本页面介绍了如何查看和管理 VM Threat Detection 发现结果。此外还展示了如何启用或停用相关服务及其模块。
概览
Virtual Machine Threat Detection 是 Security Command Center 内置的一项服务。此服务会扫描虚拟机以检测潜在恶意应用,例如加密货币挖矿软件、内核模式 rootkit 以及在遭入侵的云环境中运行的恶意软件。
VM Threat Detection 是 Security Command Center 威胁检测套件的一部分,旨在补充 Event Threat Detection 和 Container Threat Detection 的现有功能。
如需了解详情,请参阅 VM Threat Detection 概览。
准备工作
如需获得管理 Virtual Machine Threat Detection 服务及其各模块所需的权限,请让您的管理员为您授予组织、文件夹或项目的 Security Center Management Admin (roles/securitycentermanagement.admin) IAM 角色。
如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限。
测试 VM Threat Detection
如要测试 VM Threat Detection 中的加密货币挖矿检测功能,您可以在虚拟机上运行一个加密货币挖矿应用。如需查看触发发现结果的二进制文件名称和 YARA 规则的列表,请参阅软件名称和 YARA 规则。如果您要安装和测试挖矿应用,建议您仅在隔离的测试环境中运行这些应用,密切监控其使用情况,并在测试完毕后完全移除这些应用。
如要测试 VM Threat Detection 中的恶意软件检测功能,您可以在虚拟机上下载一些恶意软件应用。如果您要下载恶意软件,建议您在隔离的测试环境中执行下载,并在测试完毕后完全移除这些软件。
在 Google Cloud 控制台中查看发现结果
如需在 Google Cloud 控制台中查看 VM Threat Detection 发现结果,请执行以下操作:
- 在 Google Cloud 控制台中,前往 Security Command Center 的发现结果页面。
- 选择您的 Google Cloud 项目或组织。
- 在快速过滤条件部分的来源显示名称子部分中,选择 Virtual Machine Threat Detection。发现结果查询结果已更新,仅显示来自此来源的发现结果。
- 如需查看特定发现结果的详细信息,请点击类别列中的发现结果名称。 系统会打开发现结果的详细信息面板,并显示摘要标签页。
- 在摘要标签页上,查看发现结果的详细信息,包括有关检测到的内容、受影响的资源的信息,以及您可以采取的修复该发现结果的步骤(如果有)。
- 可选:如需查看发现结果的完整 JSON 定义,请点击 JSON 标签页。
如需了解如何对特定的 VM Threat Detection 发现结果做出响应,请在威胁发现结果索引中搜索该发现结果。
如需查看响应建议概要,请参阅对 Compute Engine 威胁发现结果做出响应。
如需查看 VM Threat Detection 发现结果列表,请参阅发现结果。
严重级别
VM Threat Detection 发现结果的严重级别分为高、中和低,具体取决于威胁分类置信度。
组合检测
如果在一天内检测到多个类别的发现结果,就会进行组合检测。发现结果可能是由一个或多个恶意应用导致的。例如,单个应用可以同时触发 Execution: Cryptocurrency Mining YARA Rule 和 Execution: Cryptocurrency
Mining Hash Match 发现结果。但是,在当天从单个来源检测到的所有威胁都会汇总到一个组合检测发现结果中。在接下来的几天,如果发现更多威胁(即使是相同的威胁),则会附加到新发现结果。
如需查看组合检测的发现结果示例,请参阅发现结果格式示例。
发现结果格式示例
本部分提供了 VM Threat Detection 发现结果的 JSON 输出示例。当您使用Google Cloud 控制台导出发现结果时,或者使用 Security Command Center API 或 Google Cloud CLI 列出发现结果时,会看到此输出。
本页面上的示例展示了不同类型的发现结果。每个示例仅包含与相应类型的发现结果最相关的字段。如需查看某个发现结果可用的所有字段的完整列表,请参阅 Security Command Center API 文档中的 Finding 资源部分。
您可以通过 Security Command Center 控制台导出发现结果,也可以通过 Security Command Center API 列出发现结果。
如需查看示例发现结果,请展开以下一个或多个节点。如需了解发现结果中的每个字段,请参阅 Finding。
Defense Evasion: Rootkit
此输出示例展示了已知内核模式 rootkit (Diamorphine) 相关的发现结果。
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Rootkit", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": { "name": "Diamorphine", "unexpected_kernel_code_pages": true, "unexpected_system_call_handler": true }, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected ftrace handler
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected ftrace handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected interrupt handler
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected interrupt handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected kernel modules
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected kernel modules", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected kernel read-only data modification
