Halaman ini menjelaskan cara melihat dan mengelola temuan Deteksi Ancaman VM. Bagian ini juga menunjukkan cara mengaktifkan atau menonaktifkan layanan dan modulnya.
Ringkasan
Virtual Machine Threat Detection, layanan bawaan Security Command Center Premium, menyediakan deteksi ancaman melalui instrumentasi level hypervisor dan analisis persistent disk. VM Threat Detection mendeteksi aplikasi yang berpotensi membahayakan, seperti software penambangan mata uang kripto, rootkit mode kernel, dan malware yang berjalan di lingkungan cloud yang disusupi.
VM Threat Detection adalah bagian dari rangkaian deteksi ancaman Security Command Center Premium dan dirancang untuk melengkapi kemampuan Event Threat Detection dan Container Threat Detection yang sudah ada.
Untuk mengetahui informasi selengkapnya, baca Ringkasan Deteksi Ancaman VM.
Biaya
Setelah Anda mendaftar di Security Command Center Premium, tidak ada biaya tambahan untuk menggunakan VM Threat Detection.
Sebelum memulai
Untuk menggunakan fitur ini, Anda harus terdaftar di Security Command Center Premium.
Selain itu, Anda memerlukan peran Identity and Access Management (IAM) yang memadai untuk melihat atau mengedit temuan, serta memodifikasi resource Google Cloud. Jika Anda mengalami error akses di Security Command Center, minta bantuan administrator Anda. Untuk mempelajari peran lebih lanjut, lihat Kontrol akses.
Uji Deteksi Ancaman VM
Untuk menguji deteksi penambangan mata uang kripto pada VM Threat Detection, Anda dapat menjalankan aplikasi penambangan mata uang kripto di VM. Untuk mengetahui daftar nama biner dan aturan YARA yang memicu temuan, lihat Nama software dan aturan YARA. Jika Anda menginstal dan menguji aplikasi penambangan, sebaiknya hanya jalankan aplikasi di lingkungan pengujian yang terisolasi, pantau dengan cermat penggunaannya, dan hapus sepenuhnya setelah pengujian.
Untuk menguji deteksi malware Deteksi Ancaman VM, Anda dapat mendownload aplikasi malware di VM. Jika Anda mendownload malware, sebaiknya lakukan di lingkungan pengujian yang terisolasi, dan hapus sepenuhnya setelah pengujian.
Meninjau temuan di konsol Google Cloud
Untuk meninjau temuan VM Threat Detection di Google Cloud Console, lakukan langkah berikut:
Buka halaman Findings Security Command Center di Konsol Google Cloud.
Jika perlu, pilih organisasi atau project Google Cloud Anda.
Di bagian Quick filters, pada subbagian Source display name, pilih Virtual Machine Threat Detection.
Jika Anda tidak melihat Virtual Machine Threat Detection, klik View more. Pada dialog, telusuri Virtual Machine Threat Detection.
Untuk melihat detail temuan tertentu, klik nama temuan di bagian Kategori. Panel detail untuk temuan akan terbuka dan menampilkan tab Ringkasan.
Pada tab Ringkasan, tinjau informasi tentang temuan tersebut, termasuk informasi tentang biner yang terdeteksi, resource yang terpengaruh, dan lainnya.
Pada panel detail, klik tab JSON untuk melihat JSON lengkap untuk temuan.
Untuk informasi lebih mendetail tentang cara merespons setiap penemuan Deteksi Ancaman VM, lihat Respons Deteksi Ancaman VM.
Untuk mengetahui daftar temuan Deteksi Ancaman VM, lihat Temuan.
Keseriusan
Temuan Deteksi Ancaman VM diberi tingkat keparahan Tinggi, Sedang, dan Rendah berdasarkan keyakinan klasifikasi ancaman.
