本页面介绍了如何查看和管理 VM Threat Detection 发现结果。此外还展示了如何启用或停用相关服务及其模块。
概览
Virtual Machine Threat Detection 是 Security Command Center 的一项内置服务,在企业版和高级版中提供。该服务会扫描虚拟机,以检测在遭到破解的云环境中运行的潜在恶意应用,例如加密货币挖矿软件、内核模式 rootkit 和恶意软件。
VM Threat Detection 是 Security Command Center 威胁检测套件的一部分,旨在补充 Event Threat Detection 和 Container Threat Detection 的现有功能。
如需了解详情,请参阅 VM Threat Detection 概览。
费用
注册 Security Command Center Premium 后,使用 VM Threat Detection 无需额外费用。
准备工作
如需获得管理虚拟机威胁检测服务及其模块所需的权限,请让管理员向您授予组织、文件夹或项目的 Security Center Management Admin (roles/securitycentermanagement.admin) IAM 角色。
如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限。
测试 VM Threat Detection
如需测试 VM Threat Detection 的加密货币挖矿检测功能,您可以在虚拟机上运行加密货币挖矿应用。如需查看触发发现结果的二进制文件名称和 YARA 规则的列表,请参阅软件名称和 YARA 规则。如果您安装和测试挖矿应用,建议您仅在隔离的测试环境中运行这些应用,密切监控其使用情况,并在测试后完全移除这些应用。
如需测试 VM Threat Detection 恶意软件检测功能,您可以在虚拟机上下载恶意软件应用。如果您下载恶意软件,建议您在隔离的测试环境中下载,并在测试后完全移除这些软件。
在 Google Cloud 控制台中查看发现结果
如需在 Google Cloud 控制台中查看 VM Threat Detection 发现结果,请执行以下操作:
- 在 Google Cloud 控制台中,前往 Security Command Center 的发现结果页面。
- 选择您的 Google Cloud 项目或组织。
- 在快速过滤条件部分的来源显示名称子部分中,选择 Virtual Machine Threat Detection。发现结果的查询结果会更新为仅显示此来源的发现结果。
- 如需查看特定发现结果的详细信息,请点击类别列中的发现结果名称。 系统会打开发现结果的详细信息面板,并显示摘要标签页。
- 在摘要标签页上,查看发现结果的详细信息,包括有关检测到的内容、受影响的资源的信息,以及您可以采取的发现结果修复步骤(如果有)。
- 可选:如需查看发现结果的完整 JSON 定义,请点击 JSON 标签页。
如需详细了解如何对每个 VM Threat Detection 发现结果做出相应的响应,请参阅 VM Threat Detection 响应。
如需查看 VM Threat Detection 发现结果列表,请参阅发现结果。
严重程度
VM Threat Detection 发现结果的严重程度会根据威胁分类置信度分为高、中和低。
组合检测
如果在一天内检测到多个类别的发现结果,就会进行组合检测。发现结果可能是由一个或多个恶意应用导致的。例如,单个应用可以同时触发 Execution: Cryptocurrency Mining YARA Rule 和 Execution: Cryptocurrency
Mining Hash Match 发现结果。但是,在当天从单个来源检测到的所有威胁都会汇总到一个组合检测发现结果中。在接下来的几天,如果发现更多威胁(即使是相同的威胁),则会附加到新发现结果。
如需查看组合检测发现结果的示例,请参阅发现结果格式示例。
发现结果格式示例
以下 JSON 输出示例包含 VM Threat Detection 发现结果中常见的字段。每个示例仅显示与发现类型相关的字段,而不会提供完整的字段列表。
您可以通过 Security Command Center 控制台导出发现结果,也可以通过 Security Command Center API 列出发现结果。
如需查看示例发现结果,请展开以下一个或多个节点。如需了解相应发现结果中的每个字段,请参阅 Finding。
Defense Evasion: Rootkit
以下输出示例显示了发现的已知内核模式 Rootkit:Diamorphine。
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Rootkit", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": { "name": "Diamorphine", "unexpected_kernel_code_pages": true, "unexpected_system_call_handler": true }, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected ftrace handler(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected ftrace handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected interrupt handler(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected interrupt handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected kernel code modification(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected kernel code modification", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected kernel modules(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected kernel modules", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected kernel read-only data modification(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected kernel read-only data modification", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected kprobe handler(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected kprobe handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected processes in runqueue(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected processes in runqueue", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Defense Evasion: Unexpected system call handler(预览版)
