本页面介绍了如何查看和管理 VM Threat Detection 发现结果。此外还展示了如何启用或停用相关服务及其模块。
概览
Virtual Machine Threat Detection 是 Security Command Center 高级方案的内置服务,可通过 Hypervisor 级插桩和永久性磁盘分析提供威胁检测。虚拟机威胁检测可检测潜在的恶意应用,例如加密货币挖矿软件、内核模式 rootkit 以及在遭到入侵的云环境中运行的恶意软件。
VM Threat Detection 是 Security Command Center Premium 的威胁检测套件的一部分,旨在补充 Event Threat Detection 和 Container Threat Detection 的现有功能。
如需了解详情,请参阅 VM Threat Detection 概览。
费用
注册 Security Command Center Premium 后,使用 VM Threat Detection 无需额外费用。
准备工作
如需使用此功能,您必须注册 Security Command Center Premium。
此外,您需要足够的 Identity and Access Management (IAM) 角色才能查看或修改发现结果以及修改 Google Cloud 资源。如果您在 Security Command Center 中遇到访问错误,请让您的管理员寻求帮助。如需详细了解角色,请参阅访问权限控制。
测试 VM Threat Detection
如需测试虚拟机威胁检测的加密货币挖矿检测,您可以在虚拟机上运行加密货币挖矿应用。如需查看触发发现结果的二进制文件名称和 YARA 规则的列表,请参阅软件名称和 YARA 规则。如果您要安装和测试采矿应用,我们建议您仅在隔离的测试环境中运行应用,密切监控其使用情况,并在测试后将其彻底移除。
如需测试 VM Threat Detection 恶意软件检测功能,您可以在虚拟机上下载恶意软件应用。如果您要下载恶意软件,我们建议您在隔离的测试环境中下载,并在测试后将其彻底移除。
在 Google Cloud 控制台中查看发现结果
如需在 Google Cloud 控制台中查看虚拟机威胁检测发现结果,请执行以下操作:
转到 Google Cloud 控制台中的 Security Command Center 发现结果页面。
如有必要,请选择您的 Google Cloud 项目或组织。
在快速过滤条件部分的来源显示名子部分中,选择 Virtual Machine Threat Detection。
如果您没有看到 Virtual Machine Threat Detection,请点击查看更多。在该对话框中搜索 Virtual Machine Threat Detection。
如需查看特定发现结果的详细信息,请点击类别下的发现结果名称。系统会打开发现结果的详细信息面板,并显示摘要标签页。
在摘要标签页上,查看发现结果的相关信息,包括检测到的二进制文件、受影响的资源等信息。
在详细信息面板上,点击 JSON 标签页以查看发现结果的完整 JSON 文件。
如需详细了解如何对每个 VM Threat Detection 发现结果做出相应的响应,请参阅 VM Threat Detection 响应。
如需查看 VM Threat Detection 发现结果列表,请参阅发现结果。
严重级别
系统会根据威胁分类置信度为虚拟机威胁检测发现结果分配严重级别为高、中和低。
组合检测
如果在一天内检测到多个类别的发现结果,就会进行组合检测。发现结果可能是由一个或多个恶意应用导致的。例如,单个应用可以同时触发 Execution: Cryptocurrency Mining YARA Rule 和 Execution: Cryptocurrency
Mining Hash Match 发现结果。但是,在当天从单个来源检测到的所有威胁都会汇总到一个组合检测发现结果中。在接下来的几天,如果发现更多威胁(即使是相同的威胁),则会附加到新发现结果。
如需查看组合检测发现结果的示例,请参阅发现结果格式示例。
发现结果格式示例
这些 JSON 输出示例包含虚拟机威胁检测发现结果的通用字段。每个示例仅显示与发现结果类型相关的字段,不提供字段的详尽列表。
您可以通过 Security Command Center 信息中心导出发现结果,也可以通过 Security Command Center API 列出发现结果。
如需查看示例发现结果,请展开以下一个或多个节点。如需了解发现结果中的每个字段,请参阅 Finding。
Defense Evasion: Rootkit预览版
此输出示例展示了一项已知的内核模式 rootkit:Diamorphine。
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Rootkit",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {
"name": "Diamorphine",
"unexpected_kernel_code_pages": true,
"unexpected_system_call_handler": true
},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected ftrace handler预览版
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected ftrace handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected interrupt handler预览版
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected interrupt handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel code modification预览版
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel code modification",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel modules预览版
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel modules",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel read-only data modification预览版
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel read-only data modification",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kprobe handler预览版