Deteksi gabungan
Deteksi gabungan terjadi saat beberapa kategori temuan terdeteksi dalam sehari. Temuan ini dapat disebabkan oleh satu atau beberapa aplikasi
berbahaya. Misalnya, satu aplikasi dapat memicu
temuan Execution: Cryptocurrency Mining YARA Rule dan Execution: Cryptocurrency
Mining Hash Match secara bersamaan. Namun, semua ancaman yang terdeteksi dari satu sumber
dalam hari yang sama akan digabungkan menjadi satu temuan deteksi gabungan. Pada hari-hari berikutnya, jika lebih banyak ancaman ditemukan, bahkan ancaman yang sama, ancaman tersebut akan disertakan ke temuan baru.
Untuk contoh temuan deteksi gabungan, lihat Contoh format temuan.
Contoh format temuan
Contoh output JSON ini berisi kolom yang umum untuk temuan Deteksi Ancaman VM. Setiap contoh hanya menampilkan kolom yang relevan dengan jenis temuan; contoh ini tidak memberikan daftar lengkap kolom.
Anda dapat mengekspor temuan melalui dasbor Security Command Center atau temuan daftar melalui Security Command Center API.
Untuk melihat contoh temuan, luaskan satu atau beberapa node berikut. Untuk mengetahui informasi tentang setiap kolom dalam temuan, lihat Finding.
Nilai kolom—seperti nama aturan YARA—yang digunakan Deteksi Ancaman VM selama Pratinjau dapat berubah saat fitur ini mencapai Ketersediaan Umum.
Defense Evasion: RootkitPratinjau
Contoh output ini menunjukkan temuan rootkit mode kernel yang diketahui: Diamorphine.
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Rootkit",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {
"name": "Diamorphine",
"unexpected_kernel_code_pages": true,
"unexpected_system_call_handler": true
},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected ftrace handlerPratinjau
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected ftrace handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected interrupt handlerPratinjau
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected interrupt handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel code modificationPratinjau
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel code modification",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel modulesPratinjau
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel modules",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kernel read-only data modificationPratinjau
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kernel read-only data modification",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected kprobe handlerPratinjau
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected kprobe handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected processes in runqueuePratinjau
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected processes in runqueue",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Defense Evasion: Unexpected system call handlerPratinjau
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Defense Evasion: Unexpected system call handler",
"createTime": "2023-01-12T00:39:33.007Z",
"database": {},
"eventTime": "2023-01-11T21:24:05.326Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "MEDIUM",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"project_display_name": "PROJECT_ID",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining Combined
Detection
Contoh output ini menunjukkan ancaman yang terdeteksi oleh modul CRYPTOMINING_HASH dan CRYPTOMINING_YARA.
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining Combined Detection",
"createTime": "2023-01-05T01:40:48.994Z",
"database": {},
"eventTime": "2023-01-05T01:39:36.876Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE1"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE9"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE10"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE25"
}
},
{
"memoryHashSignature": {
"binaryFamily": "XMRig",
"detections": [
{
"binary": "linux-x86-64_xmrig_6.12.2",
"percentPagesMatched": 1
}
]
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining Hash Match
Detection
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining Hash Match",
"createTime": "2023-01-05T01:40:48.994Z",
"database": {},
"eventTime": "2023-01-05T01:39:36.876Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"memoryHashSignature": {
"binaryFamily": "XMRig",