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected kernel read-only data modification", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected kprobe handler
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected kprobe handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected processes in runqueue
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected processes in runqueue", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected system call handler
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected system call handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Execution: Cryptocurrency Mining Combined
Detection
此输出示例展示了一个 CRYPTOMINING_HASH 和 CRYPTOMINING_YARA 模块都检测到的威胁。
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Cryptocurrency Mining Combined Detection", "createTime": "2023-01-05T01:40:48.994Z", "database": {}, "eventTime": "2023-01-05T01:39:36.876Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "yaraRuleSignature": { "yaraRule": "YARA_RULE1" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE9" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE10" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE25" } }, { "memoryHashSignature": { "binaryFamily": "XMRig", "detections": [ { "binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1 } ] } } ] }, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [ { "binary": { "path": "BINARY_PATH" }, "script": {}, "args": [ "./miner", "" ], "pid": "123", "parentPid": "456", "name": "miner" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Execution: Cryptocurrency Mining Hash Match
Detection
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Cryptocurrency Mining Hash Match", "createTime": "2023-01-05T01:40:48.994Z", "database": {}, "eventTime": "2023-01-05T01:39:36.876Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "memoryHashSignature": { "binaryFamily": "XMRig", "detections": [ { "binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1 } ] } } ] }, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [ { "binary": { "path": "BINARY_PATH" }, "script": {}, "args": [ "./miner", "" ], "pid": "123", "parentPid": "456", "name": "miner" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Execution: Cryptocurrency Mining YARA Rule
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Cryptocurrency Mining YARA Rule", "createTime": "2023-01-05T00:37:38.450Z", "database": {}, "eventTime": "2023-01-05T01:12:48.828Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "yaraRuleSignature": { "yaraRule": "YARA_RULE9" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE10" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE25" } } ] }, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [ { "binary": { "path": "BINARY_PATH" }, "script": {}, "args": [ "./miner", "" ], "pid": "123", "parentPid": "456", "name": "miner" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Malware: Malicious file on disk (YARA)