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kprobe handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected processes in runqueue预览版
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected processes in runqueue",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected system call handler预览版
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected system call handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining Combined
Detection
此输出示例显示了由 CRYPTOMINING_HASH 和 CRYPTOMINING_YARA 模块检测到的威胁。
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining Combined Detection",
"createTime": "2023-01-05T01:40:48.994Z",
"database": {},
"eventTime": "2023-01-05T01:39:36.876Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE1"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE9"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE10"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE25"
}
},
{
"memoryHashSignature": {
"binaryFamily": "XMRig",
"detections": [
{
"binary": "linux-x86-64_xmrig_6.12.2",
"percentPagesMatched": 1
}
]
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining Hash Match
Detection
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining Hash Match",
"createTime": "2023-01-05T01:40:48.994Z",
"database": {},
"eventTime": "2023-01-05T01:39:36.876Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"memoryHashSignature": {
"binaryFamily": "XMRig",
"detections": [
{
"binary": "linux-x86-64_xmrig_6.12.2",
"percentPagesMatched": 1
}
]
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining YARA Rule
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining YARA Rule",
"createTime": "2023-01-05T00:37:38.450Z",
"database": {},
"eventTime": "2023-01-05T01:12:48.828Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE9"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE10"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE25"
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Malware: Malicious file on disk (YARA)
{
"findings": {
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Malware: Malicious file on disk (YARA)",
"createTime": "2023-01-05T00:37:38.450Z",
"eventTime": "2023-01-05T01:12:48.828Z",
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "M_Backdoor_REDSONJA_1"
},
"signatureType": "SIGNATURE_TYPE_FILE",
},
{
"yaraRuleSignature": {
"yaraRule": "M_Backdoor_REDSONJA_2"
},
"signatureType": "SIGNATURE_TYPE_FILE",
}
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"files": [
{
"diskPath": {
"partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539",
"relative_path": "RELATIVE_PATH"
},
"size": "21238",
"sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69",
"hashedSize": "21238"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
更改发现结果的状态
解决了由 VM Threat Detection 识别出的威胁后,该服务不会在后续扫描中自动将发现结果状态设置为非活跃。由于我们的威胁网域的性质,VM Threat Detection 无法确定威胁是否已被缓解或发生变化,以免被检测出。
当安全团队认为威胁得到缓解时,可以执行以下步骤,将发现结果状态更改为非活跃。
在 Google Cloud 控制台中,进入 Security Command Center 的发现结果页面。
在查看方式旁边,点击来源类型。
