This page describes how to view and manage VM Threat Detection findings. It also shows you how to enable or disable the service and its modules.
Overview
Virtual Machine Threat Detection is a built-in service of Security Command Center that is available in the Enterprise and Premium tiers. This service scans Compute Engine instances to detect potentially malicious applications, such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments.
VM Threat Detection is part of the Security Command Center threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.
For more information, see VM Threat Detection overview.
Costs
After you enroll in Security Command Center Premium, there is no additional cost to use VM Threat Detection.
Before you begin
To use this feature, you must be enrolled in Security Command Center Premium.
In addition, you need adequate Identity and Access Management (IAM) roles to view or edit findings, and modify Google Cloud resources. If you encounter access errors in Security Command Center, ask your administrator for assistance. To learn more about roles, see Access control.
Test VM Threat Detection
To test VM Threat Detection cryptocurrency mining detection, you can run a cryptocurrency mining application on your VM. For a list of binary names and YARA rules that trigger findings, see Software names and YARA rules. If you install and test mining applications, we recommended that you only run applications in an isolated test environment, closely monitor their use, and remove them completely after testing.
To test VM Threat Detection malware detection, you can download malware applications on your VM. If you download malware, we recommend that you do so in an isolated test environment, and remove them completely after testing.
Review findings in the Google Cloud console
To review VM Threat Detection findings in the Google Cloud console, do the following:
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
- In the Quick filters section, in the Source display name subsection, select Virtual Machine Threat Detection. The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
For more detailed information about how to respond to each VM Threat Detection finding, see VM Threat Detection response.
For a list of VM Threat Detection findings, see Findings.
Severity
VM Threat Detection findings are assigned High, Medium, and Low severity based on the threat classification confidence.
Combined detections
Combined detections occur when multiple categories of findings are detected
within a day. The findings can be caused by one or more malicious applications.
For example, a single application can simultaneously trigger
Execution: Cryptocurrency Mining YARA Rule and Execution: Cryptocurrency
Mining Hash Match findings. However, all threats detected from a single source
within the same day are rolled into one combined detection finding. In the
following days, if more threats are found, even the same ones, they are
attached to new findings.
For an example of a combined detection finding, see Example finding formats.
Example finding formats
These JSON output examples contain fields common to VM Threat Detection findings. Each example shows only the fields relevant to the finding type; it doesn't provide an exhaustive list of fields.
You can export findings through the Security Command Center console or list findings through the Security Command Center API.
To see the example findings, expand one or more of the following nodes. For
information about each field in the finding, see
Finding.
Defense Evasion: Rootkit
This output example shows a finding of a known kernel-mode rootkit: Diamorphine.
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Rootkit",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {
"name": "Diamorphine",
"unexpected_kernel_code_pages": true,
"unexpected_system_call_handler": true
},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected ftrace handler (Preview)
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected ftrace handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected interrupt handler (Preview)
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected interrupt handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel code modification (Preview)
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel code modification",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel modules (Preview)
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel modules",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel read-only data modification (Preview)
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel read-only data modification",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kprobe handler (Preview)
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kprobe handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected processes in runqueue (Preview)
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected processes in runqueue",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected system call handler (Preview)
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected system call handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining Combined
Detection
This output example shows a threat that was detected by both the
CRYPTOMINING_HASH and CRYPTOMINING_YARA modules.
