Use Virtual Machine Threat Detection

This page describes how to view and manage VM Threat Detection findings. It also shows you how to enable or disable the service and its modules.

Overview

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, provides threat detection through hypervisor-level instrumentation and persistent disk analysis. VM Threat Detection detects potentially malicious applications, such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments.

VM Threat Detection is part of Security Command Center Premium's threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.

For more information, see VM Threat Detection overview.

Costs

After you enroll in Security Command Center Premium, there is no additional cost to use VM Threat Detection.

Before you begin

To use this feature, you must be enrolled in Security Command Center Premium.

In addition, you need adequate Identity and Access Management (IAM) roles to view or edit findings, and modify Google Cloud resources. If you encounter access errors in Security Command Center, ask your administrator for assistance. To learn more about roles, see Access control.

Test VM Threat Detection

To test VM Threat Detection cryptocurrency mining detection, you can run a cryptocurrency mining application on your VM. For a list of binary names and YARA rules that trigger findings, see Software names and YARA rules. If you install and test mining applications, we recommended that you only run applications in an isolated test environment, closely monitor their use, and remove them completely after testing.

To test VM Threat Detection malware detection, you can download malware applications on your VM. If you download malware, we recommend that you do so in an isolated test environment, and remove them completely after testing.

Review findings in the Google Cloud console

To review VM Threat Detection findings in the Google Cloud console, do the following:

In the Google Cloud console, go to the Findings page of Security Command Center.
Go to Findings
Select your Google Cloud project or organization.
In the Quick filters section, in the Source display name subsection, select Virtual Machine Threat Detection. The findings query results are updated to show only the findings from this source.
To view the details of a specific finding, click the finding name under Category. The details panel for the finding opens and displays the Summary tab.
On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
Optional: To view the full JSON definition of the finding, click the JSON tab.

For more detailed information about how to respond to each VM Threat Detection finding, see VM Threat Detection response.

For a list of VM Threat Detection findings, see Findings.

Severity

VM Threat Detection findings are assigned High, Medium, and Low severity based on the threat classification confidence.

Combined detections

Combined detections occur when multiple categories of findings are detected within a day. The findings can be caused by one or more malicious applications. For example, a single application can simultaneously trigger Execution: Cryptocurrency Mining YARA Rule and Execution: Cryptocurrency Mining Hash Match findings. However, all threats detected from a single source within the same day are rolled into one combined detection finding. In the following days, if more threats are found, even the same ones, they are attached to new findings.

For an example of a combined detection finding, see Example finding formats.

Example finding formats

These JSON output examples contain fields common to VM Threat Detection findings. Each example shows only the fields relevant to the finding type; it doesn't provide an exhaustive list of fields.

You can export findings through the Security Command Center console or list findings through the Security Command Center API.

To see the example findings, expand one or more of the following nodes. For information about each field in the finding, see Finding.

`Defense Evasion: Rootkit` (Preview)

This output example shows a finding of a known kernel-mode rootkit: Diamorphine.

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Rootkit",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {
      "name": "Diamorphine",
      "unexpected_kernel_code_pages": true,
      "unexpected_system_call_handler": true
    },
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}

`Defense Evasion: Unexpected ftrace handler` (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected ftrace handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }

`Defense Evasion: Unexpected interrupt handler` (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected interrupt handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }

`Defense Evasion: Unexpected kernel code modification` (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kernel code modification",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }

`Defense Evasion: Unexpected kernel modules` (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kernel modules",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }

`Defense Evasion: Unexpected kernel read-only data modification` (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kernel read-only data modification",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }

`Defense Evasion: Unexpected kprobe handler` (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected kprobe handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }

`Defense Evasion: Unexpected processes in runqueue` (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected processes in runqueue",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }

`Defense Evasion: Unexpected system call handler` (Preview)

