablementState": "NEW_STATE" } }
执行 gcloud scc manage services update
命令:
Linux、macOS 或 Cloud Shell
gcloud scc manage services update vm-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID
您应该会收到类似如下所示的响应:
effectiveEnablementState: ENABLED modules: CRYPTOMINING_HASH: effectiveEnablementState: ENABLED intendedEnablementState: ENABLED CRYPTOMINING_YARA: effectiveEnablementState: ENABLED KERNEL_INTEGRITY_TAMPERING: effectiveEnablementState: ENABLED KERNEL_MEMORY_TAMPERING: effectiveEnablementState: ENABLED MALWARE_DISK_SCAN_YARA: effectiveEnablementState: ENABLED name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection updateTime: '2024-08-05T22:32:01.536452397Z'
REST
Security Command Center Management API 的 RESOURCE_TYPE.locations.securityCenterServices.get
方法可获取 Security Command Center 服务或模块的状态。
在使用任何请求数据之前,请先进行以下替换:
-
RESOURCE_TYPE
:要获取的资源类型(organizations
、folders
或projects
) -
QUOTA_PROJECT
:用于结算和配额跟踪的项目 ID -
RESOURCE_ID
:要获取的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID
HTTP 方法和网址:
GET https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{ "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection", "effectiveEnablementState": "ENABLED", "modules": { "CRYPTOMINING_YARA": { "effectiveEnablementState": "ENABLED" }, "KERNEL_MEMORY_TAMPERING": { "effectiveEnablementState": "ENABLED" }, "KERNEL_INTEGRITY_TAMPERING": { "effectiveEnablementState": "ENABLED" }, "CRYPTOMINING_HASH": { "intendedEnablementState": "ENABLED", "effectiveEnablementState": "ENABLED" }, "MALWARE_DISK_SCAN_YARA": { "effectiveEnablementState": "ENABLED" } }, "updateTime": "2024-08-05T22:32:01.536452397Z" }
用于检测加密货币挖矿的软件名称和 YARA 规则
以下列表包含触发加密货币挖矿发现结果的二进制文件和 YARA 规则的名称。如需查看列表,请展开节点。
Execution: Cryptocurrency Mining Hash Match
- Arionum CPU Miner:面向 Arionum 加密货币的挖矿软件
- Avermore:面向基于 Scrypt 加密货币的挖矿软件
- Beam CUDA Miner:面向基于 Equihash 的加密货币的挖矿软件
- Beam OpenCL Miner:面向基于 Equihash 的加密货币的挖矿软件
- BFGMiner:面向比特币的 ASIC/FPGA 挖矿软件
- BMiner:面向各种加密货币的挖矿软件
- Cast XMR:面向 基于 CryptoNight 的加密货币的挖矿软件
- ccminer:基于 CUDA 的挖矿软件
- cgminer:面向比特币的 ASIC/FPGA 挖矿软件
- Claymore's Miner:面向各种加密货币的基于 GPU 的挖掘软件
- CPUMiner:基于 CPU 的挖掘软件系列
- CryptoDredge:面向 CryptoDredge 的挖矿软件系列
- CryptoGoblin:面向 基于 CryptoNight 的加密货币的挖矿软件
- DamoMiner:面向 Ethereum 和其他加密货币的基于 GPU 的挖矿软件
- DigitsMiner:面向 Digits 的挖掘软件
- EasyMiner:面向比特币和其他加密货币的挖矿软件
