使用 Virtual Machine Threat Detection

本页面介绍了如何查看和管理 VM Threat Detection 发现结果。此外还展示了如何启用或停用相关服务及其模块。

概览

虚拟机威胁检测是 Security Command Center 高级方案的内置服务, 通过 Hypervisor 级别的插桩和永久性磁盘进行威胁检测 分析。 VM 威胁检测可检测潜在的恶意应用,例如 加密货币挖矿软件、内核模式 rootkit 以及 遭到入侵的云环境

VM Threat Detection 是 Security Command Center Premium 的威胁检测套件的一部分,旨在补充 Event Threat DetectionContainer Threat Detection 的现有功能。

如需了解详情,请参阅 VM Threat Detection 概览

费用

注册 Security Command Center Premium 后,使用 VM Threat Detection 无需额外费用。

准备工作

要使用此功能,你必须注册 Security Command Center 高级方案

此外,您需要足够的 Identity and Access Management (IAM) 角色才能查看或修改发现结果以及修改 Google Cloud 资源。如果您在 Security Command Center 中遇到访问错误,请让您的管理员寻求帮助。如需详细了解角色,请参阅访问权限控制

测试 VM Threat Detection

如需测试 VM Threat Detection 的加密货币挖矿检测功能,您可以在虚拟机上运行加密货币挖矿应用。如需查看触发发现结果的二进制文件名称和 YARA 规则的列表,请参阅软件名称和 YARA 规则。如果您安装和测试挖矿应用,建议您仅在隔离的测试环境中运行这些应用,密切监控其使用情况,并在测试后完全移除这些应用。

如需测试 VM Threat Detection 恶意软件检测,您可以下载恶意软件 部署应用如果您下载了恶意软件,我们建议您 在隔离的测试环境中进行,并在测试后将其彻底移除。

在 Google Cloud 控制台中查看发现结果

如需在 Google Cloud 控制台中查看 VM Threat Detection 发现结果,请执行以下操作:

  1. 在 Google Cloud 控制台中,前往 Security Command Center 的发现结果页面。

    前往“发现结果”

  2. 选择您的 Google Cloud 项目或组织。
  3. 快速过滤条件部分的来源显示名称子部分中,选择 Virtual Machine Threat Detection。发现结果的查询结果会更新为仅显示此来源的发现结果。
  4. 如需查看特定发现结果的详细信息,请点击类别下的发现结果名称。系统会打开发现结果的详细信息面板,并显示摘要标签页。
  5. 摘要标签页上,查看发现结果的详细信息,包括有关检测到的内容、受影响的资源的信息,以及您可以采取的发现结果修复步骤(如果有)。
  6. 可选:如需查看发现结果的完整 JSON 定义,请点击 JSON 标签页。

如需详细了解如何响应每个虚拟机威胁检测 查找, 查看 VM Threat Detection 响应

如需查看 VM Threat Detection 发现结果列表,请参阅发现结果

严重程度

VM Threat Detection 发现结果的严重程度会根据威胁分类置信度分为

组合检测

如果在一天内检测到多个类别的发现结果,就会进行组合检测。发现结果可能是由一个或多个恶意应用导致的。例如,单个应用可以同时触发 Execution: Cryptocurrency Mining YARA RuleExecution: Cryptocurrency Mining Hash Match 发现结果。但是,在当天从单个来源检测到的所有威胁都会汇总到一个组合检测发现结果中。在接下来的几天,如果发现更多威胁(即使是相同的威胁),则会附加到新发现结果。

如需查看组合检测发现结果的示例,请参阅 发现结果格式示例

发现结果格式示例

这些 JSON 输出示例包含虚拟机威胁检测的通用字段 结果。每个示例仅显示与发现结果类型相关的字段;它 并不提供 字段列表

您可以 通过 Security Command Center 控制台导出发现结果通过 Security Command Center API 列出发现结果

如需查看示例发现结果,请展开以下一个或多个节点。如需了解相应发现结果中的每个字段,请参阅 Finding

Defense Evasion: Rootkit预览版

以下输出示例展示了某个已知内核模式 rootkit 的发现结果: 海因芬。

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Rootkit",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {
      "name": "Diamorphine",
      "unexpected_kernel_code_pages": true,
      "unexpected_system_call_handler": true
    },
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
      

Defense Evasion: Unexpected ftrace handler预览版

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected ftrace handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected interrupt handler预览版

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected interrupt handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected kernel code modification预览版

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kernel code modification",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected kernel modules预览版

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kernel modules",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected kernel read-only data modification预览版

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kernel read-only data modification",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected kprobe handler预览版