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID", "category": "Defense Evasion: Unexpected system call handler", "createTime": "2023-01-12T00:39:33.007Z", "database": {}, "eventTime": "2023-01-11T21:24:05.326Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": {}, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "MEDIUM", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "project_display_name": "PROJECT_ID", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Execution: Cryptocurrency Mining Combined
Detection
以下输出示例显示了 CRYPTOMINING_HASH 和 CRYPTOMINING_YARA 模块都检测到的威胁。
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Cryptocurrency Mining Combined Detection", "createTime": "2023-01-05T01:40:48.994Z", "database": {}, "eventTime": "2023-01-05T01:39:36.876Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "yaraRuleSignature": { "yaraRule": "YARA_RULE1" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE9" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE10" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE25" } }, { "memoryHashSignature": { "binaryFamily": "XMRig", "detections": [ { "binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1 } ] } } ] }, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [ { "binary": { "path": "BINARY_PATH" }, "script": {}, "args": [ "./miner", "" ], "pid": "123", "parentPid": "456", "name": "miner" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Execution: Cryptocurrency Mining Hash Match
Detection
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Cryptocurrency Mining Hash Match", "createTime": "2023-01-05T01:40:48.994Z", "database": {}, "eventTime": "2023-01-05T01:39:36.876Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "memoryHashSignature": { "binaryFamily": "XMRig", "detections": [ { "binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1 } ] } } ] }, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [ { "binary": { "path": "BINARY_PATH" }, "script": {}, "args": [ "./miner", "" ], "pid": "123", "parentPid": "456", "name": "miner" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Execution: Cryptocurrency Mining YARA Rule
{ "findings": { "access": {}, "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Execution: Cryptocurrency Mining YARA Rule", "createTime": "2023-01-05T00:37:38.450Z", "database": {}, "eventTime": "2023-01-05T01:12:48.828Z", "exfiltration": {}, "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "yaraRuleSignature": { "yaraRule": "YARA_RULE9" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE10" } }, { "yaraRuleSignature": { "yaraRule": "YARA_RULE25" } } ] }, "kernelRootkit": {}, "kubernetes": {}, "mitreAttack": { "version": "9" }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "processes": [ { "binary": { "path": "BINARY_PATH" }, "script": {}, "args": [ "./miner", "" ], "pid": "123", "parentPid": "456", "name": "miner" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
Malware: Malicious file on disk (YARA)
{ "findings": { "assetDisplayName": "DISPLAY_NAME", "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID", "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "Malware: Malicious file on disk (YARA)", "createTime": "2023-01-05T00:37:38.450Z", "eventTime": "2023-01-05T01:12:48.828Z", "findingClass": "THREAT", "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd", "indicator": { "signatures": [ { "yaraRuleSignature": { "yaraRule": "M_Backdoor_REDSONJA_4" }, "signatureType": "SIGNATURE_TYPE_FILE", }, { "yaraRuleSignature": { "yaraRule": "M_Backdoor_REDSONJA_3" }, "signatureType": "SIGNATURE_TYPE_FILE", } ] }, "mute": "UNDEFINED", "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID", "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID", "parentDisplayName": "Virtual Machine Threat Detection", "files": [ { "diskPath": { "partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539", "relative_path": "RELATIVE_PATH" }, "size": "21238", "sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69", "hashedSize": "21238" } ], "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "severity": "HIGH", "sourceDisplayName": "Virtual Machine Threat Detection", "state": "ACTIVE", "vulnerability": {}, "workflowState": "NEW" }, "resource": { "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID", "display_name": "DISPLAY_NAME", "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "project_display_name": "DISPLAY_NAME", "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "parent_display_name": "DISPLAY_NAME", "type": "google.compute.Instance", "folders": [] }, "sourceProperties": {} }
更改发现结果的状态
解决了由 VM Threat Detection 识别出的威胁后,该服务不会在后续扫描中自动将发现结果状态设置为非活跃。由于我们的威胁网域的性质,VM Threat Detection 无法确定威胁是否已被缓解或发生变化,以免被检测出。
当安全团队认为威胁得到缓解时,可以执行以下步骤,将发现结果状态更改为非活跃。
在 Google Cloud 控制台中,进入 Security Command Center 的发现结果页面。
在查看方式旁边,点击来源类型。
在来源类型列表中,选择 Virtual Machine Threat Detection。系统会根据所选来源类型在表中填充发现结果。
选中已解决的发现结果旁边的复选框。
点击更改活跃状态。
点击无效。
为 Google Cloud启用或停用 VM Threat Detection
本部分介绍了如何为 Compute Engine 虚拟机启用或停用 VM Threat Detection。如需为 AWS 虚拟机启用 VM Threat Detection,请改为参阅为 AWS 启用 VM Threat Detection。
VM Threat Detection 对 2022 年 7 月 15 日(此服务正式发布的时间)之后注册 Security Command Center Premium 的所有客户默认启用。如果需要,您可以为项目或组织手动停用或重新启用此服务。
如果您在组织或项目中启用 VM Threat Detection,该服务会自动扫描该组织或项目中的所有受支持的资源。相反,当您对组织或项目停用 VM Threat Detection 时,此服务会停止扫描其中所有支持的资源。
如需启用或停用 VM Threat Detection,请执行以下操作:
控制台
在 Google Cloud 控制台中,前往 Virtual Machine Threat Detection Service Enablement 页面。
选择您的组织或项目。
在服务启用标签页的 Virtual Machine Threat Detection 列中,选择要修改的组织、文件夹或项目的启用状态,然后选择以下任一选项:
- 启用:启用 VM Threat Detection
- 停用:停用 VM Threat Detection
- 继承:从父级文件夹或组织继承启用状态;仅适用于项目和文件夹
gcloud
gcloud scc manage services update 命令用于更新 Security Command Center 服务或模块的状态。
在使用下面的命令数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要更新的资源类型(organization、folder或project) -
RESOURCE_ID:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID -
NEW_STATE:ENABLED表示启用 VM Threat Detection;DISABLED表示停用 VM Threat Detection;INHERITED表示继承父级资源的启用状态(仅适用于项目和文件夹)
执行 gcloud scc manage services update 命令:
Linux、macOS 或 Cloud Shell
gcloud scc manage services update vm-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID \ --enablement-state=NEW_STATE
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID ` --enablement-state=NEW_STATE
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID ^ --enablement-state=NEW_STATE
您应该会收到类似如下所示的响应:
effectiveEnablementState: ENABLED
modules:
CRYPTOMINING_HASH:
effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
CRYPTOMINING_YARA:
effectiveEnablementState: ENABLED
KERNEL_INTEGRITY_TAMPERING:
effectiveEnablementState: ENABLED
KERNEL_MEMORY_TAMPERING:
effectiveEnablementState: ENABLED
MALWARE_DISK_SCAN_YARA:
effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
Security Command Center Management API 的 RESOURCE_TYPE.locations.securityCenterServices.patch 方法用于更新 Security Command Center 服务或模块的状态。
在使用任何请求数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要更新的资源类型(organizations、folders或projects) -
QUOTA_PROJECT:用于结算和配额跟踪的项目 ID -
RESOURCE_ID:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID -
NEW_STATE:ENABLED表示启用 VM Threat Detection;DISABLED表示停用 VM Threat Detection;INHERITED表示继承父级资源的启用状态(仅适用于项目和文件夹)
HTTP 方法和网址:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=intendedEnablementState
请求 JSON 正文:
{
"intendedEnablementState": "NEW_STATE"
}
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{
"name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
"effectiveEnablementState": "ENABLED",
"modules": {