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining Combined Detection",
"createTime": "2023-01-05T01:40:48.994Z",
"database": {},
"eventTime": "2023-01-05T01:39:36.876Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE1"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE9"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE10"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE25"
}
},
{
"memoryHashSignature": {
"binaryFamily": "XMRig",
"detections": [
{
"binary": "linux-x86-64_xmrig_6.12.2",
"percentPagesMatched": 1
}
]
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining Hash Match
Detection
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining Hash Match",
"createTime": "2023-01-05T01:40:48.994Z",
"database": {},
"eventTime": "2023-01-05T01:39:36.876Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"memoryHashSignature": {
"binaryFamily": "XMRig",
"detections": [
{
"binary": "linux-x86-64_xmrig_6.12.2",
"percentPagesMatched": 1
}
]
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining YARA Rule
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining YARA Rule",
"createTime": "2023-01-05T00:37:38.450Z",
"database": {},
"eventTime": "2023-01-05T01:12:48.828Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE9"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE10"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE25"
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Malware: Malicious file on disk (YARA)
{
"findings": {
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Malware: Malicious file on disk (YARA)",
"createTime": "2023-01-05T00:37:38.450Z",
"eventTime": "2023-01-05T01:12:48.828Z",
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "M_Backdoor_REDSONJA_4"
},
"signatureType": "SIGNATURE_TYPE_FILE",
},
{
"yaraRuleSignature": {
"yaraRule": "M_Backdoor_REDSONJA_3"
},
"signatureType": "SIGNATURE_TYPE_FILE",
}
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"files": [
{
"diskPath": {
"partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539",
"relative_path": "RELATIVE_PATH"
},
"size": "21238",
"sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69",
"hashedSize": "21238"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Change the state of findings
When you resolve threats identified by VM Threat Detection, the service does not automatically set a finding's state to Inactive in subsequent scans. Due to the nature of our threat domain, VM Threat Detection can't determine if a threat is mitigated or has changed to avoid detection.
When your security teams are satisfied that a threat is mitigated, they can perform the following steps to change the state of findings to inactive.
Go to Security Command Center's Findings page in the Google Cloud console.
Next to View by, click Source Type.
In the Source type list, select Virtual Machine Threat Detection. A table populates with findings for the source type you selected.
Select the checkbox next to the findings that are resolved.
Click Change Active State.
Click Inactive.
Enable or disable VM Threat Detection
VM Threat Detection is enabled by default for all customers that enroll in Security Command Center Premium after July 15, 2022, which is when this service became generally available. If needed, you can disable or re-enable it manually for your project or organization.
When you enable VM Threat Detection on an organization or project, the service automatically scans all supported resources in that organization or project. Conversely, when you disable VM Threat Detection on an organization or project, the service stops scanning all supported resources in it.
To enable or disable VM Threat Detection, do the following:
Console
In the Google Cloud console, go to the Virtual Machine Threat Detection Service Enablement page.
In the Virtual Machine Threat Detection column, select the current status, and then select one of the following:
- Enable: enable VM Threat Detection
- Disable: disable VM Threat Detection
- Inherit: inherit the enablement status from the parent folder or organization; available only for projects and folders
gcloud
The
gcloud scc manage services update
command updates the state of a Security Command Center service or module.
Before using any of the command data below, make the following replacements:
-
RESOURCE_TYPE: the type of resource to update (organization,folder, orproject) -
RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID -
NEW_STATE:ENABLEDto enable VM Threat Detection;DISABLEDto disable VM Threat Detection; orINHERITEDto inherit the enablement status of the parent resource (valid only for projects and folders)
Execute the
gcloud scc manage services update
command:
Linux, macOS, or Cloud Shell
gcloud scc manage services update vm-threat-detection \
--RESOURCE_TYPE=RESOURCE_ID \
--enablement-state=NEW_STATE
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection `
--RESOURCE_TYPE=RESOURCE_ID `
--enablement-state=NEW_STATE
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^
--RESOURCE_TYPE=RESOURCE_ID ^
--enablement-state=NEW_STATE
You should receive a response similar to the following:
effectiveEnablementState: ENABLED
modules:
CRYPTOMINING_HASH:
effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
CRYPTOMINING_YARA:
effectiveEnablementState: ENABLED
KERNEL_INTEGRITY_TAMPERING:
effectiveEnablementState: ENABLED
KERNEL_MEMORY_TAMPERING:
effectiveEnablementState: ENABLED
MALWARE_DISK_SCAN_YARA:
effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
The Security Command Center Management API's
RESOURCE_TYPE.locations.securityCenterServices.patch
method updates the state of a Security Command Center service or module.