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kprobe handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected processes in runqueue预览版

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected processes in runqueue",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Defense Evasion: Unexpected system call handler预览版

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected system call handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }
      

Execution: Cryptocurrency Mining Combined Detection

以下输出示例显示了 CRYPTOMINING_HASHCRYPTOMINING_YARA 模块都检测到的威胁。

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining Combined Detection",
    "createTime": "2023-01-05T01:40:48.994Z",
    "database": {},
    "eventTime": "2023-01-05T01:39:36.876Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE1"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE9"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE10"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE25"
          }
        },
        {
          "memoryHashSignature": {
            "binaryFamily": "XMRig",
            "detections": [
              {
                "binary": "linux-x86-64_xmrig_6.12.2",
                "percentPagesMatched": 1
              }
            ]
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "BINARY_PATH"
        },
        "script": {},
        "args": [
          "./miner",
          ""
        ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
    

Execution: Cryptocurrency Mining Hash Match Detection

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining Hash Match",
    "createTime": "2023-01-05T01:40:48.994Z",
    "database": {},
    "eventTime": "2023-01-05T01:39:36.876Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "memoryHashSignature": {
            "binaryFamily": "XMRig",
            "detections": [
              {
                "binary": "linux-x86-64_xmrig_6.12.2",
                "percentPagesMatched": 1
              }
            ]
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "BINARY_PATH"
        },
        "script": {},
        "args": [
          "./miner",
          ""
        ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
    

Execution: Cryptocurrency Mining YARA Rule

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining YARA Rule",
    "createTime": "2023-01-05T00:37:38.450Z",
    "database": {},
    "eventTime": "2023-01-05T01:12:48.828Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE9"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE10"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE25"
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "BINARY_PATH"
        },
        "script": {},
        "args": [
          "./miner",
          ""
        ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
    

Malware: Malicious file on disk (YARA)

{
  "findings": {
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Malware: Malicious file on disk (YARA)",
    "createTime": "2023-01-05T00:37:38.450Z",
    "eventTime": "2023-01-05T01:12:48.828Z",
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "yaraRuleSignature": {
            "yaraRule": "M_Backdoor_REDSONJA_1"
          },
          "signatureType": "SIGNATURE_TYPE_FILE",
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "M_Backdoor_REDSONJA_2"
          },
          "signatureType": "SIGNATURE_TYPE_FILE",
        }
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "files": [
      {
        "diskPath": {
          "partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539",
          "relative_path": "RELATIVE_PATH"
        },
        "size": "21238",
        "sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69",
        "hashedSize": "21238"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
    

更改发现结果的状态

解决了由 VM Threat Detection 识别出的威胁后,该服务不会在后续扫描中自动将发现结果状态设置为非活跃。由于我们的威胁网域的性质,VM Threat Detection 无法确定威胁是否已被缓解或发生变化,以免被检测出。

当安全团队认为威胁得到缓解时,可以执行以下步骤,将发现结果状态更改为非活跃。

  1. 在 Google Cloud 控制台中,进入 Security Command Center 的发现结果页面。

    前往“发现结果”页面

  2. 查看方式旁边,点击来源类型

  3. 来源类型列表中,选择 Virtual Machine Threat Detection。系统会根据所选来源类型在表中填充发现结果。

  4. 选中已解决的发现结果旁边的复选框。

  5. 点击更改活跃状态

  6. 点击无效

启用或停用 VM Threat Detection

VM Threat Detection 对 2022 年 7 月 15 日(此服务正式发布的时间)之后注册 Security Command Center Premium 的所有客户默认启用。如果需要,您可以为项目或组织手动停用或重新启用此服务。

如果您在组织或项目中启用 VM Threat Detection,该服务会自动扫描该组织或项目中的所有受支持的资源。相反,当您对组织或项目停用 VM Threat Detection 时,此服务会停止扫描其中所有支持的资源。

如需启用或停用 VM Threat Detection,请执行以下操作:

控制台

  1. 在 Google Cloud 控制台中,前往 Virtual Machine Threat Detection Service Enablement 页面。

    前往“服务启用”页面

  2. Virtual Machine Threat Detection 列中,选择当前状态,然后选择以下任一选项:

    • 启用:启用 VM Threat Detection
    • 停用:停用 VM Threat Detection
    • 继承:从父级文件夹或组织继承启用状态;仅适用于项目和文件夹

gcloud

gcloud scc manage services update 命令用于更新 Security Command Center 服务或模块的状态。

在使用下面的命令数据之前,请先进行以下替换:

  • RESOURCE_TYPE:要更新的资源类型(organizationfolderproject
  • RESOURCE_ID:组织、文件夹或 要更新的项目;对于项目,您还可以使用由字母数字组成的项目 ID
  • NEW_STATEENABLED 表示启用 VM Threat Detection;DISABLED 表示停用 VM Threat Detection;INHERITED 表示继承父级资源的启用状态(仅适用于项目和文件夹)

执行 gcloud scc manage services update 命令:

Linux、macOS 或 Cloud Shell

gcloud scc manage services update vm-threat-detection \
    --RESOURCE_TYPE=RESOURCE_ID \
    --enablement-state=NEW_STATE

Windows (PowerShell)

gcloud scc manage services update vm-threat-detection `
    --RESOURCE_TYPE=RESOURCE_ID `
    --enablement-state=NEW_STATE

Windows (cmd.exe)

gcloud scc manage services update vm-threat-detection ^
    --RESOURCE_TYPE=RESOURCE_ID ^
    --enablement-state=NEW_STATE

您应该会收到类似如下所示的响应:

effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'

REST

Security Center Management API 的 RESOURCE_TYPE.locations.securityCenterServices.patch 方法用于更新 Security Command Center 服务或模块的状态。

在使用任何请求数据之前,请先进行以下替换:

  • RESOURCE_TYPE:要更新的资源类型(organizationsfoldersprojects
  • QUOTA_PROJECT:要用于结算和配额跟踪的项目 ID
  • RESOURCE_ID:组织、文件夹或 要更新的项目;对于项目,您还可以使用由字母数字组成的项目 ID
  • NEW_STATEENABLED 表示启用 VM Threat Detection;DISABLED 表示停用 VM Threat Detection;INHERITED 表示继承父级资源的启用状态(仅适用于项目和文件夹)

HTTP 方法和网址:

PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=intendedEnablementState

请求 JSON 正文:

{
  "intendedEnablementState": "NEW_STATE"
}

如需发送您的请求,请展开以下选项之一:

您应该收到类似以下内容的 JSON 响应:

{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_MEMORY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_INTEGRITY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": {
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}

启用或停用 VM Threat Detection 模块

如需启用或停用单个 VM Threat Detection 检测器(也称为“模块”),请执行以下操作。您的更改最长可能需要 1 小时才会生效。

如需了解所有 VM Threat Detection 威胁发现结果及其生成模块,请参阅威胁发现结果

控制台

您可以在 Google Cloud 控制台中在组织级别启用或停用 VM Threat Detection 模块。如需在文件夹级或项目级启用或停用虚拟机威胁检测模块,请使用 gcloud CLI 或 REST API。

  1. 在 Google Cloud 控制台中,前往 Virtual Machine Threat Detection 模块页面。

    前往“模块”

  2. 状态列中,选择您当前执行的模块 然后选择以下选项之一:

    • 启用:启用模块。
    • Disable:停用模块。

gcloud

通过 gcloud scc manage services update 命令会更新 Security Command Center 服务或模块的状态。

在使用下面的命令数据之前,请先进行以下替换:

  • RESOURCE_TYPE:要更新的资源类型(organizationfolderproject
  • RESOURCE_ID:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID
  • MODULE_NAME:要启用或停用的模块的名称;表示有效 值,请参阅 威胁发现结果
  • NEW_STATEENABLED 用于启用模块;DISABLED 用于停用模块;INHERITED 用于继承父级资源的启用状态(仅适用于项目和文件夹)

将以下内容保存在名为 request.json 的文件中:

{
  "MODULE_NAME": {
    "intendedEnablementState": "NEW_STATE"
  }
}

执行 gcloud scc manage services update 命令:

Linux、macOS 或 Cloud Shell

gcloud scc manage services update vm-threat-detection \
    --RESOURCE_TYPE=RESOURCE_ID \
    --enablement-state=ENABLED \  
    --module-config-file=request.json

Windows (PowerShell)

gcloud scc manage services update vm-threat-detection `
    --RESOURCE_TYPE=RESOURCE_ID `
    --enablement-state=ENABLED \  
    --module-config-file=request.json

Windows (cmd.exe)

gcloud scc manage services update vm-threat-detection ^
    --RESOURCE_TYPE=RESOURCE_ID ^
    --enablement-state=ENABLED \  
    --module-config-file=request.json

您应该会收到类似如下所示的响应:

effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'

REST

Security Center Management API 的 RESOURCE_TYPE.locations.securityCenterServices.patch 方法用于更新 Security Command Center 服务或模块的状态。

在使用任何请求数据之前,请先进行以下替换:

  • RESOURCE_TYPE:要更新的资源类型(organizationsfoldersprojects
  • QUOTA_PROJECT:要用于结算和配额跟踪的项目 ID
  • RESOURCE_ID:组织、文件夹或 要更新的项目;对于项目,您还可以使用由字母数字组成的项目 ID
  • MODULE_NAME:要启用或停用的模块的名称;如需了解有效值,请参阅威胁发现
  • NEW_STATEENABLED 用于启用模块;DISABLED 用于停用模块;INHERITED 用于继承父级资源的启用状态(仅适用于项目和文件夹)

HTTP 方法和网址:

PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=modules

请求 JSON 正文:

{
  "modules": {
    "MODULE_NAME": {
      "intendedEnablementState": "NEW_STATE"
    }
  }
}

如需发送您的请求,请展开以下选项之一:

您应该收到类似以下内容的 JSON 响应:

{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_MEMORY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_INTEGRITY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": {
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}

查看 VM Threat Detection 模块的设置

有关所有 VM Threat Detection 威胁发现结果和模块的信息 请参阅威胁 发现结果 表格。

控制台

通过 Google Cloud 控制台,您可以查看 VM Threat Detection 的设置 组织级管理相关模块查看 VM Threat Detection 的设置 模块,请使用 gcloud CLI 或 REST API。

如需查看 Google Cloud 控制台中的设置,请前往虚拟机 威胁检测模块页面。

前往“模块”

gcloud

通过 gcloud scc manage services update 可获取 Security Command Center 服务或模块的状态。

在使用下面的命令数据之前,请先进行以下替换:

  • RESOURCE_TYPE:要获取的资源类型 (organizationsfoldersprojects
  • QUOTA_PROJECT:用于结算和配额跟踪的项目 ID
  • RESOURCE_ID:要获取的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID

将以下内容保存在名为 request.json 的文件中:

{
  "MODULE_NAME": {
    "intendedEnablementState": "NEW_STATE"
  }
}

执行 gcloud scc manage services update 命令:

Linux、macOS 或 Cloud Shell

gcloud scc manage services update vm-threat-detection \
    --RESOURCE_TYPE=RESOURCE_ID

Windows (PowerShell)

gcloud scc manage services update vm-threat-detection `
    --RESOURCE_TYPE=RESOURCE_ID

Windows (cmd.exe)

gcloud scc manage services update vm-threat-detection ^
    --RESOURCE_TYPE=RESOURCE_ID

您应该会收到类似如下所示的响应:

effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'

REST

Security Center Management API RESOURCE_TYPE.locations.securityCenterServices.get 方法可获取 Security Command Center 服务或模块的状态。

在使用任何请求数据之前,请先进行以下替换:

  • RESOURCE_TYPE:要获取的资源类型(organizationsfoldersprojects
  • QUOTA_PROJECT:用于结算和配额跟踪的项目 ID
  • RESOURCE_ID:要获取的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID

HTTP 方法和网址:

GET https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection

如需发送您的请求,请展开以下选项之一:

您应该收到类似以下内容的 JSON 响应:

{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_MEMORY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_INTEGRITY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": {
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}