  {
    "findings": {
      "access": {},
      "assetDisplayName": "DISPLAY_NAME",
      "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "Defense Evasion: Unexpected system call handler",
      "createTime": "2023-01-12T00:39:33.007Z",
      "database": {},
      "eventTime": "2023-01-11T21:24:05.326Z",
      "exfiltration": {},
      "findingClass": "THREAT",
      "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
      "indicator": {},
      "kernelRootkit": {},
      "kubernetes": {},
      "mitreAttack": {
        "version": "9"
      },
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "parentDisplayName": "Virtual Machine Threat Detection",
      "processes": [],
      "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "severity": "MEDIUM",
      "sourceDisplayName": "Virtual Machine Threat Detection",
      "state": "ACTIVE",
      "vulnerability": {},
      "workflowState": "NEW"
    },
    "resource": {
      "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
      "display_name": "DISPLAY_NAME",
      "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "project_display_name": "PROJECT_ID",
      "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parent_display_name": "DISPLAY_NAME",
      "type": "google.compute.Instance",
      "folders": []
    },
    "sourceProperties": {}
  }

`Execution: Cryptocurrency Mining Combined Detection`

This output example shows a threat that was detected by both the CRYPTOMINING_HASH and CRYPTOMINING_YARA modules.

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining Combined Detection",
    "createTime": "2023-01-05T01:40:48.994Z",
    "database": {},
    "eventTime": "2023-01-05T01:39:36.876Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE1"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE9"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE10"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE25"
          }
        },
        {
          "memoryHashSignature": {
            "binaryFamily": "XMRig",
            "detections": [
              {
                "binary": "linux-x86-64_xmrig_6.12.2",
                "percentPagesMatched": 1
              }
            ]
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "BINARY_PATH"
        },
        "script": {},
        "args": [
          "./miner",
          ""
        ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}

`Execution: Cryptocurrency Mining Hash Match Detection`

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining Hash Match",
    "createTime": "2023-01-05T01:40:48.994Z",
    "database": {},
    "eventTime": "2023-01-05T01:39:36.876Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "memoryHashSignature": {
            "binaryFamily": "XMRig",
            "detections": [
              {
                "binary": "linux-x86-64_xmrig_6.12.2",
                "percentPagesMatched": 1
              }
            ]
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "BINARY_PATH"
        },
        "script": {},
        "args": [
          "./miner",
          ""
        ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}

`Execution: Cryptocurrency Mining YARA Rule`

{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining YARA Rule",
    "createTime": "2023-01-05T00:37:38.450Z",
    "database": {},
    "eventTime": "2023-01-05T01:12:48.828Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE9"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE10"
          }
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "YARA_RULE25"
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": {
      "version": "9"
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": {
          "path": "BINARY_PATH"
        },
        "script": {},
        "args": [
          "./miner",
          ""
        ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}

`Malware: Malicious file on disk (YARA)`

{
  "findings": {
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Malware: Malicious file on disk (YARA)",
    "createTime": "2023-01-05T00:37:38.450Z",
    "eventTime": "2023-01-05T01:12:48.828Z",
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "yaraRuleSignature": {
            "yaraRule": "M_Backdoor_REDSONJA_1"
          },
          "signatureType": "SIGNATURE_TYPE_FILE",
        },
        {
          "yaraRuleSignature": {
            "yaraRule": "M_Backdoor_REDSONJA_2"
          },
          "signatureType": "SIGNATURE_TYPE_FILE",
        }
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "files": [
      {
        "diskPath": {
          "partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539",
          "relative_path": "RELATIVE_PATH"
        },
        "size": "21238",
        "sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69",
        "hashedSize": "21238"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}

Change the state of findings

When you resolve threats identified by VM Threat Detection, the service does not automatically set a finding's state to Inactive in subsequent scans. Due to the nature of our threat domain, VM Threat Detection can't determine if a threat is mitigated or has changed to avoid detection.

When your security teams are satisfied that a threat is mitigated, they can perform the following steps to change the state of findings to inactive.

Go to Security Command Center's Findings page in the Google Cloud console.