{ "findings": { "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Malware: Malicious file on disk (YARA)", "createTime": "2023-01-05T00:37:38.450Z", "eventTime": "2023-01-05T01:12:48.828Z", "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "yaraRuleSignature": { "yaraRule": "M_Backdoor_REDSONJA_4" }, "signatureType": "SIGNATURE_TYPE_FILE", }, { "yaraRuleSignature": { "yaraRule": "M_Backdoor_REDSONJA_3" }, "signatureType": "SIGNATURE_TYPE_FILE", } ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "files": [ { "diskPath": { "partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539", "relative_path": "RELATIVE_PATH" }, "size": "21238", "sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69", "hashedSize": "21238" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
更改发现结果的状态
解决了由 VM Threat Detection 识别出的威胁后,该服务不会在后续扫描中自动将发现结果状态设置为非活跃。由于我们的威胁网域的性质,VM Threat Detection 无法确定威胁是否已被缓解或发生变化,以免被检测出。
当安全团队认为威胁得到缓解时,可以执行以下步骤,将发现结果状态更改为非活跃。
在 Google Cloud 控制台中,前往 Security Command Center 的发现结果页面。
在查看方式旁边,点击来源类型。
在来源类型列表中,选择 Virtual Machine Threat Detection。 系统会根据所选来源类型在表中填充发现结果。
选中已解决的发现结果旁边的复选框。
点击更改活跃状态。
点击无效。
为 Google Cloud启用或停用 VM Threat Detection
本部分介绍了如何为 Compute Engine 虚拟机启用或停用 VM Threat Detection。如需为 AWS 虚拟机启用 VM Threat Detection,请改为参阅为 AWS 启用 VM Threat Detection。
VM Threat Detection 对 2022 年 7 月 15 日(此服务正式发布的时间)之后注册 Security Command Center Premium 的所有客户默认启用。如果需要,您可以为项目或组织手动停用或重新启用此服务。
如果您在组织或项目中启用 VM Threat Detection,该服务会自动扫描该组织或项目中的所有受支持的资源。相反,当您对组织或项目停用 VM Threat Detection 时,此服务会停止扫描其中所有支持的资源。
如需启用或停用 VM Threat Detection,请执行以下操作:
控制台
在 Google Cloud 控制台中,前往 Virtual Machine Threat Detection 服务启用页面。
选择您的组织或项目。
在服务启用标签页的 Virtual Machine Threat Detection 列中,选择您要修改的组织、文件夹或项目的启用状态,然后选择以下一项:
- 启用:启用 VM Threat Detection
- 停用:停用 VM Threat Detection
- 继承:从父级文件夹或组织继承启用状态;仅适用于项目和文件夹
gcloud
gcloud scc manage services update 命令会更新 Security Command Center 服务或模块的状态。
在使用下面的命令数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要更新的资源类型(organization、folder或project) -
RESOURCE_ID:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用项目的字母数字 ID -
NEW_STATE:ENABLED用于启用 VM Threat Detection;DISABLED用于停用 VM Threat Detection;INHERITED用于继承父级资源的启用状态(仅对项目和文件夹有效)
执行 gcloud scc manage services update 命令:
Linux、macOS 或 Cloud Shell
gcloud scc manage services update vm-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID \ --enablement-state=NEW_STATE
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID ` --enablement-state=NEW_STATE
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID ^ --enablement-state=NEW_STATE
您应该会收到类似如下所示的响应:
effectiveEnablementState: ENABLED
modules:
CRYPTOMINING_HASH:
effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
CRYPTOMINING_YARA:
effectiveEnablementState: ENABLED
KERNEL_INTEGRITY_TAMPERING:
effectiveEnablementState: ENABLED
KERNEL_MEMORY_TAMPERING:
effectiveEnablementState: ENABLED
MALWARE_DISK_SCAN_YARA:
effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
Security Command Center Management API 的 RESOURCE_TYPE.locations.securityCenterServices.patch 方法用于更新 Security Command Center 服务或模块的状态。
在使用任何请求数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要更新的资源类型(organizations、folders或projects) -
QUOTA_PROJECT:用于结算和配额跟踪的项目 ID -
