This page describes how to view and manage VM Threat Detection findings. It also shows how to enable or disable the service and its modules.
Overview
VM Threat Detection is a built-in service of Security Command Center Premium that detects threats through hypervisor-level instrumentation and persistent-disk analysis. It can detect potentially malicious applications such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments.
VM Threat Detection is part of the Security Command Center Premium threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.
For more information, see the VM Threat Detection overview.
Costs
There is no additional charge for using VM Threat Detection once you are enrolled in Security Command Center Premium.
Before you begin
To use this feature, you must be enrolled in Security Command Center Premium.
You also need sufficient Identity and Access Management (IAM) roles to view or edit findings and to modify Google Cloud resources. If you encounter access errors in Security Command Center, ask your administrator for help. For more information about roles, see Access control.
Test VM Threat Detection
To test VM Threat Detection's cryptocurrency mining detection, you can run a cryptomining application. For the binary names and YARA rules, see Software names and YARA rules for cryptomining detection. If you install and test a mining application, we recommend running it only in an isolated test environment, monitoring its usage closely, and removing it completely after testing.
To test VM Threat Detection's malware detection, you can download malware and deploy it. If you download malware, we recommend doing so only in an isolated test environment and deleting it after testing.
View findings in the Google Cloud console
To view VM Threat Detection findings in the Google Cloud console, do the following:
1. Go to the Security Command Center Findings page in the Google Cloud console.
2. If necessary, select your Google Cloud project or organization.
3. In the Quick filters section, under the Source display name subsection, select Virtual Machine Threat Detection.
4. If you don't see Virtual Machine Threat Detection, click View more and search for Virtual Machine Threat Detection in the dialog.
5. To view the details of a specific finding, click the finding's name under Category. The finding's details panel opens and shows the Summary tab.
6. On the Summary tab, review the information about the finding, including the detected binary and the affected resource.
7. In the details panel, click the JSON tab to view the finding's complete JSON.
For details about how to respond to each VM Threat Detection finding, see VM Threat Detection responses.
For a list of VM Threat Detection findings, see Findings.
Severity
VM Threat Detection findings are rated High, Medium, or Low. The severity is assessed from the confidence of the threat classification.
Combined detection
Combined detection occurs when findings from multiple categories are detected within one day. The findings may be caused by one or more malicious applications; for example, a single application can trigger both an Execution: Cryptocurrency Mining YARA Rule finding and an Execution: Cryptocurrency Mining Hash Match finding. All threats detected from a single source on the same day are aggregated into one combined detection finding. On subsequent days, any further threats, even the same ones, are attached to a new finding.
For an example of a combined detection finding, see Finding format examples.
Finding format examples
These example JSON outputs contain the common fields of VM Threat Detection findings. Each example shows only the fields relevant to that finding type; it is not an exhaustive list of fields.
You can export findings from the Security Command Center dashboard or list findings through the Security Command Center API.
For information about each field, see Finding.
Defense Evasion: Rootkit
Preview
This example output shows a known kernel-mode rootkit, Diamorphine.
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Rootkit",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {
      "name": "Diamorphine",
      "unexpected_kernel_code_pages": true,
      "unexpected_system_call_handler": true
    },
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Defense Evasion: Unexpected ftrace handler
Preview
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected ftrace handler",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "MEDIUM",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Defense Evasion: Unexpected interrupt handler
Preview
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected interrupt handler",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "MEDIUM",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Defense Evasion: Unexpected kernel code modification
Preview
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected kernel code modification",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "MEDIUM",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Defense Evasion: Unexpected kernel modules
Preview
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected kernel modules",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "MEDIUM",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Defense Evasion: Unexpected kernel read-only data modification
Preview
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected kernel read-only data modification",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "MEDIUM",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Defense Evasion: Unexpected kprobe handler
Preview
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected kprobe handler",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "MEDIUM",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Defense Evasion: Unexpected processes in runqueue
Preview
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected processes in runqueue",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "MEDIUM",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Defense Evasion: Unexpected system call handler
Preview
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected system call handler",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "MEDIUM",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Execution: Cryptocurrency Mining Combined Detection
This example output shows a finding produced by the CRYPTOMINING_HASH and CRYPTOMINING_YARA modules together.
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining Combined Detection",
    "createTime": "2023-01-05T01:40:48.994Z",
    "database": {},
    "eventTime": "2023-01-05T01:39:36.876Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE1" } },
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE9" } },
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE10" } },
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE25" } },
        {
          "memoryHashSignature": {
            "binaryFamily": "XMRig",
            "detections": [
              { "binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1 }
            ]
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": { "path": "BINARY_PATH" },
        "script": {},
        "args": [ "./miner", "" ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Execution: Cryptocurrency Mining Hash Match
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining Hash Match",
    "createTime": "2023-01-05T01:40:48.994Z",
    "database": {},
    "eventTime": "2023-01-05T01:39:36.876Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "memoryHashSignature": {
            "binaryFamily": "XMRig",
            "detections": [
              { "binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1 }
            ]
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": { "path": "BINARY_PATH" },
        "script": {},
        "args": [ "./miner", "" ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Execution: Cryptocurrency Mining YARA Rule
```json
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining YARA Rule",
    "createTime": "2023-01-05T00:37:38.450Z",
    "database": {},
    "eventTime": "2023-01-05T01:12:48.828Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE9" } },
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE10" } },
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE25" } }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": { "path": "BINARY_PATH" },
        "script": {},
        "args": [ "./miner", "" ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
Malware: Malicious file on disk (YARA)
```json
{
  "findings": {
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Malware: Malicious file on disk (YARA)",
    "createTime": "2023-01-05T00:37:38.450Z",
    "eventTime": "2023-01-05T01:12:48.828Z",
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "yaraRuleSignature": { "yaraRule": "M_Backdoor_REDSONJA_1" },
          "signatureType": "SIGNATURE_TYPE_FILE"
        },
        {
          "yaraRuleSignature": { "yaraRule": "M_Backdoor_REDSONJA_2" },
          "signatureType": "SIGNATURE_TYPE_FILE"
        }
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "files": [
      {
        "diskPath": {
          "partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539",
          "relative_path": "RELATIVE_PATH"
        },
        "size": "21238",
        "sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69",
        "hashedSize": "21238"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
```
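The finding examples above share one shape, and the combined-detection section explains how the service rolls several categories seen on the same source on the same day into one finding. The following Python script is an added example (not code from Google or from this page) that reads exported results in that shape, pulls out the evidence a responder actually triages (YARA rule names, in-memory hash matches, `kernelRootkit` flags, process names, file SHA-256s), and then replays the same-resource, same-day grouping rule offline. The three results embedded in it are constructed from the page's examples with the placeholders (PROJECT_ID, ZONE, INSTANCE_ID, BINARY_PATH) kept, plus an invented second instance name, INSTANCE_2; the grouping by (resourceName, UTC day of eventTime) is this script's reading of the page's rule, not the service's internal logic.

```python
import json
from collections import defaultdict

# Constructed sample input (not real findings): three results in the shape of
# the page's finding examples, trimmed to the fields the triage code reads.
# Placeholders (PROJECT_ID, ZONE, INSTANCE_ID, BINARY_PATH) are kept as-is.
SAMPLE_RESULTS_JSON = """[
 {"findings": {"category": "Execution: Cryptocurrency Mining YARA Rule",
   "eventTime": "2023-01-05T01:12:48.828Z", "severity": "HIGH",
   "indicator": {"signatures": [{"yaraRuleSignature": {"yaraRule": "YARA_RULE9"}},
                                {"yaraRuleSignature": {"yaraRule": "YARA_RULE25"}}]},
   "kernelRootkit": {},
   "processes": [{"binary": {"path": "BINARY_PATH"}, "args": ["./miner", ""],
                  "pid": "123", "parentPid": "456", "name": "miner"}],
   "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"},
  "resource": {"type": "google.compute.Instance"}},
 {"findings": {"category": "Execution: Cryptocurrency Mining Hash Match",
   "eventTime": "2023-01-05T01:39:36.876Z", "severity": "HIGH",
   "indicator": {"signatures": [{"memoryHashSignature": {"binaryFamily": "XMRig",
     "detections": [{"binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1}]}}]},
   "kernelRootkit": {}, "processes": [],
   "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"},
  "resource": {"type": "google.compute.Instance"}},
 {"findings": {"category": "Defense Evasion: Rootkit",
   "eventTime": "2023-01-11T21:24:05.326Z", "severity": "HIGH",
   "indicator": {},
   "kernelRootkit": {"name": "Diamorphine", "unexpected_kernel_code_pages": true,
                     "unexpected_system_call_handler": true},
   "processes": [],
   "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_2"},
  "resource": {"type": "google.compute.Instance"}}
]"""


def load_sample_results():
    """Parse the constructed sample above (stands in for a findings export)."""
    return json.loads(SAMPLE_RESULTS_JSON)


def summarize(result):
    """Extract the evidence a responder needs from one result: which signatures
    fired (YARA rule names, in-memory hash matches), rootkit flags, processes,
    file hashes, plus the resource and the UTC day the event was seen."""
    f = result["findings"]
    yara_rules, hash_matches = [], []
    for sig in f.get("indicator", {}).get("signatures", []):
        if "yaraRuleSignature" in sig:
            yara_rules.append(sig["yaraRuleSignature"]["yaraRule"])
        if "memoryHashSignature" in sig:
            mh = sig["memoryHashSignature"]
            for det in mh.get("detections", []):
                hash_matches.append((mh.get("binaryFamily"), det.get("binary"),
                                     det.get("percentPagesMatched")))
    rootkit = f.get("kernelRootkit") or {}
    return {
        "category": f["category"],
        "severity": f.get("severity"),
        "resource": f["resourceName"],
        "day": f["eventTime"][:10],  # RFC 3339 timestamp -> YYYY-MM-DD (UTC)
        "yara_rules": yara_rules,
        "hash_matches": hash_matches,
        "rootkit_name": rootkit.get("name"),
        # The boolean kernelRootkit fields that are true name the specific anomaly
        "rootkit_flags": sorted(k for k, v in rootkit.items() if v is True),
        "processes": [p.get("name") for p in f.get("processes", [])],
        "file_sha256": [fl.get("sha256") for fl in f.get("files", [])],
    }


def group_by_resource_and_day(results):
    """Replay the page's combined-detection rule offline (this script's reading
    of it): categories seen on the same resource on the same UTC day belong to
    one aggregate; the next day starts a new one."""
    groups = defaultdict(set)
    for r in results:
        s = summarize(r)
        groups[(s["resource"], s["day"])].add(s["category"])
    return {key: sorted(cats) for key, cats in groups.items()}


def combined_candidates(results):
    """(resource, day) pairs with more than one category, i.e. the cases the
    service would report as a single Combined Detection finding."""
    return sorted(k for k, cats in group_by_resource_and_day(results).items()
                  if len(cats) > 1)


if __name__ == "__main__":
    results = load_sample_results()
    for r in results:
        print(json.dumps(summarize(r), indent=2))
    print("combined:", combined_candidates(results))
```

To run it against real data, replace `SAMPLE_RESULTS_JSON` with the output of a findings export or a `ListFindings` call filtered to the Virtual Machine Threat Detection source; `summarize` tolerates the optional fields being absent, as they are in the page's per-type examples.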
Change a finding's state
After you remediate a threat identified by VM Threat Detection, the service does not automatically set the finding's state to inactive on subsequent scans. Because of the nature of the threat domain, VM Threat Detection cannot determine whether a threat has been remediated or has changed in order to evade detection.
When your security team considers a threat remediated, you can change the finding's state to inactive by doing the following:
1. In the Google Cloud console, go to the Security Command Center Findings page.
2. Next to View by, click Source type.
3. In the Source type list, select Virtual Machine Threat Detection. The table is populated with findings for the selected source type.
4. Select the checkbox next to each resolved finding.
5. Click Change active state.
6. Click Inactive.
Enable or disable VM Threat Detection
VM Threat Detection is enabled by default for all customers who enrolled in Security Command Center Premium after July 15, 2022, when the service became generally available. If needed, you can manually disable or re-enable the service for a project or organization.
When you enable VM Threat Detection for an organization or project, the service automatically scans all supported resources in that organization or project. Conversely, when you disable VM Threat Detection for an organization or project, the service stops scanning all supported resources in it.
To enable or disable VM Threat Detection, do the following:
Console
In the Google Cloud console, you can enable or disable VM Threat Detection from the Services tab of the Settings page.
For more information, see Enable or disable built-in services.
cURL
Send a PATCH request:
```sh
curl -X PATCH -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
  -H "Content-Type: application/json; charset=utf-8" \
  -H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
  https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings \
  -d '{"serviceEnablementState": "NEW_STATE"}'
```
Replace the following:
- X_GOOG_USER_PROJECT: the project that is billed for the access costs associated with VM Threat Detection scans.
- RESOURCE: the type of resource to scan (organizations or projects).
- RESOURCE_ID: the identifier of the organization or project for which to enable or disable VM Threat Detection.
- NEW_STATE: the state you want VM Threat Detection to be in (ENABLED or DISABLED).
gcloud
Run the following command:
```sh
gcloud alpha scc settings services ACTION --RESOURCE RESOURCE_ID \
  --service VIRTUAL_MACHINE_THREAT_DETECTION
```
Replace the following:
- ACTION: the action to perform on the VM Threat Detection service (enable or disable).
- RESOURCE: the type of resource for which to enable or disable VM Threat Detection (organization or project).
- RESOURCE_ID: the identifier of the organization or project for which to enable or disable VM Threat Detection.
Enable or disable VM Threat Detection modules
To enable or disable an individual VM Threat Detection detector (also known as a module), do the following. Your changes can take up to 1 hour to take effect.
For information about all VM Threat Detection threat findings and modules, see the Threat findings table.
Console
See Enable or disable modules.
cURL
To enable or disable a VM Threat Detection module for an organization or project, send a PATCH request:
```sh
curl -X PATCH -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
  -H "Content-Type: application/json; charset=utf-8" \
  -H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
  https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings \
  -d '{"modules": {"MODULE": {"module_enablement_state": "NEW_STATE"}}}'
```
Replace the following:
- X_GOOG_USER_PROJECT: the project that is billed for the access costs associated with VM Threat Detection scans.
- RESOURCE: the type of resource for which to enable or disable the module (organizations or projects).
- RESOURCE_ID: the ID of the organization or project for which to enable or disable the module.
- MODULE: the module to enable or disable, for example CRYPTOMINING_HASH.
- NEW_STATE: the state you want the module to be in (ENABLED or DISABLED).
gcloud
To enable or disable a VM Threat Detection module for an organization or project, run the following command:
```sh
gcloud alpha scc settings services modules ACTION --RESOURCE RESOURCE_ID \
  --service VIRTUAL_MACHINE_THREAT_DETECTION --module MODULE
```
Replace the following:
- ACTION: the action to perform on the module (enable or disable).
- RESOURCE: the type of resource for which to enable or disable the module (organization or project).
- RESOURCE_ID: the ID of the organization or project for which to enable or disable the module.
- MODULE: the module to enable or disable, for example CRYPTOMINING_HASH.
View the settings of VM Threat Detection modules
For information about all VM Threat Detection threat findings and modules, see the Threat findings table.
Console
See View a service's modules.
cURL
Send a GET request:
```sh
curl -X GET -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
  -H "Content-Type: application/json; charset=utf-8" \
  -H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
  https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings:calculate
```
Replace the following:
- X_GOOG_USER_PROJECT: the project that is billed for the access costs associated with VM Threat Detection scans.
- RESOURCE: the type of resource whose module settings you want to view.
- RESOURCE_ID: the ID of the organization or project whose module settings you want to view.
gcloud
To view the settings of a single module, run the following command:
```sh
gcloud alpha scc settings services modules describe --RESOURCE RESOURCE_ID \
  --service VIRTUAL_MACHINE_THREAT_DETECTION --module MODULE
```
To view the settings of all modules, run the following command:
```sh
gcloud alpha scc settings services describe --RESOURCE RESOURCE_ID \
  --service VIRTUAL_MACHINE_THREAT_DETECTION
```
Replace the following:
- RESOURCE: the type of resource whose module settings you want to view (organization or project).
- RESOURCE_ID: the ID of the organization or project whose module settings you want to view.
- MODULE: the module you want to view, for example CRYPTOMINING_HASH.
Software names and YARA rules for cryptomining detection
The following lists contain the binaries and YARA rules that trigger cryptocurrency mining findings.
Execution: Cryptocurrency Mining Hash Match
- Arionum CPU Miner: mining software for the Arionum cryptocurrency
- Avermore: mining software for Scrypt-based cryptocurrencies
- Beam CUDA Miner: mining software for Equihash-based cryptocurrencies
- Beam OpenCL Miner: mining software for Equihash-based cryptocurrencies
- BFGMiner: ASIC/FPGA mining software for Bitcoin
- BMiner: mining software for various cryptocurrencies
- Cast XMR: mining software for CryptoNight-based cryptocurrencies
- ccminer: CUDA-based mining software
- cgminer: ASIC/FPGA mining software for Bitcoin
- Claymore's Miner: GPU-based mining software for various cryptocurrencies
- CPUMiner: family of CPU-based mining software
- CryptoDredge: family of mining software for CryptoDredge
- CryptoGoblin: mining software for CryptoNight-based cryptocurrencies
- DamoMiner: GPU-based mining software for Ethereum and other cryptocurrencies
- DigitsMiner: mining software for Digits
- EasyMiner: mining software for Bitcoin and other cryptocurrencies
- Ethminer: mining software for Ethereum and other cryptocurrencies
- EWBF: mining software for Equihash-based cryptocurrencies
- FinMiner: mining software for Ethash- and CryptoNight-based cryptocurrencies
- Funakoshi Miner: mining software for the Bitcoin-Gold cryptocurrency
- Geth: mining software for Ethereum
- GMiner: mining software for various cryptocurrencies
- gominer: mining software for Decred
- GrinGoldMiner: mining software for Grin
- Hush: mining software for Zcash-based cryptocurrencies
- IxiMiner: mining software for Ixian
- kawpowminer: mining software for Ravencoin
- Komodo: family of mining software for Komodo
- lolMiner: mining software for various cryptocurrencies
- lukMiner: mining software for various cryptocurrencies
- MinerGate: mining software for various cryptocurrencies
- miniZ: mining software for Equihash-based cryptocurrencies
- Mirai: malware that can be used to mine cryptocurrencies
- MultiMiner: mining software for various cryptocurrencies
- nanominer: mining software for various cryptocurrencies
- NBMiner: mining software for various cryptocurrencies
- Nevermore: mining software for various cryptocurrencies
- nheqminer: mining software for NiceHash
- NinjaRig: mining software for Argon2-based cryptocurrencies
- NodeCore PoW CUDA Miner: mining software for VeriBlock
- NoncerPro: mining software for Nimiq
- Optiminer/Equihash: mining software for Equihash-based cryptocurrencies
- PascalCoin: family of mining software for PascalCoin
- PhoenixMiner: mining software for Ethereum
- Pooler CPU Miner: mining software for Litecoin and Bitcoin
- ProgPoW Miner: mining software for Ethereum and other cryptocurrencies
- rrminer: mining software for PascalCoin
- sgminer: mining software for scrypt-based cryptocurrencies
- simplecoin: family of mining software for the scrypt-based SimpleCoin
- Skypool Nimiq Miner: mining software for Nimiq
- SwapReferenceMiner: mining software for Grin
- TeamRedMiner: AMD-based mining software for various cryptocurrencies
- T-Rex: mining software for various cryptocurrencies
- TT-Miner: mining software for various cryptocurrencies
- Ubqminer: mining software for Ubqhash-based cryptocurrencies
- VersusCoin: mining software for VersusCoin
- violetminer: mining software for Argon2-based cryptocurrencies
- webchain-miner: mining software for MintMe
- WildRig: mining software for various cryptocurrencies
- XCASH_ALL_Miner: mining software for XCASH
- xFash: mining software for MinerGate
- XLArig: mining software for CryptoNight-based cryptocurrencies
- XMRig: mining software for various cryptocurrencies
- Xmr-Stak: mining software for CryptoNight-based cryptocurrencies
- XMR-Stak TurtleCoin: mining software for CryptoNight-based cryptocurrencies
- Xtl-Stak: mining software for CryptoNight-based cryptocurrencies
- Yam Miner: mining software for MinerGate
- YCash: mining software for YCash
- ZCoin: mining software for ZCoin/Firo
- Zealot/Enemy: mining software for various cryptocurrencies
- Cryptocurrency miner signals¹
¹ This generic threat name indicates that an unknown cryptocurrency miner may be running in the VM, but VM Threat Detection has no specific information about that miner.
Execution: Cryptocurrency Mining YARA Rule
- YARA_RULE1: matches mining software for Monero
- YARA_RULE9: matches mining software that uses Blake2 and AES encryption
- YARA_RULE10: matches mining software that uses the CryptoNight proof-of-work routine
- YARA_RULE15: matches NBMiner mining software
- YARA_RULE17: matches mining software that uses the Scrypt proof-of-work routine
- YARA_RULE18: matches mining software that uses the Scrypt proof-of-work routine
- YARA_RULE19: matches BFGMiner mining software
- YARA_RULE24: matches XMR-Stak mining software
- YARA_RULE25: matches XMRig mining software
- DYNAMIC_YARA_RULE_BFGMINER_2: matches BFGMiner mining software
What's next
- Learn more about VM Threat Detection.
- Learn how to investigate VM Threat Detection findings.