Go to Findings
Next to View by, click Source Type.
In the Source type list, select Virtual Machine Threat Detection. A table populates with findings for the source type you selected.
Select the checkbox next to the findings that are resolved.
Click Change Active State.
Click Inactive.

Enable or disable VM Threat Detection

VM Threat Detection is enabled by default for all customers that enroll in Security Command Center Premium after July 15, 2022, which is when this service became generally available. If needed, you can disable or re-enable it manually for your project or organization.

When you enable VM Threat Detection on an organization or project, the service automatically scans all supported resources in that organization or project. Conversely, when you disable VM Threat Detection on an organization or project, the service stops scanning all supported resources in it.

To enable or disable VM Threat Detection, do the following:

Console

In the Google Cloud console, go to the Virtual Machine Threat Detection Service Enablement page.

Go to Service Enablement
In the Virtual Machine Threat Detection column, select the current status, and then select one of the following:
- Enable: enable VM Threat Detection
- Disable: disable VM Threat Detection
- Inherit: inherit the enablement status from the parent folder or organization; available only for projects and folders

gcloud

The gcloud scc manage services update command updates the state of a Security Command Center service or module.

Before using any of the command data below, make the following replacements:

RESOURCE_TYPE: the type of resource to update (organization, folder, or project)
RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID
NEW_STATE: ENABLED to enable VM Threat Detection; DISABLED to disable VM Threat Detection; or INHERITED to inherit the enablement status of the parent resource (valid only for projects and folders)

Execute the gcloud scc manage services update command:

Linux, macOS, or Cloud Shell

gcloud scc manage services update vm-threat-detection \
    --RESOURCE_TYPE=RESOURCE_ID \
    --enablement-state=NEW_STATE

Windows (PowerShell)

gcloud scc manage services update vm-threat-detection `
    --RESOURCE_TYPE=RESOURCE_ID `
    --enablement-state=NEW_STATE

Windows (cmd.exe)

gcloud scc manage services update vm-threat-detection ^
    --RESOURCE_TYPE=RESOURCE_ID ^
    --enablement-state=NEW_STATE

You should receive a response similar to the following:

effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'

REST

The Security Center Management API's RESOURCE_TYPE.locations.securityCenterServices.patch method updates the state of a Security Command Center service or module.

Before using any of the request data, make the following replacements:

RESOURCE_TYPE: the type of resource to update (organizations, folders, or projects)
QUOTA_PROJECT: the project ID to use for billing and quota tracking
RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID
NEW_STATE: ENABLED to enable VM Threat Detection; DISABLED to disable VM Threat Detection; or INHERITED to inherit the enablement status of the parent resource (valid only for projects and folders)

HTTP method and URL:

PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=intendedEnablementState

Request JSON body:

{
  "intendedEnablementState": "NEW_STATE"
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "x-goog-user-project: QUOTA_PROJECT" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=intendedEnablementState"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "x-goog-user-project" = "QUOTA_PROJECT" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=intendedEnablementState" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_MEMORY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_INTEGRITY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": {
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}

Enable or disable a VM Threat Detection module

To enable or disable an individual VM Threat Detection detector, also known as a module, do the following. It can take up to an hour for your changes to take effect.

For information about all VM Threat Detection threat findings and the modules that generate them, see Threat findings.

Console

The Google Cloud console lets you enable or disable VM Threat Detection modules at the organization level. To enable or disable VM Threat Detection modules at the folder or project level, use the gcloud CLI or the REST API.

In the Google Cloud console, go to the Virtual Machine Threat Detection Modules page.

Go to Modules
In the Status column, select the current status of the module that you want to enable or disable, and then select one of the following:
- Enable: Enable the module.
- Disable: Disable the module.

gcloud

The gcloud scc manage services update command updates the state of a Security Command Center service or module.