"CRYPTOMINING_YARA": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_MEMORY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_INTEGRITY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"CRYPTOMINING_HASH": {
"intendedEnablementState": "ENABLED",
"effectiveEnablementState": "ENABLED"
},
"MALWARE_DISK_SCAN_YARA": {
"effectiveEnablementState": "ENABLED"
}
},
"updateTime": "2024-08-05T22:32:01.536452397Z"
}
启用或停用 VM Threat Detection 模块
如需启用或停用单个 VM Threat Detection 检测器(也称为“模块”),请执行以下操作。您的更改最长可能需要 1 小时才会生效。
如需了解所有 VM Threat Detection 威胁发现结果及其生成模块,请参阅威胁发现结果。
控制台
您可以在 Google Cloud 控制台中在组织级别启用或停用 VM Threat Detection 模块。如需在文件夹级或项目级启用或停用虚拟机威胁检测模块,请使用 gcloud CLI 或 REST API。
在 Google Cloud 控制台中,前往 Virtual Machine Threat Detection Modules(虚拟机威胁检测模块)页面。
点击要为其启用或停用模块的云服务提供商的标签页,例如 Google Cloud。
在模块标签页的状态列中,选择要启用或停用的模块的当前状态,然后选择以下任一选项:
- 启用:启用模块。
- 停用:停用模块。
gcloud
gcloud scc manage services update 命令用于更新 Security Command Center 服务或模块的状态。
在使用下面的命令数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要更新的资源类型(organization、folder或project) -
RESOURCE_ID:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID -
MODULE_NAME:要启用或停用的模块的名称;如需了解有效值,请参阅威胁发现 -
NEW_STATE:ENABLED用于启用模块;DISABLED用于停用模块;INHERITED用于继承父级资源的启用状态(仅适用于项目和文件夹)
将以下内容保存在名为 request.json 的文件中:
{ "MODULE_NAME": { "intendedEnablementState": "NEW_STATE" } }
执行 gcloud scc manage services update 命令:
Linux、macOS 或 Cloud Shell
gcloud scc manage services update vm-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID \ --enablement-state=ENABLED \ --module-config-file=request.json
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID ` --enablement-state=ENABLED \ --module-config-file=request.json
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID ^ --enablement-state=ENABLED \ --module-config-file=request.json
您应该会收到类似如下所示的响应:
effectiveEnablementState: ENABLED
modules:
CRYPTOMINING_HASH:
effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
CRYPTOMINING_YARA:
effectiveEnablementState: ENABLED
KERNEL_INTEGRITY_TAMPERING:
effectiveEnablementState: ENABLED
KERNEL_MEMORY_TAMPERING:
effectiveEnablementState: ENABLED
MALWARE_DISK_SCAN_YARA:
effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
Security Command Center Management API 的 RESOURCE_TYPE.locations.securityCenterServices.patch 方法用于更新 Security Command Center 服务或模块的状态。
在使用任何请求数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要更新的资源类型(organizations、folders或projects) -
QUOTA_PROJECT:用于结算和配额跟踪的项目 ID -
RESOURCE_ID:要更新的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID -
MODULE_NAME:要启用或停用的模块的名称;如需了解有效值,请参阅威胁发现 -
NEW_STATE:ENABLED用于启用模块;DISABLED用于停用模块;INHERITED用于继承父级资源的启用状态(仅适用于项目和文件夹)
HTTP 方法和网址:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=modules
请求 JSON 正文:
{
"modules": {
"MODULE_NAME": {
"intendedEnablementState": "NEW_STATE"
}
}
}
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{
"name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
"effectiveEnablementState": "ENABLED",
"modules": {
"CRYPTOMINING_YARA": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_MEMORY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_INTEGRITY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"CRYPTOMINING_HASH": {
"intendedEnablementState": "ENABLED",
"effectiveEnablementState": "ENABLED"
},
"MALWARE_DISK_SCAN_YARA": {
"effectiveEnablementState": "ENABLED"
}
},
"updateTime": "2024-08-05T22:32:01.536452397Z"
}
查看 VM Threat Detection 模块的设置
如需了解所有 VM Threat Detection 威胁发现结果及其生成模块,请参阅威胁发现结果表格。
控制台
借助 Google Cloud 控制台,您可以在组织级查看 VM Threat Detection 模块的设置。如需在文件夹级或项目级查看虚拟机威胁检测模块的设置,请使用 gcloud CLI 或 REST API。
如需在 Google Cloud 控制台中查看设置,请前往虚拟机威胁检测模块页面。
gcloud
gcloud scc manage services describe 命令用于获取 Security Command Center 服务或模块的状态。