Before using any of the request data, make the following replacements:
-
RESOURCE_TYPE: the type of resource to update (organizations,folders, orprojects) -
QUOTA_PROJECT: the project ID to use for billing and quota tracking -
RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID -
NEW_STATE:ENABLEDto enable VM Threat Detection;DISABLEDto disable VM Threat Detection; orINHERITEDto inherit the enablement status of the parent resource (valid only for projects and folders)
HTTP method and URL:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=intendedEnablementState
Request JSON body:
{
"intendedEnablementState": "NEW_STATE"
}
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{
"name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
"effectiveEnablementState": "ENABLED",
"modules": {
"CRYPTOMINING_YARA": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_MEMORY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_INTEGRITY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"CRYPTOMINING_HASH": {
"intendedEnablementState": "ENABLED",
"effectiveEnablementState": "ENABLED"
},
"MALWARE_DISK_SCAN_YARA": {
"effectiveEnablementState": "ENABLED"
}
},
"updateTime": "2024-08-05T22:32:01.536452397Z"
}
Enable or disable a VM Threat Detection module
To enable or disable an individual VM Threat Detection detector, also known as a module, do the following. It can take up to an hour for your changes to take effect.
For information about all VM Threat Detection threat findings and the modules that generate them, see Threat findings.
Console
The Google Cloud console lets you enable or disable VM Threat Detection modules at the organization level. To enable or disable VM Threat Detection modules at the folder or project level, use the gcloud CLI or the REST API.
In the Google Cloud console, go to the Virtual Machine Threat Detection Modules page.
In the Status column, select the current status of the module that you want to enable or disable, and then select one of the following:
- Enable: Enable the module.
- Disable: Disable the module.
gcloud
The
gcloud scc manage services update
command updates the state of a Security Command Center service or module.
Before using any of the command data below, make the following replacements:
-
RESOURCE_TYPE: the type of resource to update (organization,folder, orproject) -
RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID -
MODULE_NAME: the name of the module to enable or disable; for valid values, see Threat findings -
NEW_STATE:ENABLEDto enable the module;DISABLEDto disable the module; orINHERITEDto inherit the enablement status of the parent resource (valid only for projects and folders)
Save the following content in a file called request.json:
{
"MODULE_NAME": {
"intendedEnablementState": "NEW_STATE"
}
}
Execute the
gcloud scc manage services update
command:
Linux, macOS, or Cloud Shell
gcloud scc manage services update vm-threat-detection \
--RESOURCE_TYPE=RESOURCE_ID \
--enablement-state=ENABLED \
--module-config-file=request.json
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection `
--RESOURCE_TYPE=RESOURCE_ID `
--enablement-state=ENABLED \
--module-config-file=request.json
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^
--RESOURCE_TYPE=RESOURCE_ID ^
--enablement-state=ENABLED \
--module-config-file=request.json
You should receive a response similar to the following:
effectiveEnablementState: ENABLED
modules:
CRYPTOMINING_HASH:
effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
CRYPTOMINING_YARA:
effectiveEnablementState: ENABLED
KERNEL_INTEGRITY_TAMPERING:
effectiveEnablementState: ENABLED
KERNEL_MEMORY_TAMPERING:
effectiveEnablementState: ENABLED
MALWARE_DISK_SCAN_YARA:
effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
The Security Command Center Management API's
RESOURCE_TYPE.locations.securityCenterServices.patch
method updates the state of a Security Command Center service or module.
Before using any of the request data, make the following replacements:
-
RESOURCE_TYPE: the type of resource to update (organizations,folders, orprojects) -
QUOTA_PROJECT: the project ID to use for billing and quota tracking -
RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID -
MODULE_NAME: the name of the module to enable or disable; for valid values, see Threat findings -
NEW_STATE:ENABLEDto enable the module;DISABLEDto disable the module; orINHERITEDto inherit the enablement status of the parent resource (valid only for projects and folders)
HTTP method and URL:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=modules
Request JSON body:
{
"modules": {
"MODULE_NAME": {
"intendedEnablementState": "NEW_STATE"
}
}
}
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{
"name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
"effectiveEnablementState": "ENABLED",
"modules": {
"CRYPTOMINING_YARA": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_MEMORY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_INTEGRITY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"CRYPTOMINING_HASH": {
"intendedEnablementState": "ENABLED",
"effectiveEnablementState": "ENABLED"
},
"MALWARE_DISK_SCAN_YARA": {
"effectiveEnablementState": "ENABLED"
}
},
"updateTime": "2024-08-05T22:32:01.536452397Z"
}
View the settings of the VM Threat Detection modules
For information about all VM Threat Detection threat findings and the modules that generate them, see the Threat findings table.