Before using any of the command data below, make the following replacements:

RESOURCE_TYPE: the type of resource to update (organization, folder, or project)
RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID
MODULE_NAME: the name of the module to enable or disable; for valid values, see Threat findings
NEW_STATE: ENABLED to enable the module; DISABLED to disable the module; or INHERITED to inherit the enablement status of the parent resource (valid only for projects and folders)

Save the following content in a file called request.json:

{
  "MODULE_NAME": {
    "intendedEnablementState": "NEW_STATE"
  }
}

Execute the gcloud scc manage services update command:

Linux, macOS, or Cloud Shell

gcloud scc manage services update vm-threat-detection \
    --RESOURCE_TYPE=RESOURCE_ID \
    --enablement-state=ENABLED \  
    --module-config-file=request.json

Windows (PowerShell)

gcloud scc manage services update vm-threat-detection `
    --RESOURCE_TYPE=RESOURCE_ID `
    --enablement-state=ENABLED \  
    --module-config-file=request.json

Windows (cmd.exe)

gcloud scc manage services update vm-threat-detection ^
    --RESOURCE_TYPE=RESOURCE_ID ^
    --enablement-state=ENABLED \  
    --module-config-file=request.json

You should receive a response similar to the following:

effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'

REST

The Security Center Management API's RESOURCE_TYPE.locations.securityCenterServices.patch method updates the state of a Security Command Center service or module.

Before using any of the request data, make the following replacements:

RESOURCE_TYPE: the type of resource to update (organizations, folders, or projects)
QUOTA_PROJECT: the project ID to use for billing and quota tracking
RESOURCE_ID: the numeric identifier of the organization, folder, or project to update; for projects, you can also use the alphanumeric project ID
MODULE_NAME: the name of the module to enable or disable; for valid values, see Threat findings
NEW_STATE: ENABLED to enable the module; DISABLED to disable the module; or INHERITED to inherit the enablement status of the parent resource (valid only for projects and folders)

HTTP method and URL:

PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=modules

Request JSON body:

{
  "modules": {
    "MODULE_NAME": {
      "intendedEnablementState": "NEW_STATE"
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "x-goog-user-project: QUOTA_PROJECT" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=modules"

PowerShell (Windows)

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "x-goog-user-project" = "QUOTA_PROJECT" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=modules" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_MEMORY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_INTEGRITY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": {
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}

View the settings of the VM Threat Detection modules

For information about all VM Threat Detection threat findings and the modules that generate them, see the Threat findings table.

Console

The Google Cloud console lets you view settings for VM Threat Detection modules at the organization level. To view settings for VM Threat Detection modules at the folder or project level, use the gcloud CLI or the REST API.

To view the settings in the Google Cloud console, go to the Virtual Machine Threat Detection Modules page.

Go to Modules

gcloud

The gcloud scc manage services update command gets the state of a Security Command Center service or module.

Before using any of the command data below, make the following replacements:

RESOURCE_TYPE: the type of resource to get (organizations, folders, or projects)
QUOTA_PROJECT: the project ID to use for billing and quota tracking
RESOURCE_ID: the numeric identifier of the organization, folder, or project to get; for projects, you can also use the alphanumeric project ID

Save the following content in a file called request.json:

{
  "MODULE_NAME": {
    "intendedEnablementState": "NEW_STATE"
  }
}

Execute the gcloud scc manage services update command:

Linux, macOS, or Cloud Shell

gcloud scc manage services update vm-threat-detection \
    --RESOURCE_TYPE=RESOURCE_ID

Windows (PowerShell)

gcloud scc manage services update vm-threat-detection `
    --RESOURCE_TYPE=RESOURCE_ID

Windows (cmd.exe)

gcloud scc manage services update vm-threat-detection ^
    --RESOURCE_TYPE=RESOURCE_ID

You should receive a response similar to the following:

effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'

REST

The Security Center Management API's RESOURCE_TYPE.locations.securityCenterServices.get method gets the state of a Security Command Center service or module.