"detections": [
{
"binary": "linux-x86-64_xmrig_6.12.2",
"percentPagesMatched": 1
}
]
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Execution: Cryptocurrency Mining YARA Rule
{
"findings": {
"access": {},
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Execution: Cryptocurrency Mining YARA Rule",
"createTime": "2023-01-05T00:37:38.450Z",
"database": {},
"eventTime": "2023-01-05T01:12:48.828Z",
"exfiltration": {},
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE9"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE10"
}
},
{
"yaraRuleSignature": {
"yaraRule": "YARA_RULE25"
}
}
]
},
"kernelRootkit": {},
"kubernetes": {},
"mitreAttack": {
"version": "9"
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"processes": [
{
"binary": {
"path": "BINARY_PATH"
},
"script": {},
"args": [
"./miner",
""
],
"pid": "123",
"parentPid": "456",
"name": "miner"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Malware: Malicious file on disk (YARA)Pratinjau
{
"findings": {
"assetDisplayName": "DISPLAY_NAME",
"assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
"canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
"category": "Malware: Malicious file on disk (YARA)",
"createTime": "2023-01-05T00:37:38.450Z",
"eventTime": "2023-01-05T01:12:48.828Z",
"findingClass": "THREAT",
"findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
"indicator": {
"signatures": [
{
"yaraRuleSignature": {
"yaraRule": "M_Backdoor_REDSONJA_1"
},
"signatureType": "SIGNATURE_TYPE_FILE",
},
{
"yaraRuleSignature": {
"yaraRule": "M_Backdoor_REDSONJA_2"
},
"signatureType": "SIGNATURE_TYPE_FILE",
}
]
},
"mute": "UNDEFINED",
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"parentDisplayName": "Virtual Machine Threat Detection",
"files": [
{
"diskPath": {
"partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539",
"relative_path": "RELATIVE_PATH"
},
"size": "21238",
"sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69",
"hashedSize": "21238"
}
],
"resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"severity": "HIGH",
"sourceDisplayName": "Virtual Machine Threat Detection",
"state": "ACTIVE",
"vulnerability": {},
"workflowState": "NEW"
},
"resource": {
"name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
"display_name": "DISPLAY_NAME",
"project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"project_display_name": "DISPLAY_NAME",
"parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
"parent_display_name": "DISPLAY_NAME",
"type": "google.compute.Instance",
"folders": []
},
"sourceProperties": {}
}
Mengubah status temuan
Saat Anda mengatasi ancaman yang diidentifikasi oleh VM Threat Detection, layanan tidak akan otomatis menetapkan status temuan ke Tidak aktif dalam pemindaian berikutnya. Karena sifat domain ancaman kami, Deteksi Ancaman VM tidak dapat menentukan apakah ancaman dimitigasi atau telah diubah untuk menghindari deteksi.
Setelah puas dengan ancaman dimitigasi, tim keamanan dapat melakukan langkah-langkah berikut untuk mengubah status temuan menjadi tidak aktif.
Buka halaman Findings Security Command Center di Konsol Google Cloud.
Di samping Lihat menurut, klik Jenis Sumber.
Dalam daftar Source type, pilih Virtual Machine Threat Detection. Tabel diisi dengan temuan untuk jenis sumber yang Anda pilih.
Pilih kotak centang di samping temuan yang telah diselesaikan.
Klik Ubah Status Aktif.
Klik Tidak aktif.
Mengaktifkan atau menonaktifkan Deteksi Ancaman VM
VM Threat Detection diaktifkan secara default untuk semua pelanggan yang mendaftar di Security Command Center Premium setelah 15 Juli 2022, yaitu saat layanan ini akan tersedia secara umum. Jika perlu, Anda dapat menonaktifkan atau mengaktifkannya kembali secara manual untuk project atau organisasi.
Saat Anda mengaktifkan VM Threat Detection di organisasi atau project, layanan ini akan otomatis memindai semua resource yang didukung dalam organisasi atau project tersebut. Sebaliknya, jika Anda menonaktifkan VM Threat Detection di organisasi atau project, layanan akan berhenti memindai semua resource yang didukung di dalamnya.
Untuk mengaktifkan atau menonaktifkan VM Threat Detection, lakukan langkah berikut:
Konsol
Di konsol Google Cloud, Anda dapat mengaktifkan atau menonaktifkan VM Threat Detection melalui tab Services di halaman Settings.