RESOURCE_ID:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用项目的字母数字 ID -
NEW_STATE:ENABLED用于启用 VM Threat Detection;DISABLED用于停用 VM Threat Detection;INHERITED用于继承父级资源的启用状态(仅对项目和文件夹有效)
HTTP 方法和网址:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=intendedEnablementState
请求 JSON 正文:
{
"intendedEnablementState": "NEW_STATE"
}
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{
"name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
"effectiveEnablementState": "ENABLED",
"modules": {
"CRYPTOMINING_YARA": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_MEMORY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_INTEGRITY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"CRYPTOMINING_HASH": {
"intendedEnablementState": "ENABLED",
"effectiveEnablementState": "ENABLED"
},
"MALWARE_DISK_SCAN_YARA": {
"effectiveEnablementState": "ENABLED"
}
},
"updateTime": "2024-08-05T22:32:01.536452397Z"
}
启用或停用 VM Threat Detection 模块
如需启用或停用单个 VM Threat Detection 检测器(也称为“模块”),请执行以下操作。您的更改最长可能需要 1 小时才会生效。
如需了解所有 VM Threat Detection 威胁发现结果以及生成这些发现结果的模块,请参阅威胁发现结果。
控制台
借助 Google Cloud 控制台,您可以在组织级别启用或停用 VM Threat Detection 模块。 如需在文件夹级或项目级启用或停用 VM Threat Detection 模块,请使用 gcloud CLI 或 REST API。
在 Google Cloud 控制台中,前往 Virtual Machine Threat Detection 模块页面。
点击要为其启用或停用这些模块的云服务提供商对应的标签页,例如 Google Cloud。
在模块标签页的状态列中,选择要启用或停用的模块的当前状态,然后选择以下任一选项:
- 启用:启用该模块。
- 停用:停用该模块。
gcloud
gcloud scc manage services update 命令会更新 Security Command Center 服务或模块的状态。
在使用下面的命令数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要更新的资源类型(organization、folder或project) -
RESOURCE_ID:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用项目的字母数字 ID -
MODULE_NAME:要启用或停用的模块的名称;如需了解有效值,请参阅威胁发现结果 -
NEW_STATE:ENABLED用于启用模块;DISABLED用于停用模块;INHERITED用于继承父资源的启用状态(仅对项目和文件夹有效)
将以下内容保存在名为 request.json 的文件中:
{ "MODULE_NAME": { "intendedEnablementState": "NEW_STATE" } }
执行 gcloud scc manage services update 命令:
Linux、macOS 或 Cloud Shell
gcloud scc manage services update vm-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID \ --enablement-state=ENABLED \ --module-config-file=request.json
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID ` --enablement-state=ENABLED \ --module-config-file=request.json
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID ^ --enablement-state=ENABLED \ --module-config-file=request.json
您应该会收到类似如下所示的响应:
effectiveEnablementState: ENABLED
modules:
CRYPTOMINING_HASH:
effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
CRYPTOMINING_YARA:
effectiveEnablementState: ENABLED
KERNEL_INTEGRITY_TAMPERING:
effectiveEnablementState: ENABLED
KERNEL_MEMORY_TAMPERING:
effectiveEnablementState: ENABLED
MALWARE_DISK_SCAN_YARA:
effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
Security Command Center Management API 的 RESOURCE_TYPE.locations.securityCenterServices.patch 方法用于更新 Security Command Center 服务或模块的状态。
在使用任何请求数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要更新的资源类型(organizations、folders或projects) -
QUOTA_PROJECT:用于结算和配额跟踪的项目 ID -
RESOURCE_ID:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用项目的字母数字 ID -