Console
The Google Cloud console lets you view settings for VM Threat Detection modules at the organization level. To view settings for VM Threat Detection modules at the folder or project level, use the gcloud CLI or the REST API.
To view the settings in the Google Cloud console, go to the Virtual Machine Threat Detection Modules page.
gcloud
The
gcloud scc manage services update
command gets the state of a Security Command Center service or module.
Before using any of the command data below, make the following replacements:
-
RESOURCE_TYPE: the type of resource to get (organizations,folders, orprojects) -
QUOTA_PROJECT: the project ID to use for billing and quota tracking -
RESOURCE_ID: the numeric identifier of the organization, folder, or project to get; for projects, you can also use the alphanumeric project ID
Save the following content in a file called request.json:
{
"MODULE_NAME": {
"intendedEnablementState": "NEW_STATE"
}
}
Execute the
gcloud scc manage services update
command:
Linux, macOS, or Cloud Shell
gcloud scc manage services update vm-threat-detection \
--RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection `
--RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^
--RESOURCE_TYPE=RESOURCE_ID
You should receive a response similar to the following:
effectiveEnablementState: ENABLED
modules:
CRYPTOMINING_HASH:
effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
CRYPTOMINING_YARA:
effectiveEnablementState: ENABLED
KERNEL_INTEGRITY_TAMPERING:
effectiveEnablementState: ENABLED
KERNEL_MEMORY_TAMPERING:
effectiveEnablementState: ENABLED
MALWARE_DISK_SCAN_YARA:
effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
The Security Command Center Management API's
RESOURCE_TYPE.locations.securityCenterServices.get
method gets the state of a Security Command Center service or module.
Before using any of the request data, make the following replacements:
-
RESOURCE_TYPE: the type of resource to get (organizations,folders, orprojects) -
QUOTA_PROJECT: the project ID to use for billing and quota tracking -
RESOURCE_ID: the numeric identifier of the organization, folder, or project to get; for projects, you can also use the alphanumeric project ID
HTTP method and URL:
GET https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{
"name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
"effectiveEnablementState": "ENABLED",
"modules": {
"CRYPTOMINING_YARA": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_MEMORY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_INTEGRITY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"CRYPTOMINING_HASH": {
"intendedEnablementState": "ENABLED",
"effectiveEnablementState": "ENABLED"
},
"MALWARE_DISK_SCAN_YARA": {
"effectiveEnablementState": "ENABLED"
}
},
"updateTime": "2024-08-05T22:32:01.536452397Z"
}
Software names and YARA rules for cryptocurrency mining detection
The following lists include the names of binaries and YARA rules that trigger cryptocurrency mining findings. To see the lists, expand the nodes.