用于加密货币挖矿检测的软件名称和 YARA 规则

以下列表包含会触发二进制文件和 YARA 规则的 加密货币挖矿发现。如需查看列表,请展开节点。

Execution: Cryptocurrency Mining Hash Match

  • Arionum CPU 矿工:用于 Arionum 加密货币
  • Avermore:面向基于 Scrypt 加密货币的挖矿软件
  • Beam CUDA 矿工:适用于基于 Equihash 的采矿软件 加密货币
  • Beam OpenCL Miner:面向基于 Equihash 的加密货币的挖矿软件
  • BFGMiner:基于 ASIC/FPGA 的比特币挖矿软件
  • BMiner:面向各种加密货币的挖矿软件
  • Cast XMR:用于挖矿软件 基于 CryptoNight 加密货币
  • ccminer:基于 CUDA 的挖矿软件
  • cgminer:基于 ASIC/FPGA 的比特币挖矿软件
  • Claymore's Miner:面向各种加密货币的基于 GPU 的挖掘软件
  • CPUMiner:基于 CPU 的挖掘软件系列
  • CryptoDredge:面向 CryptoDredge 的挖矿软件系列
  • CryptoGoblin:面向基于 CryptoNight 的加密货币的挖矿软件
  • DamoMiner:基于 GPU 的挖矿软件, Ethereum和其他 加密货币
  • DigitsMiner:面向 Digits 的挖掘软件
  • EasyMiner:面向比特币和其他加密货币的挖矿软件
  • Ethminer:用于 Ethereum和其他 加密货币
  • EWBF:面向基于 Equihash 的加密货币的挖矿软件
  • FinMiner:面向 Ethash 和基于 CryptoNight 的加密货币的挖矿软件
  • 船越矿工 (Funakoshi Miner):一款用于 比特币黄金加密货币
  • Geth:面向 Ethereum 的挖矿软件
  • GMiner:适用于各种加密货币的挖矿软件
  • gominer:针对 声明
  • GrinGoldMiner:用于 咧嘴笑
  • Hush:挖矿软件 基于 Zcash 的加密货币
  • IxiMiner:用于挖矿软件 伊县
  • kawpowminer:面向 Ravencoin 的挖矿软件
  • Komodo:适用于 Komodo 的采矿软件系列
  • lolMiner:面向各种加密货币的挖矿软件
  • lukMiner:适用于各种加密货币的挖矿软件
  • MinerGate:面向各种加密货币的挖矿软件
  • miniZ:面向基于 Equihash 的加密货币的挖矿软件
  • Mirai:可用于挖掘加密货币的恶意软件
  • MultiMiner:面向各种加密货币的挖矿软件
  • nanominer:面向各种加密货币的挖矿软件
  • NBMiner:面向各种加密货币的挖矿软件
  • Nevermore:面向各种加密货币的挖矿软件
  • nheqminer:用于 NiceHash
  • NinjaRig:面向基于 Argon2 的加密货币的挖矿软件
  • NodeCore PoW CUDA Miner:用于 VeriBlock
  • NoncerPro:针对 尼米克
  • Optiminer/Equihash:面向基于 Equihash 的加密货币的挖矿软件
  • PascalCoin:面向 PascalCoin 的挖矿软件系列
  • PhoenixMiner:用于 Ethereum
  • Pooler CPU Miner:面向 Litecoin 和 Bitcoin 的挖矿软件
  • ProgPoW Miner:用于 Ethereum和其他 加密货币
  • rhminer:用于挖矿软件 PascalCoin
  • sgminer:面向基于 scrypt 加密货币的挖矿软件
  • simplecoin:面向基于 scrypt 的 SimpleCoin 的挖矿软件系列
  • Skypool Nimiq Miner:用于 尼米克
  • SwapReferenceMiner:用于 咧嘴笑
  • Team Red Miner:基于 AMD 的采矿软件,适用于各种 加密货币
  • T-Rex:针对各种加密货币的挖矿软件
  • TT-Miner:面向各种加密货币的挖矿软件
  • Ubqminer:面向基于 Ubqhash 的加密货币的挖矿软件
  • VersusCoin:适用于 VersusCoin 的挖矿软件
  • violetminer:用于基于 Argon2 的加密货币的挖矿软件
  • webchain-miner:用于挖矿软件 MintMe
  • WildRig:面向各种加密货币的挖矿软件
  • XCASH_ALL_Miner:用于挖矿软件 XCASH
  • xFash:面向 MinerGate 的挖矿软件
  • XLArig:用于 基于 CryptoNight 加密货币
  • XMRig:适用于各种加密货币的挖矿软件
  • Xmr-Stak:用于 基于 CryptoNight 加密货币
  • XMR-Stak TurtleCoin:面向基于 CryptoNight 的加密货币的挖矿软件
  • Xtl-Stak:用于 基于 CryptoNight 加密货币
  • Yam Miner:面向 MinerGate 的挖矿软件
  • YCash:面向 YCash 的挖矿软件
  • ZCoin:面向 ZCoin/Fire 的挖矿软件
  • Zealot/Enemy:面向各种加密货币的挖矿软件
  • 加密货币挖矿机信号1

1 这种笼统的威胁名称表示 加密货币挖矿机可能在虚拟机中运行,但虚拟机威胁检测 没有关于该矿工的具体信息。

Execution: Cryptocurrency Mining YARA Rule

  • YARA_RULE1:与面向 Monero 的挖矿软件匹配
  • YARA_RULE9:与使用 Blake2 和 AES 加密的挖矿软件匹配
  • YARA_RULE10:与使用 CryptoNight 工作证明例程的挖矿软件匹配
  • YARA_RULE15:与以下挖矿软件匹配: NBMiner
  • YARA_RULE17:与使用 Scrypt 工作证明 日常安排
  • YARA_RULE18:与使用 Scrypt 工作证明 日常安排
  • YARA_RULE19:与以下挖矿软件匹配: BFGMiner
  • YARA_RULE24:与面向 XMR-Stak 的挖矿软件匹配
  • YARA_RULE25:与以下挖矿软件匹配: XMRig
  • DYNAMIC_YARA_RULE_BFGMINER_2:与以下挖矿软件匹配: BFGMiner

后续步骤