在来源类型列表中,选择 Virtual Machine Threat Detection。系统会根据所选来源类型在表中填充发现结果。
选中已解决的发现结果旁边的复选框。
点击更改活跃状态。
点击无效。
启用或停用 VM Threat Detection
VM Threat Detection 对 2022 年 7 月 15 日(此服务正式发布的时间)之后注册 Security Command Center Premium 的所有客户默认启用。如果需要,您可以为项目或组织手动停用或重新启用此服务。
如果您在组织或项目中启用 VM Threat Detection,该服务会自动扫描该组织或项目中的所有受支持的资源。相反,当您对组织或项目停用 VM Threat Detection 时,此服务会停止扫描其中所有支持的资源。
如需启用或停用 VM Threat Detection,请执行以下操作:
控制台
在 Google Cloud 控制台中,您可以通过设置页面上的服务标签页启用或停用 VM Threat Detection。
如需了解详情,请参阅启用或停用内置服务。
cURL
请发送 PATCH 请求:
curl -X PATCH -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
-H "Content-Type: application/json; charset=utf-8" \
-H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings \
-d '{"serviceEnablementState": "NEW_STATE"}'
请替换以下内容:
- X_GOOG_USER_PROJECT:结算与 VM Threat Detection 扫描相关的访问费用的项目。
- RESOURCE:要扫描的资源类型(
organizations或projects)。 - RESOURCE_ID:要对其启用或停用 VM Threat Detection 的组织或项目的标识符。
- NEW_STATE:您希望 VM Threat Detection 所处的状态(
ENABLED或DISABLED)。
gcloud
运行以下命令:
gcloud alpha scc settings services ACTION --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION
请替换以下内容:
- ACTION:您希望对 VM Threat Detection 服务执行的操作(
enable或disable)。 - RESOURCE:要对其启用或停用 VM Threat Detection 的资源的类型(
organization或project)。 - RESOURCE_ID:要对其启用或停用 VM Threat Detection 的组织或项目的标识符。
启用或停用 VM Threat Detection 模块
如需启用或停用单个 VM Threat Detection 检测器(也称为“模块”),请执行以下操作。您的更改最长可能需要 1 小时才会生效。
如需了解所有虚拟机威胁检测威胁发现结果以及生成这些威胁的模块,请参阅威胁发现结果表。
控制台
请参阅启用或停用模块。
cURL
如需对组织或项目启用或停用 VM Threat Detection 模块,请发送 PATCH 请求:
curl -X PATCH -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
-H "Content-Type: application/json; charset=utf-8" \
-H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings \
-d '{"modules": {"MODULE": {"module_enablement_state": "NEW_STATE"}}}'
请替换以下内容:
- X_GOOG_USER_PROJECT:结算与 VM Threat Detection 扫描相关的访问费用的项目。
- RESOURCE:要对其启用或停用模块的资源类型(
organizations或projects)。 - RESOURCE_ID:要对其启用或停用模块的组织或项目的 ID。
- MODULE:要启用或停用的模块,例如
CRYPTOMINING_HASH。 - NEW_STATE:您希望模块所处的状态(
ENABLED或DISABLED)。
gcloud
如需对组织或项目启用或停用 VM Threat Detection 模块,请运行以下命令:
gcloud alpha scc settings services modules ACTION --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION --module MODULE
请替换以下内容:
- ACTION:您要对模块执行的操作(
enable或disable)。 - RESOURCE:要对其启用或停用模块的资源类型(
organization或project)。 - RESOURCE_ID:要对其启用或停用模块的组织或项目的 ID。
- MODULE:要启用或停用的模块,例如
CRYPTOMINING_HASH。
查看 VM Threat Detection 模块的设置
如需了解所有虚拟机威胁检测威胁发现结果以及生成这些威胁的模块,请参阅威胁发现结果表。
控制台
请参阅查看服务的模块。
cURL
请发送 GET 请求:
curl -X GET -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
-H "Content-Type: application/json; charset=utf-8" \
-H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings:calculate
请替换以下内容:
- X_GOOG_USER_PROJECT:结算与 VM Threat Detection 扫描相关的访问费用的项目。
- RESOURCE:要查看其模块设置的资源类型。
- RESOURCE_ID:要查看其模块的设置的组织或项目 ID。
gcloud
如需查看单个模块的设置,请运行以下命令:
gcloud alpha scc settings services modules describe --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION --module MODULE
要查看所有模块的设置,请运行以下命令:
gcloud alpha scc settings services describe --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION
请替换以下内容:
- RESOURCE:要查看其模块设置的资源类型(