Untuk informasi selengkapnya, lihat Mengaktifkan atau menonaktifkan layanan bawaan.
cURL
Kirim permintaan PATCH:
curl -X PATCH -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
-H "Content-Type: application/json; charset=utf-8" \
-H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings \
-d '{"serviceEnablementState": "NEW_STATE"}'
Ganti kode berikut:
- X_GOOG_USER_PROJECT: project yang akan menagih biaya akses yang terkait dengan pemindaian VM Threat Detection.
- RESOURCE: jenis resource yang akan dipindai (
organizationsatauprojects). - RESOURCE_ID: ID organisasi atau project yang ingin Anda aktifkan atau nonaktifkan Deteksi Ancaman VM.
- NEW_STATE: status yang Anda inginkan untuk VM Threat Detection (
ENABLEDatauDISABLED).
gcloud
Jalankan perintah berikut:
gcloud alpha scc settings services ACTION --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION
Ganti kode berikut:
- ACTION: tindakan yang ingin Anda lakukan pada layanan
VM Threat Detection (
enableataudisable). - RESOURCE: jenis resource yang ingin Anda aktifkan atau nonaktifkan
Deteksi Ancaman VM (
organizationatauproject). - RESOURCE_ID: ID organisasi atau project yang ingin Anda aktifkan atau nonaktifkan Deteksi Ancaman VM.
Mengaktifkan atau menonaktifkan modul Deteksi Ancaman VM
Untuk mengaktifkan atau menonaktifkan setiap detektor Deteksi Ancaman VM, yang juga dikenal sebagai modul, lakukan hal berikut. Diperlukan waktu hingga satu jam agar perubahan diterapkan.
Untuk mengetahui informasi tentang semua temuan ancaman Deteksi Ancaman VM dan modul yang menghasilkannya, lihat tabel Temuan ancaman.
Konsol
cURL
Untuk mengaktifkan atau menonaktifkan modul Deteksi Ancaman VM di organisasi atau
project Anda, kirim permintaan PATCH:
curl -X PATCH -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
-H "Content-Type: application/json; charset=utf-8" \
-H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings \
-d '{"modules": {"MODULE": {"module_enablement_state": "NEW_STATE"}}}'
Ganti kode berikut:
- X_GOOG_USER_PROJECT: project yang ditagih untuk biaya akses yang terkait dengan pemindaian Deteksi Ancaman VM.
- RESOURCE: jenis resource yang ingin Anda aktifkan atau nonaktifkan
modul (
organizationsatauprojects). - RESOURCE_ID: ID organisasi atau project yang ingin Anda aktifkan atau nonaktifkan modulnya.
- MODULE: modul yang ingin Anda aktifkan atau nonaktifkan—misalnya,
CRYPTOMINING_HASH. - NEW_STATE: status yang Anda inginkan untuk modul (
ENABLEDatauDISABLED).
gcloud
Untuk mengaktifkan atau menonaktifkan modul Deteksi Ancaman VM di organisasi atau project Anda, jalankan perintah berikut:
gcloud alpha scc settings services modules ACTION --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION --module MODULE
Ganti kode berikut:
- ACTION: tindakan yang ingin Anda lakukan pada modul (
enableataudisable). - RESOURCE: jenis resource yang ingin Anda aktifkan atau nonaktifkan
modul (
organizationatauproject). - RESOURCE_ID: ID organisasi atau project yang ingin Anda aktifkan atau nonaktifkan modulnya.
- MODULE: modul yang ingin Anda aktifkan atau nonaktifkan—misalnya,
CRYPTOMINING_HASH.
Lihat setelan modul VM Threat Detection
Untuk mengetahui informasi tentang semua temuan ancaman Deteksi Ancaman VM dan modul yang menghasilkannya, lihat tabel Temuan ancaman.
Konsol
Lihat Melihat modul layanan.
cURL
Kirim permintaan GET:
curl -X GET -H "Authorization: Bearer \"$(gcloud auth print-access-token)\"" \
-H "Content-Type: application/json; charset=utf-8" \
-H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/virtualMachineThreatDetectionSettings:calculate
Ganti kode berikut:
- X_GOOG_USER_PROJECT: project yang ditagih untuk biaya akses yang terkait dengan pemindaian Deteksi Ancaman VM.