Execution: Cryptocurrency Mining Hash Match
- Arionum CPU miner: mining software for Arionum cryptocurrency
- Avermore: mining software for scrypt-based cryptocurrencies
- Beam CUDA miner: mining software for Equihash-based cryptocurrencies
- Beam OpenCL miner: mining software for Equihash-based cryptocurrencies
- BFGMiner: ASIC/FPGA-based mining software for Bitcoin
- BMiner: mining software for various cryptocurrencies
- Cast XMR: mining software for CryptoNight-based cryptocurrencies
- ccminer: CUDA-based mining software
- cgminer: ASIC/FPGA-based mining software for Bitcoin
- Claymore's miner: GPU-based mining software for various cryptocurrencies
- CPUMiner: family of CPU-based mining software
- CryptoDredge: family of mining software for CryptoDredge
- CryptoGoblin: mining software for CryptoNight-based cryptocurrencies
- DamoMiner: GPU-based mining software for Ethereum and other cryptocurrencies
- DigitsMiner: mining software for Digits
- EasyMiner: mining software for Bitcoin and other cryptocurrencies
- Ethminer: mining software for Ethereum and other cryptocurrencies
- EWBF: mining software for Equihash-based cryptocurrencies
- FinMiner: mining software for Ethash and CryptoNight-based cryptocurrencies
- Funakoshi Miner: mining software for Bitcoin-Gold cryptocurrencies
- Geth: mining software for Ethereum
- GMiner: mining software for various cryptocurrencies
- gominer: mining software for Decred
- GrinGoldMiner: mining software for Grin
- Hush: mining software for Zcash-based cryptocurrencies
- IxiMiner: mining software for Ixian
- kawpowminer: mining software for Ravencoin
- Komodo: family of mining software for Komodo
- lolMiner: mining software for various cryptocurrencies
- lukMiner: mining software for various cryptocurrencies
- MinerGate: mining software for various cryptocurrencies
- miniZ: mining software for Equihash-based cryptocurrencies
- Mirai: malware that can be used to mine cryptocurrencies
- MultiMiner: mining software for various cryptocurrencies
- nanominer: mining software for various cryptocurrencies
- NBMiner: mining software for various cryptocurrencies
- Nevermore: mining software for various cryptocurrencies
- nheqminer: mining software for NiceHash
- NinjaRig: mining software for Argon2-based cryptocurrencies
- NodeCore PoW CUDA Miner: mining software for VeriBlock
- NoncerPro: mining software for Nimiq
- Optiminer/Equihash: mining software for Equihash-based cryptocurrencies
- PascalCoin: family of mining software for PascalCoin
- PhoenixMiner: mining software for Ethereum
- Pooler CPU Miner: mining software for Litecoin and Bitcoin
- ProgPoW Miner: mining software for Ethereum and other cryptocurrencies
- rhminer: mining software for PascalCoin
- sgminer: mining software for scrypt-based cryptocurrencies
- simplecoin: family of mining software for scrypt-based SimpleCoin
- Skypool Nimiq Miner: mining software for Nimiq
- SwapReferenceMiner: mining software for Grin
- Team Red Miner: AMD-based mining software for various cryptocurrencies
- T-Rex: mining software for various cryptocurrencies
- TT-Miner: mining software for various cryptocurrencies
- Ubqminer: mining software for Ubqhash-based cryptocurrencies
- VersusCoin: mining software for VersusCoin
- violetminer: mining software for Argon2-based cryptocurrencies
- webchain-miner: mining software for MintMe
- WildRig: mining software for various cryptocurrencies
- XCASH_ALL_Miner: mining software for XCASH
- xFash: mining software for MinerGate
- XLArig: mining software for CryptoNight-based cryptocurrencies
- XMRig: mining software for various cryptocurrencies
- Xmr-Stak: mining software for CryptoNight-based cryptocurrencies
- XMR-Stak TurtleCoin: mining software for CryptoNight-based cryptocurrencies
- Xtl-Stak: mining software for CryptoNight-based cryptocurrencies
- Yam Miner: mining software for MinerGate
- YCash: mining software for YCash
- ZCoin: mining software for ZCoin/Fire
- Zealot/Enemy: mining software for various cryptocurrencies
- Cryptocurrency miner signal1
1 This generic threat name indicates that an unknown cryptocurrency miner might be operating in the VM, but VM Threat Detection does not have specific information about the miner.
Execution: Cryptocurrency Mining YARA Rule
- YARA_RULE1: matches mining software for Monero
- YARA_RULE9: matches mining software that uses the Blake2 and AES cipher
- YARA_RULE10: matches mining software that uses the CryptoNight proof-of-work routine
- YARA_RULE15: matches mining software for NBMiner
- YARA_RULE17: matches mining software that uses the Scrypt proof-of-work routine
- YARA_RULE18: matches mining software that uses the Scrypt proof-of-work routine
- YARA_RULE19: matches mining software for BFGMiner
- YARA_RULE24: matches mining software for XMR-Stak
- YARA_RULE25: matches mining software for XMRig
- DYNAMIC_YARA_RULE_BFGMINER_2: matches mining software for BFGMiner
What's next
- Learn more about VM Threat Detection.
- Learn how to investigate VM Threat Detection findings.