organization或project)。 - RESOURCE_ID:要查看其模块的设置的组织或项目 ID。
- MODULE:您要查看的模块,例如
CRYPTOMINING_HASH。
用于加密货币挖矿检测的软件名称和 YARA 规则
以下列表包含可触发加密货币挖掘发现结果的二进制文件和 YARA 规则的名称。如需查看列表,请展开节点。
Execution: Cryptocurrency Mining Hash Match
- Arionum CPU Miner:面向 Arionum 加密货币的挖矿软件
- Avermore:面向基于 Scrypt 加密货币的挖矿软件
- Beam CUDA Miner:面向基于 Equihash 的加密货币的挖矿软件
- Beam OpenCL Miner:面向基于 Equihash 的加密货币的挖矿软件
- BFGMiner:面向 Bitcoin 的 ASIC/FPGA 挖矿软件
- BMiner:面向各种加密货币的挖矿软件
- Cast XMR:面向基于 CryptoNight 的加密货币的挖矿软件
- ccccer:面向基于 CUDA 的挖矿软件
- cgminer:面向 Bitcoin 的 ASIC/FPGA 挖矿软件
- Claymore's Miner:面向各种加密货币的基于 GPU 的挖掘软件
- CPUMiner:基于 CPU 的挖掘软件系列
- CryptoDredge:面向 CryptoDredge 的挖矿软件系列
- CryptoGoblin:面向 CryptoNight 的加密货币的挖矿软件
- DamoMiner:面向 Ehereum 和其他加密货币的基于 GPU 的挖矿软件
- DigitsMiner:面向 Digits 的挖掘软件
- EasyMiner:面向比特币和其他加密货币的挖矿软件
- Ethminer:面向 Etherum 和其他加密货币的挖矿软件
- EWBF:面向基于 Equihash 的加密货币的挖矿软件
- FinMiner:面向 Ethash 和基于 CryptoNight 的加密货币的挖矿软件
- Funakoshi Miner:面向 Bitcoin-Gold 加密货币的挖矿软件
- Geth:面向 Ehereum 挖矿软件
- GMiner:面向各种加密货币的挖矿软件
- gominer:面向 Decred 的挖矿软件
- GrinGoldMiner:面向 Grin 的挖掘软件
- Hush:面向基于 Zcash 的加密货币的挖矿软件
- IxiMiner:面向 Ixian 的挖矿软件
- kawpowminer:面向 Ravencoin 挖矿软件
- Komodo:面向 Komodo 的采矿软件系列
- lolMiner:面向各种加密货币的挖矿软件
- lukMiner:面向各种加密货币的挖矿软件
- MinerGate:面向各种加密货币的挖矿软件
- miniZ:面向基于 Equihash 的加密货币的挖矿软件
- Mirai:可用于挖掘加密货币的恶意软件
- MultiMiner:面向各种加密货币的挖矿软件
- nanominer:面向各种加密货币的挖矿软件
- NBMiner:面向各种加密货币的挖矿软件
- Never:面向各种加密货币的挖矿软件
- nheqminer:面向 NiceHash 的挖矿软件
- NinjaRig:面向基于 Argon2 的加密货币的挖矿软件
- NodeCore PoW CUDA Miner:面向 VeriBlock 挖矿软件
- NoncerPro:面向 Nmiq 的挖矿软件
- Optiminer/Equihash:面向 Equihash 的加密货币的挖矿软件
- PascalCoin:面向 PascalCoin 的挖矿软件系列
- PhoenixMiner:面向 Ethereum 的挖矿软件
- Pooler CPU Miner:面向 Litecoin 和 Bitcoin 的挖矿软件
- ProgPoW Miner:面向 Ehereum 和其他加密货币的挖矿软件
- rrminer:面向 PascalCoin 的挖矿软件
- sgminer:面向基于 scrypt 加密货币的挖矿软件
- simplecoin:面向基于 scrypt 的 SimpleCoin 的挖矿软件系列
- Skypool Namiq Miner:面向 Nimq 的挖矿软件
- SwapReferenceMiner:面向 Grin 的挖矿软件
- Red Red 团队:面向各种加密货币的基于 AMD 的挖矿软件
- T-Rex:面向各种加密货币的挖矿软件
- TT-Miner:面向各种加密货币的挖矿软件
- Ubqminer:面向基于 Ubqhash 的加密货币的挖矿软件
- VersusCoin:面向 VersusCoin 的挖矿软件
- violetminer:面向基于 Argon2 的加密货币的挖矿软件
- webchain-miner:面向 MintMe 的挖矿软件
- WildRig:面向各种加密货币的挖矿软件
- XCASH_ALL_Miner:面向 XCASH 的挖矿软件
- xFash:面向 MinerGate 的挖矿软件
- XLArig:面向基于 CryptoNight 的加密货币的挖矿软件
- XMRig:面向各种加密货币的挖矿软件
- Xmr-Stak:面向基于 CryptoNight 的加密货币的挖矿软件
- XMR-Stak TurtleCoin:面向基于 CryptoNight 的加密货币的挖矿软件
- Xtl-Strk:面向基于 CryptoNight 的加密货币的挖矿软件
- Yam Miner:面向 MinerGate 的挖矿软件
- YCash:面向 YCash 的挖掘软件
- ZCoin:面向 ZCoin/Fire 挖矿软件
- Zealot/Enemy:面向各种加密货币的挖矿软件
- 加密货币挖矿机信号1
1 此通用威胁名称表示虚拟机中可能运行未知的加密货币挖矿机活动,但 VM Threat Detection 没有关于该挖矿机的具体信息。
Execution: Cryptocurrency Mining YARA Rule
- YARA_RULE1:与面向 Monero 的挖矿软件匹配
- YARA_RULE9:与使用 Blake2 和 AES 加密的挖矿软件匹配
- YARA_RULE10:与使用 CryptoNight 工作证明例程的挖矿软件匹配
- YARA_RULE15:与面向 NBMiner 的挖矿软件匹配
- YARA_RULE17:与使用 Scrypt 工作证明例程的挖矿软件匹配
- YARA_RULE18:与使用 Scrypt 工作证明例程的挖矿软件匹配
- YARA_RULE19:与面向 BFGMiner 的挖矿软件匹配
- YARA_RULE24:与面向 XMR-Stak 的挖矿软件匹配
- YARA_RULE25:与面向 XMRig 的挖矿软件匹配
- DYNAMIC_YARA_RULE_BFGMINER_2:与面向 BFGMiner 的挖矿软件匹配
后续步骤
- 详细了解 VM Threat Detection。
- 了解如何调查 VM Threat Detection 发现结果。