- RESOURCE: jenis resource yang setelan modulnya ingin Anda lihat.
- RESOURCE_ID: ID organisasi atau project yang setelan modulnya ingin Anda lihat.
gcloud
Untuk melihat setelan untuk satu modul, jalankan perintah berikut:
gcloud alpha scc settings services modules describe --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION --module MODULE
Untuk melihat setelan semua modul, jalankan perintah berikut:
gcloud alpha scc settings services describe --RESOURCE RESOURCE_ID \
--service VIRTUAL_MACHINE_THREAT_DETECTION
Ganti kode berikut:
- RESOURCE: jenis resource yang setelan modulnya ingin Anda lihat (
organizationatauproject). - RESOURCE_ID: ID organisasi atau project yang setelan modulnya ingin Anda lihat.
- MODULE: modul yang ingin Anda lihat—misalnya,
CRYPTOMINING_HASH.
Nama software dan aturan YARA untuk deteksi penambangan mata uang kripto
Daftar berikut mencakup nama biner dan aturan YARA yang memicu temuan penambangan mata uang kripto. Untuk melihat daftar, luaskan node.
Execution: Cryptocurrency Mining Hash Match
- Arionum CPU miner: software menambang untuk mata uang kripto Arionum
- Avermore: software penambangan untuk mata uang kripto berbasis scrypt
- Beam CUDA miner: software penambangan untuk mata uang kripto berbasis Equihash
- beam OpenCL miner: software penambangan mata uang kripto berbasis Equihash
- BFGMiner: Software penambangan berbasis ASIC/FPGA untuk Bitcoin
- BMiner: software penambangan untuk berbagai mata uang kripto
- Cast XMR: software penambangan untuk mata uang kripto berbasis CryptoNight
- ccminer: software penambangan berbasis CUDA
- cgminer: Software penambangan berbasis ASIC/FPGA untuk Bitcoin
- Penambang Claymore: Software penambangan berbasis GPU untuk berbagai mata uang kripto
- CPUMiner: kelompok software penambangan berbasis CPU
- CryptoDredge: kelompok software penambangan untuk CryptoDredge
- CryptoGoblin: software penambangan untuk mata uang kripto berbasis CryptoNight
- DamoMiner: Software penambangan berbasis GPU untuk Ethereum dan mata uang kripto lainnya
- DigitsMiner: software penambangan Digits
- EasyMiner: software penambangan Bitcoin dan mata uang kripto lainnya
- Ethminer: software penambangan untuk Ethereum dan mata uang kripto lainnya
- EWBF: software penambangan untuk mata uang kripto berbasis Equihash
- FinMiner: software penambangan mata uang kripto berbasis CryptoNight dan Ethash
- Funakoshi Miner: software penambangan untuk mata uang kripto Bitcoin-Gold
- Geth: menambang software untuk Ethereum
- GMiner: software penambangan untuk berbagai mata uang kripto
- gominer: software penambangan untuk Decred
- GrinGoldMiner: software penambangan untuk Grin
- Hush: software penambangan untuk mata uang kripto berbasis Zcash
- IxiMiner: software penambangan untuk Ixian
- kawpowminer: software menambang untuk Ravencoin
- Komodo: kelompok software pertambangan untuk Komodo
- lolMiner: software penambangan untuk berbagai mata uang kripto
- lukMiner: software penambangan untuk berbagai mata uang kripto
- MinerGate: software penambangan untuk berbagai mata uang kripto
- miniZ: software penambangan untuk mata uang kripto berbasis Equihash
- Mirai: malware yang dapat digunakan untuk menambang mata uang kripto
- MultiMiner: software penambangan untuk berbagai mata uang kripto
- nanominer: software penambangan untuk berbagai mata uang kripto