MODULE_NAME:要启用或停用的模块的名称;如需了解有效值,请参阅威胁发现结果 -
NEW_STATE:ENABLED用于启用模块;DISABLED用于停用模块;INHERITED用于继承父资源的启用状态(仅对项目和文件夹有效)
HTTP 方法和网址:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=modules
请求 JSON 正文:
{
"modules": {
"MODULE_NAME": {
"intendedEnablementState": "NEW_STATE"
}
}
}
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{
"name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
"effectiveEnablementState": "ENABLED",
"modules": {
"CRYPTOMINING_YARA": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_MEMORY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_INTEGRITY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"CRYPTOMINING_HASH": {
"intendedEnablementState": "ENABLED",
"effectiveEnablementState": "ENABLED"
},
"MALWARE_DISK_SCAN_YARA": {
"effectiveEnablementState": "ENABLED"
}
},
"updateTime": "2024-08-05T22:32:01.536452397Z"
}
查看 VM Threat Detection 模块的设置
如需了解所有 VM Threat Detection 威胁发现结果以及生成这些发现结果的模块,请参阅威胁发现结果表。
控制台
借助 Google Cloud 控制台,您可以在组织级别查看 VM Threat Detection 模块的设置。 如需查看文件夹级或项目级 VM Threat Detection 模块设置,请使用 gcloud CLI 或 REST API。
如需在 Google Cloud 控制台中查看设置,请前往 Virtual Machine Threat Detection 模块页面。
gcloud
gcloud scc manage services describe 命令会获取 Security Command Center 服务或模块的状态。
在使用下面的命令数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要获取的资源类型(organization、folder或project) -
RESOURCE_ID:要获取的组织、文件夹或项目的数字标识符;对于项目,您还可以使用项目的字母数字 ID
执行 gcloud scc manage services describe 命令:
Linux、macOS 或 Cloud Shell
gcloud scc manage services describe vm-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud scc manage services describe vm-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud scc manage services describe vm-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID
您应该会收到类似如下所示的响应:
effectiveEnablementState: ENABLED
modules:
CRYPTOMINING_HASH:
effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
CRYPTOMINING_YARA:
effectiveEnablementState: ENABLED
KERNEL_INTEGRITY_TAMPERING:
effectiveEnablementState: ENABLED
KERNEL_MEMORY_TAMPERING:
effectiveEnablementState: ENABLED
MALWARE_DISK_SCAN_YARA:
effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
Security Command Center Management API 的 RESOURCE_TYPE.locations.securityCenterServices.get 方法用于获取 Security Command Center 服务或模块的状态。
在使用任何请求数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要获取的资源类型(organizations、folders或projects) -
QUOTA_PROJECT:用于结算和配额跟踪的项目 ID -
RESOURCE_ID:要获取的组织、文件夹或项目的数字标识符;对于项目,您还可以使用项目的字母数字 ID
HTTP 方法和网址:
GET https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{
"name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
"effectiveEnablementState": "ENABLED",
"modules": {
"CRYPTOMINING_YARA": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_MEMORY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_INTEGRITY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"CRYPTOMINING_HASH": {
"intendedEnablementState": "ENABLED",
"effectiveEnablementState": "ENABLED"
},
"MALWARE_DISK_SCAN_YARA": {
"effectiveEnablementState": "ENABLED"
}
},
"updateTime": "2024-08-05T22:32:01.536452397Z"
}