- Ethminer:面向 Ethereum 和其他加密货币的挖矿软件
- EWBF:面向基于 Equihash 的加密货币的挖矿软件
- FinMiner:面向 Ethash 和基于 CryptoNight 的加密货币的挖矿软件
- Funakoshi Miner:面向 Bitcoin-Gold 加密货币的挖矿软件
- Geth:面向 Ethereum 的挖矿软件
- GMiner:面向各种加密货币的挖矿软件
- gominer:面向 Decred 的挖矿软件
- GrinGoldMiner:面向 Grin 的挖矿软件
- Hush:面向基于 Zcash 的加密货币的挖矿软件
- IxiMiner:面向 Ixian 的挖矿软件
- kawpowminer:面向 Ravencoin 的挖矿软件
- Komodo:面向 Komodo 的采矿软件系列
- lolMiner:面向各种加密货币的挖矿软件
- lukMiner:面向各种加密货币的挖矿软件
- MinerGate:面向各种加密货币的挖矿软件
- miniZ:面向基于 Equihash 的加密货币的挖矿软件
- Mirai:可用于挖掘加密货币的恶意软件
- MultiMiner:面向各种加密货币的挖矿软件
- nanominer:面向各种加密货币的挖矿软件
- NBMiner:面向各种加密货币的挖矿软件
- Nevermore:面向各种加密货币的挖矿软件
- nheqminer:面向 NiceHash 的挖矿软件
- NinjaRig:面向基于 Argon2 的加密货币的挖矿软件
- NodeCore PoW CUDA Miner:面向 VeriBlock 的挖矿软件
- NoncerPro:面向 Nimiq 的挖矿软件
- Optiminer/Equihash:面向基于 Equihash 的加密货币的挖矿软件
- PascalCoin:面向 PascalCoin 的挖矿软件系列
- PhoenixMiner:面向 Ethereum 的挖矿软件
- Pooler CPU Miner:面向 Litecoin 和 Bitcoin 的挖矿软件
- ProgPoW Miner:面向 Ethereum 和其他加密货币的挖矿软件
- rhminer:面向 PascalCoin 的挖矿软件
- sgminer:面向基于 scrypt 加密货币的挖矿软件
- simplecoin:面向基于 scrypt 的 SimpleCoin 的挖矿软件系列
- Skypool Nimiq Miner:面向 Nimiq 的挖矿软件
- SwapReferenceMiner:面向 Grin 的挖矿软件
- Team Red Miner:面向各种加密货币的基于 AMD 的挖矿软件
- T-Rex:面向各种加密货币的挖矿软件
- TT-Miner:面向各种加密货币的挖矿软件
- Ubqminer:面向基于 Ubqhash 的加密货币的挖矿软件
- VersusCoin:面向 VersusCoin 的挖矿软件
- violetminer:面向基于 Argon2 的加密货币的挖矿软件
- webchain-miner:面向 MintMe 的挖矿软件
- WildRig:面向各种加密货币的挖矿软件
- XCASH_ALL_Miner:面向 XCASH 的挖矿软件
- xFash:面向 MinerGate 的挖矿软件
- XLArig:面向基于 CryptoNight 的加密货币的挖矿软件
- XMRig:面向各种加密货币的挖矿软件
- Xmr-Stak:面向基于 CryptoNight 的加密货币的挖矿软件
- XMR-Stak TurtleCoin:面向基于 CryptoNight 的加密货币的挖矿软件
- Xtl-Stak:面向基于 CryptoNight 的加密货币的挖矿软件
- Yam Miner:面向 MinerGate 的挖矿软件
- YCash:面向 YCash 的挖矿软件
- ZCoin:面向 ZCoin/Fire 的挖矿软件
- Zealot/Enemy:面向各种加密货币的挖矿软件
- 加密货币挖矿机信号1
1 此通用威胁名称表示虚拟机中可能运行未知的加密货币挖矿机活动,但 VM Threat Detection 没有关于该挖矿机的具体信息。
Execution: Cryptocurrency Mining YARA Rule
- YARA_RULE1:与面向 Monero 的挖矿软件匹配
- YARA_RULE9:与使用 Blake2 和 AES 加密的挖矿软件匹配
- YARA_RULE10:与使用 CryptoNight 工作证明例程的挖矿软件匹配
- YARA_RULE15:与面向 NBMiner 的挖矿软件匹配
- YARA_RULE17:与使用 Scrypt 工作证明例程的挖矿软件匹配
- YARA_RULE18:与使用 Scrypt 工作证明例程的挖矿软件匹配
- YARA_RULE19:与面向 BFGMiner 的挖矿软件匹配
- YARA_RULE24:与面向 XMR-Stak 的挖矿软件匹配
- YARA_RULE25:与面向 XMRig 的挖矿软件匹配
- DYNAMIC_YARA_RULE_BFGMINER_2:与面向 BFGMiner 的挖矿软件匹配
后续步骤
- 详细了解 VM Threat Detection。
- 了解如何调查 VM Threat Detection 发现结果。