- NBMiner: software penambangan untuk berbagai mata uang kripto
- Tidak lagi: software penambangan untuk berbagai mata uang kripto
- nheqminer: software penambangan untuk NiceHash
- NinjaRig: software penambangan untuk mata uang kripto berbasis Argon2
- NodeCore PoW CUDA Miner: software penambangan untuk VeriBlock
- NoncerPro: software menambang untuk Nimiq
- Optiminer/Equihash: software penambangan untuk mata uang kripto berbasis Equihash
- PascalCoin: kelompok software penambangan untuk PascalCoin
- PhoenixMiner: software penambangan untuk Ethereum
- Pooler CPU Miner: software menambang untuk Litecoin dan Bitcoin
- ProgPoW Miner: software penambangan untuk Ethereum dan mata uang kripto lainnya
- rhminer: software penambangan untuk PascalCoin
- sgminer: software penambangan mata uang kripto berbasis scrypt
- simplecoin: kelompok software penambangan untuk SimpleCoin berbasis scrypt
- Skypool Nimiq Miner: software penambangan untuk Nimiq
- SwapReferenceMiner: software menambang untuk Grin
- Team Red Miner: Software penambangan berbasis AMD untuk berbagai mata uang kripto
- T-Rex: software penambangan untuk berbagai mata uang kripto
- TT-Miner: software penambangan untuk berbagai mata uang kripto
- Ubqminer: software penambangan mata uang kripto berbasis Ubqhash
- VersusCoin: software penambangan untuk VersusCoin
- violetminer: software penambangan untuk mata uang kripto berbasis Argon2
- webchain-miner: software menambang untuk MintMe
- WildRig: software penambangan untuk berbagai mata uang kripto
- XCASH_ALL_Miner: software penambangan untuk XCASH
- xFash: software menambang untuk MinerGate
- XLArig: software penambangan untuk mata uang kripto berbasis CryptoNight
- XMRig: software penambangan untuk berbagai mata uang kripto
- Xmr-Stak: software penambangan mata uang kripto berbasis CryptoNight
- XMR-Stak TurtleCoin: software penambangan mata uang kripto berbasis CryptoNight
- Xtl-Stak: software penambangan untuk mata uang kripto berbasis CryptoNight
- Yam Miner: software menambang untuk MinerGate
- YCash: software penambangan untuk YCash
- ZCoin: software penambangan untuk ZCoin/Fire
- Zealot/Enemy: software penambangan untuk berbagai mata uang kripto
- Sinyal penambang mata uang kripto1
1 Nama ancaman umum ini menunjukkan bahwa penambang mata uang kripto yang tidak dikenal mungkin beroperasi di VM, tetapi Deteksi Ancaman VM tidak memiliki informasi spesifik tentang penambang tersebut.
Execution: Cryptocurrency Mining YARA Rule
- YARA_RULE1: mencocokkan software penambangan untuk Monero
- YARA_RULE9: mencocokkan software penambangan yang menggunakan cipher Blake2 dan AES
- YARA_RULE10: mencocokkan software penambangan yang menggunakan rutinitas bukti kerja CryptoNight
- YARA_RULE15: mencocokkan software penambangan untuk NBMiner
- YARA_RULE17: mencocokkan software penambangan yang menggunakan rutinitas bukti kerja Scrypt
- YARA_RULE18: mencocokkan software penambangan yang menggunakan rutinitas bukti kerja Scrypt
- YARA_RULE19: cocok dengan software penambangan untuk BFGMiner
- YARA_RULE24: mencocokkan software penambangan untuk XMR-Stak
- YARA_RULE25: cocok dengan software penambangan untuk XMRig
- DYNAMIC_YARA_RULE_BFGMINER_2: mencocokkan software penambangan untuk BFGMiner
Langkah selanjutnya
- Pelajari Deteksi Ancaman VM lebih lanjut.
- Pelajari cara menyelidiki temuan Deteksi Ancaman VM.