Defense Evasion: Rootkit

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

VM Threat Detection detected a combination of signals that match a known kernel-mode rootkit in a Compute Engine VM instance.

The Defense Evasion: Rootkit finding category is a superset of the following finding categories. Therefore, this section applies to these finding categories as well.

  • Defense Evasion: Unexpected ftrace handler
  • Defense Evasion: Unexpected interrupt handler
  • Defense Evasion: Unexpected kernel modules
  • Defense Evasion: Unexpected kernel read-only data modification
  • Defense Evasion: Unexpected kprobe handler
  • Defense Evasion: Unexpected processes in runqueue
  • Defense Evasion: Unexpected system call handler

To respond to these findings, do the following.

Step 1: Review finding details

  1. Open the finding, as directed in Review findings. The details panel for the finding opens to the Summary tab.

  2. On the Summary tab, review the information in the following sections:

    • What was detected, especially the following fields:

      • Kernel rootkit name: the family name of the rootkit that was detected—for example, Diamorphine.
      • Unexpected kernel code pages: whether kernel code pages are present in kernel or module code regions where they aren't expected.
      • Unexpected system call handler: whether system call handlers are present in kernel or module code regions where they aren't expected.
    • Affected resource, especially the following field:

      • Resource full name: the full resource name of the affected VM instance, including the ID of the project that contains it.
  3. To see the complete JSON for this finding, in the detail view of the finding, click the JSON tab.

Step 2: Check logs

  1. In the Google Cloud console, go to Logs Explorer.


  2. On the Google Cloud console toolbar, select the project that contains the VM instance, as specified on the Resource full name row in the Summary tab of the finding details.

  3. Check the logs for signs of intrusion on the affected VM instance. For example, check for suspicious or unknown activities and signs of compromised credentials.

Step 3: Review permissions and settings

  1. On the Summary tab of the finding details, in the Resource full name field, click the link.
  2. Review the details of the VM instance, including the network and access settings.

Step 4: Inspect the affected VM

Follow the instructions in Inspect a VM for signs of kernel memory tampering.
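The checks below are an added example and are not part of the Security Command Center documentation or the Inspect a VM procedure. They are user-space corroboration a responder can run as root on the affected Linux VM (or point at a copied /proc and /sys tree) for three of the signals named in this finding: modules that are registered in sysfs but missing from the kernel's module list, kernel taint bits that record out-of-tree, unsigned or force-loaded modules, and symbols that currently have a kprobe attached. The fixture data built by make_fixture is constructed sample data, not output captured from a real host, and every path is a parameter so the functions can be run against it.

```shell
#!/bin/sh
# Added example, not part of the Security Command Center documentation.
# Root-level user-space checks for a Linux VM under investigation. Paths are
# parameters (defaults point at the live host) so the same functions can run
# against a copied tree or the constructed fixture below.

# Modules visible in sysfs but absent from the kernel's module list.
# A rootkit that unlinks itself from that list (so lsmod and /proc/modules
# no longer show it) usually leaves its /sys/module/<name> directory behind.
# Built-in code also appears under /sys/module, but only loadable modules
# have an initstate file, so entries without one are skipped.
hidden_modules() {
    proc_modules=${1:-/proc/modules}
    sys_module=${2:-/sys/module}
    for dir in "$sys_module"/*/; do
        [ -f "${dir}initstate" ] || continue
        name=${dir%/}
        name=${name##*/}
        grep -q "^$name " "$proc_modules" || echo "$name"
    done
}

# Decode the module-related kernel taint bits from a /proc/sys/kernel/tainted
# value: bit 1 = module force-loaded (F), bit 12 = out-of-tree module (O),
# bit 13 = unsigned module (E). Prints the matching flag letters.
taint_flags() {
    value=${1:-$(cat /proc/sys/kernel/tainted)}
    flags=""
    [ $(( (value >> 1) & 1 )) -eq 1 ] && flags="${flags}F"
    [ $(( (value >> 12) & 1 )) -eq 1 ] && flags="${flags}O"
    [ $(( (value >> 13) & 1 )) -eq 1 ] && flags="${flags}E"
    echo "$flags"
}

# Symbols that currently have a kprobe attached, read from debugfs
# (/sys/kernel/debug/kprobes/list: one "addr type symbol+offset [flags]"
# line per probe). Requires debugfs to be mounted. Prints each symbol once.
kprobe_symbols() {
    list=${1:-/sys/kernel/debug/kprobes/list}
    [ -r "$list" ] || return 0
    while read -r addr type sym rest; do
        [ -n "$sym" ] && echo "${sym%%+*}"
    done < "$list" | sort -u
}

# Constructed fixture (sample data, not captured from a real host):
# "bar" has a sysfs entry but is missing from the module list, and two
# probes are registered in the kprobes list.
make_fixture() {
    root=$1
    mkdir -p "$root/sys_module/foo" "$root/sys_module/bar" "$root/sys_module/builtin_only"
    echo live > "$root/sys_module/foo/initstate"
    echo live > "$root/sys_module/bar/initstate"
    printf 'foo 16384 0 - Live 0x0000000000000000\n' > "$root/modules"
    printf 'ffffffffc0a01000  k  do_sys_open+0x0    [DISABLED]\n' > "$root/kprobes"
    printf 'ffffffffc0a01040  k  getdents64+0x0\n' >> "$root/kprobes"
}

# Stand-alone run against the fixture (pass --demo); call the functions with
# no arguments to inspect the live host instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    echo "hidden modules:"; hidden_modules "$tmp/modules" "$tmp/sys_module"
    echo "taint flags: $(taint_flags 12288)"
    echo "kprobed symbols:"; kprobe_symbols "$tmp/kprobes"
    rm -rf "$tmp"
fi
```

A module name printed by hidden_modules, an O or E taint flag on a host whose image ships only signed in-tree modules, or a kprobe on a symbol nobody on the team registered are each worth recording in the investigation before the instance is stopped, because stopping the VM discards the in-memory state these checks read. Treat a clean result as corroboration only: a rootkit that also hides its sysfs directory or filters reads of these files defeats user-space inspection, which is why the finding itself comes from VM Threat Detection reading guest memory from outside the VM.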

Step 5: Research attack and response methods

  1. Review MITRE ATT&CK framework entries for Defense Evasion.
  2. To develop a response plan, combine your investigation results with MITRE research.

Step 6: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

  1. Contact the owner of the VM.

  2. If necessary, stop the compromised instance and replace it with a new instance.

  3. For forensic analysis, consider backing up the virtual machines and persistent disks. For more information, see Data protection options in the Compute Engine documentation.

  4. Delete the VM instance.

  5. For further investigation, consider using incident response services like Mandiant.