加密货币挖矿检测中的软件名称和 YARA 规则
以下列表包含触发加密货币挖矿发现结果的二进制文件名称及 YARA 规则。如需查看列表,请展开节点。
Execution: Cryptocurrency Mining Hash Match
- Arionum CPU Miner:面向 Arionum 加密货币的挖矿软件
- Avermore:面向基于 Scrypt 的加密货币的挖矿软件
- Beam CUDA Miner:面向基于 Equihash 的加密货币的挖矿软件
- Beam OpenCL Miner:面向基于 Equihash 的加密货币的挖矿软件
- BFGMiner:面向比特币的基于 ASIC/FPGA 的挖矿软件
- BMiner:面向各种加密货币的挖矿软件
- Cast XMR:面向基于 CryptoNight 的加密货币的挖矿软件
- ccminer:基于 CUDA 的挖矿软件
- cgminer:面向比特币的基于 ASIC/FPGA 的挖矿软件
- Claymore's Miner:面向各种加密货币的基于 GPU 的挖矿软件
- CPUMiner:基于 CPU 的挖掘软件系列
- CryptoDredge:面向 CryptoDredge 的挖矿软件系列
- CryptoGoblin:面向基于 CryptoNight 的加密货币的挖矿软件
- DamoMiner:面向以太坊及其他加密货币的基于 GPU 的挖矿软件
- DigitsMiner:面向 Digits 的挖矿软件
- EasyMiner:面向比特币及其他加密货币的挖矿软件
- Ethminer:面向以太坊及其他加密货币的挖矿软件
- EWBF:面向基于 Equihash 的加密货币的挖矿软件
- FinMiner:面向基于 Ethash 和 CryptoNight 的加密货币的挖矿软件
- Funakoshi Miner:面向比特币黄金加密货币的挖矿软件
- Geth:面向以太坊的挖矿软件
- GMiner:面向各种加密货币的挖矿软件
- gominer:面向 Decred 的挖矿软件
- GrinGoldMiner:面向 Grin 的挖矿软件
- Hush:面向基于 Zcash 的加密货币的挖矿软件
- IxiMiner:面向 Ixian 的挖矿软件
- kawpowminer:面向 Ravencoin 的挖矿软件
- Komodo:面向 Komodo 的挖矿软件系列
- lolMiner:面向各种加密货币的挖矿软件
- lukMiner:面向各种加密货币的挖矿软件
- MinerGate:面向各种加密货币的挖矿软件
- miniZ:面向基于 Equihash 的加密货币的挖矿软件
- Mirai:可用于挖掘加密货币的恶意软件
- MultiMiner:面向各种加密货币的挖矿软件
- nanominer:面向各种加密货币的挖矿软件
- NBMiner:面向各种加密货币的挖矿软件
- Nevermore:面向各种加密货币的挖矿软件
- nheqminer:面向 NiceHash 的挖矿软件
- NinjaRig:面向基于 Argon2 的加密货币的挖矿软件
- NodeCore PoW CUDA Miner:面向 VeriBlock 的挖矿软件
- NoncerPro:面向 Nimiq 的挖矿软件
- Optiminer/Equihash:面向基于 Equihash 的加密货币的挖矿软件
- PascalCoin:面向 PascalCoin 的挖矿软件系列
- PhoenixMiner:面向以太坊的挖矿软件
- Pooler CPU Miner:面向莱特币和比特币的挖矿软件
- ProgPoW Miner:面向以太坊及其他加密货币的挖矿软件
- rhminer:面向 PascalCoin 的挖矿软件
- sgminer:面向基于 scrypt 的加密货币的挖矿软件
- simplecoin:面向基于 scrypt 的 SimpleCoin 的挖矿软件系列
- Skypool Nimiq Miner:面向 Nimiq 的挖矿软件
- SwapReferenceMiner:面向 Grin 的挖矿软件
- Team Red Miner:面向各种加密货币的基于 AMD 的挖矿软件
- T-Rex:面向各种加密货币的挖矿软件
- TT-Miner:面向各种加密货币的挖矿软件
- Ubqminer:面向基于 Ubqhash 的加密货币的挖矿软件
- VersusCoin:面向 VersusCoin 的挖矿软件
- violetminer:面向基于 Argon2 的加密货币的挖矿软件
- webchain-miner:面向 MintMe 的挖矿软件
- WildRig:面向各种加密货币的挖矿软件
- XCASH_ALL_Miner:面向 XCASH 的挖矿软件
- xFash:面向 MinerGate 的挖矿软件
- XLArig:面向基于 CryptoNight 的加密货币的挖矿软件
- XMRig:面向各种加密货币的挖矿软件
- Xmr-Stak:面向基于 CryptoNight 的加密货币的挖矿软件
- XMR-Stak TurtleCoin:面向基于 CryptoNight 的加密货币的挖矿软件
- Xtl-Stak:面向基于 CryptoNight 的加密货币的挖矿软件
- Yam Miner:面向 MinerGate 的挖矿软件
- YCash:面向 YCash 的挖矿软件
- ZCoin:面向 ZCoin/Fire 的挖矿软件
- Zealot/Enemy:面向各种加密货币的挖矿软件
- 加密货币挖矿机信号1
1 此通用威胁名称表示虚拟机可能在运行未知的加密货币挖矿程序,但 VM Threat Detection 没有关于该挖矿程序的具体信息。
Execution: Cryptocurrency Mining YARA Rule
- YARA_RULE1:与面向 Monero 的挖矿软件匹配
- YARA_RULE9:匹配使用 Blake2 和 AES 加密的挖矿软件
- YARA_RULE10:匹配使用 CryptoNight 工作量证明例程的挖矿软件
- YARA_RULE15:与面向 NBMiner 的挖矿软件匹配
- YARA_RULE17:匹配使用 Scrypt 工作量证明例程的挖矿软件
- YARA_RULE18:匹配使用 Scrypt 工作量证明例程的挖矿软件
- YARA_RULE19:与面向 BFGMiner 的挖矿软件匹配
- YARA_RULE24:与面向 XMR-Stak 的挖矿软件匹配
- YARA_RULE25:与面向 XMRig 的挖矿软件匹配
- DYNAMIC_YARA_RULE_BFGMINER_2:与面向 BFGMiner 的挖矿软件匹配
后续步骤
- 详细了解 VM Threat Detection。
- 了解如何允许 VM Threat Detection 扫描 VPC Service Controls 边界中的虚拟机。
- 了解如何为 AWS 启用 VM Threat Detection。
- 了解如何对 Compute Engine 威胁发现结果做出响应。
- 查看威胁发现结果索引。