Before using any of the request data, make the following replacements:

RESOURCE_TYPE: the type of resource to get (organizations, folders, or projects)
QUOTA_PROJECT: the project ID to use for billing and quota tracking
RESOURCE_ID: the numeric identifier of the organization, folder, or project to get; for projects, you can also use the alphanumeric project ID

HTTP method and URL:

GET https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "x-goog-user-project: QUOTA_PROJECT" \
     "https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection"

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "x-goog-user-project" = "QUOTA_PROJECT" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_MEMORY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "KERNEL_INTEGRITY_TAMPERING": {
      "effectiveEnablementState": "ENABLED"
    },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": {
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}

Software names and YARA rules for cryptocurrency mining detection

The following lists include the names of binaries and YARA rules that trigger cryptocurrency mining findings. To see the lists, expand the nodes.

`Execution: Cryptocurrency Mining Hash Match`

Arionum CPU miner: mining software for Arionum cryptocurrency
Avermore: mining software for scrypt-based cryptocurrencies
Beam CUDA miner: mining software for Equihash-based cryptocurrencies
Beam OpenCL miner: mining software for Equihash-based cryptocurrencies
BFGMiner: ASIC/FPGA-based mining software for Bitcoin
BMiner: mining software for various cryptocurrencies
Cast XMR: mining software for CryptoNight-based cryptocurrencies
ccminer: CUDA-based mining software
cgminer: ASIC/FPGA-based mining software for Bitcoin
Claymore's miner: GPU-based mining software for various cryptocurrencies
CPUMiner: family of CPU-based mining software
CryptoDredge: family of mining software for CryptoDredge
CryptoGoblin: mining software for CryptoNight-based cryptocurrencies
DamoMiner: GPU-based mining software for Ethereum and other cryptocurrencies
DigitsMiner: mining software for Digits
EasyMiner: mining software for Bitcoin and other cryptocurrencies
Ethminer: mining software for Ethereum and other cryptocurrencies
EWBF: mining software for Equihash-based cryptocurrencies
FinMiner: mining software for Ethash and CryptoNight-based cryptocurrencies
Funakoshi Miner: mining software for Bitcoin-Gold cryptocurrencies
Geth: mining software for Ethereum
GMiner: mining software for various cryptocurrencies
gominer: mining software for Decred
GrinGoldMiner: mining software for Grin
Hush: mining software for Zcash-based cryptocurrencies
IxiMiner: mining software for Ixian
kawpowminer: mining software for Ravencoin
Komodo: family of mining software for Komodo
lolMiner: mining software for various cryptocurrencies
lukMiner: mining software for various cryptocurrencies
MinerGate: mining software for various cryptocurrencies
miniZ: mining software for Equihash-based cryptocurrencies
Mirai: malware that can be used to mine cryptocurrencies
MultiMiner: mining software for various cryptocurrencies
nanominer: mining software for various cryptocurrencies
NBMiner: mining software for various cryptocurrencies
Nevermore: mining software for various cryptocurrencies
nheqminer: mining software for NiceHash
NinjaRig: mining software for Argon2-based cryptocurrencies
NodeCore PoW CUDA Miner: mining software for VeriBlock
NoncerPro: mining software for Nimiq
Optiminer/Equihash: mining software for Equihash-based cryptocurrencies
PascalCoin: family of mining software for PascalCoin
PhoenixMiner: mining software for Ethereum
Pooler CPU Miner: mining software for Litecoin and Bitcoin
ProgPoW Miner: mining software for Ethereum and other cryptocurrencies
rhminer: mining software for PascalCoin
sgminer: mining software for scrypt-based cryptocurrencies
simplecoin: family of mining software for scrypt-based SimpleCoin
Skypool Nimiq Miner: mining software for Nimiq
SwapReferenceMiner: mining software for Grin
Team Red Miner: AMD-based mining software for various cryptocurrencies
T-Rex: mining software for various cryptocurrencies
TT-Miner: mining software for various cryptocurrencies
Ubqminer: mining software for Ubqhash-based cryptocurrencies
VersusCoin: mining software for VersusCoin
violetminer: mining software for Argon2-based cryptocurrencies
webchain-miner: mining software for MintMe
WildRig: mining software for various cryptocurrencies
XCASH_ALL_Miner: mining software for XCASH
xFash: mining software for MinerGate
XLArig: mining software for CryptoNight-based cryptocurrencies
XMRig: mining software for various cryptocurrencies
Xmr-Stak: mining software for CryptoNight-based cryptocurrencies
XMR-Stak TurtleCoin: mining software for CryptoNight-based cryptocurrencies
Xtl-Stak: mining software for CryptoNight-based cryptocurrencies
Yam Miner: mining software for MinerGate
YCash: mining software for YCash
ZCoin: mining software for ZCoin/Fire
Zealot/Enemy: mining software for various cryptocurrencies
Cryptocurrency miner signal¹

¹ This generic threat name indicates that an unknown cryptocurrency miner might be operating in the VM, but VM Threat Detection does not have specific information about the miner.

`Execution: Cryptocurrency Mining YARA Rule`

YARA_RULE1: matches mining software for Monero
YARA_RULE9: matches mining software that uses the Blake2 and AES cipher
YARA_RULE10: matches mining software that uses the CryptoNight proof-of-work routine
YARA_RULE15: matches mining software for NBMiner
YARA_RULE17: matches mining software that uses the Scrypt proof-of-work routine
YARA_RULE18: matches mining software that uses the Scrypt proof-of-work routine
YARA_RULE19: matches mining software for BFGMiner
YARA_RULE24: matches mining software for XMR-Stak
YARA_RULE25: matches mining software for XMRig
DYNAMIC_YARA_RULE_BFGMINER_2: matches mining software for BFGMiner

What's next

Learn more about VM Threat Detection.
Learn how to investigate VM Threat Detection findings.

Use Virtual Machine Threat Detection

Overview

Costs

Before you begin

Test VM Threat Detection

Review findings in the Google Cloud console

Severity

Combined detections

Example finding formats

Defense Evasion: Rootkit (Preview)

Defense Evasion: Unexpected ftrace handler (Preview)

Defense Evasion: Unexpected interrupt handler (Preview)

Defense Evasion: Unexpected kernel code modification (Preview)

Defense Evasion: Unexpected kernel modules (Preview)

Defense Evasion: Unexpected kernel read-only data modification (Preview)

Defense Evasion: Unexpected kprobe handler (Preview)

Defense Evasion: Unexpected processes in runqueue (Preview)

Defense Evasion: Unexpected system call handler (Preview)

Execution: Cryptocurrency Mining Combined Detection

Execution: Cryptocurrency Mining Hash Match Detection

Execution: Cryptocurrency Mining YARA Rule

Malware: Malicious file on disk (YARA)

Change the state of findings

Enable or disable VM Threat Detection

Console

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Enable or disable a VM Threat Detection module

Console

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

View the settings of the VM Threat Detection modules

Console

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Software names and YARA rules for cryptocurrency mining detection

Execution: Cryptocurrency Mining Hash Match

Execution: Cryptocurrency Mining YARA Rule

What's next

`Defense Evasion: Rootkit` (Preview)

`Defense Evasion: Unexpected ftrace handler` (Preview)

`Defense Evasion: Unexpected interrupt handler` (Preview)

`Defense Evasion: Unexpected kernel code modification` (Preview)

`Defense Evasion: Unexpected kernel modules` (Preview)

`Defense Evasion: Unexpected kernel read-only data modification` (Preview)

`Defense Evasion: Unexpected kprobe handler` (Preview)

`Defense Evasion: Unexpected processes in runqueue` (Preview)

`Defense Evasion: Unexpected system call handler` (Preview)

`Execution: Cryptocurrency Mining Combined Detection`

`Execution: Cryptocurrency Mining Hash Match Detection`

`Execution: Cryptocurrency Mining YARA Rule`

`Malware: Malicious file on disk (YARA)`

`Execution: Cryptocurrency Mining Hash Match`

`Execution: Cryptocurrency Mining YARA Rule`