在使用下面的命令数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要获取的资源类型(organization、folder或project) -
QUOTA_PROJECT:用于结算和配额跟踪的项目 ID -
RESOURCE_ID:要获取的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID
执行 gcloud scc manage services describe 命令:
Linux、macOS 或 Cloud Shell
gcloud scc manage services describe vm-threat-detection \ --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud scc manage services describe vm-threat-detection ` --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud scc manage services describe vm-threat-detection ^ --RESOURCE_TYPE=RESOURCE_ID
您应该会收到类似如下所示的响应:
effectiveEnablementState: ENABLED
modules:
CRYPTOMINING_HASH:
effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
CRYPTOMINING_YARA:
effectiveEnablementState: ENABLED
KERNEL_INTEGRITY_TAMPERING:
effectiveEnablementState: ENABLED
KERNEL_MEMORY_TAMPERING:
effectiveEnablementState: ENABLED
MALWARE_DISK_SCAN_YARA:
effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
Security Command Center Management API 的 RESOURCE_TYPE.locations.securityCenterServices.get 方法可获取 Security Command Center 服务或模块的状态。
在使用任何请求数据之前,请先进行以下替换:
-
RESOURCE_TYPE:要获取的资源类型(organizations、folders或projects) -
QUOTA_PROJECT:用于结算和配额跟踪的项目 ID -
RESOURCE_ID:要获取的组织、文件夹或项目的数字标识符;对于项目,您还可以使用字母数字项目 ID
HTTP 方法和网址:
GET https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection
如需发送您的请求,请展开以下选项之一:
您应该收到类似以下内容的 JSON 响应:
{
"name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
"effectiveEnablementState": "ENABLED",
"modules": {
"CRYPTOMINING_YARA": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_MEMORY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"KERNEL_INTEGRITY_TAMPERING": {
"effectiveEnablementState": "ENABLED"
},
"CRYPTOMINING_HASH": {
"intendedEnablementState": "ENABLED",
"effectiveEnablementState": "ENABLED"
},
"MALWARE_DISK_SCAN_YARA": {
"effectiveEnablementState": "ENABLED"
}
},
"updateTime": "2024-08-05T22:32:01.536452397Z"
}
用于检测加密货币挖矿的软件名称和 YARA 规则
以下列表包含触发加密货币挖矿发现结果的二进制文件和 YARA 规则的名称。如需查看列表,请展开节点。
Execution: Cryptocurrency Mining Hash Match
- Arionum CPU Miner:面向 Arionum 加密货币的挖矿软件
- Avermore:面向基于 Scrypt 加密货币的挖矿软件
- Beam CUDA Miner:面向基于 Equihash 的加密货币的挖矿软件
- Beam OpenCL Miner:面向基于 Equihash 的加密货币的挖矿软件
- BFGMiner:面向比特币的 ASIC/FPGA 挖矿软件
- BMiner:面向各种加密货币的挖矿软件
- Cast XMR:面向 基于 CryptoNight 的加密货币的挖矿软件
- ccminer:基于 CUDA 的挖矿软件
- cgminer:面向比特币的 ASIC/FPGA 挖矿软件
- Claymore's Miner:面向各种加密货币的基于 GPU 的挖掘软件
- CPUMiner:基于 CPU 的挖掘软件系列
- CryptoDredge:面向 CryptoDredge 的挖矿软件系列
- CryptoGoblin:面向 基于 CryptoNight 的加密货币的挖矿软件
- DamoMiner:面向 Ethereum 和其他加密货币的基于 GPU 的挖矿软件
- DigitsMiner:面向 Digits 的挖掘软件
- EasyMiner:面向比特币和其他加密货币的挖矿软件
- Ethminer:面向 Etherum 和其他加密货币的挖矿软件
- EWBF:面向基于 Equihash 的加密货币的挖矿软件
- FinMiner:面向 Ethash 和基于 CryptoNight 的加密货币的挖矿软件
- Funakoshi Miner:面向 Bitcoin-Gold 加密货币的挖矿软件
- Geth:面向 Ethereum 的挖矿软件
- GMiner:面向各种加密货币的挖矿软件
- gominer:面向 Decred 的挖矿软件
- GrinGoldMiner:面向 Grin 的挖矿软件
- Hush:面向基于 Zcash 的加密货币的挖矿软件
- IxiMiner:面向 Ixian 的挖矿软件
- kawpowminer:面向 Ravencoin 的挖矿软件
- Komodo:面向 Komodo 的采矿软件系列
- lolMiner:面向各种加密货币的挖矿软件
- lukMiner:面向各种加密货币的挖矿软件
- MinerGate:面向各种加密货币的挖矿软件
- miniZ:面向基于 Equihash 的加密货币的挖矿软件
- Mirai:可用于挖掘加密货币的恶意软件
- MultiMiner:面向各种加密货币的挖矿软件
- nanominer:面向各种加密货币的挖矿软件
- NBMiner:面向各种加密货币的挖矿软件
- Nevermore:面向各种加密货币的挖矿软件
- nheqminer:面向 NiceHash 的挖矿软件
- NinjaRig:面向基于 Argon2 的加密货币的挖矿软件
- NodeCore PoW CUDA Miner:面向 VeriBlock 的挖矿软件
- NoncerPro:面向 Nimiq 的挖矿软件
- Optiminer/Equihash:面向基于 Equihash 的加密货币的挖矿软件
- PascalCoin:面向 PascalCoin 的挖矿软件系列
- PhoenixMiner:面向 Ethereum 的挖矿软件
- Pooler CPU Miner:面向 Litecoin 和 Bitcoin 的挖矿软件
- ProgPoW Miner:面向 Ethereum 和其他加密货币的挖矿软件
- rhminer:面向 PascalCoin 的挖矿软件
- sgminer:面向基于 scrypt 加密货币的挖矿软件
- simplecoin:面向基于 scrypt 的 SimpleCoin 的挖矿软件系列
- Skypool Nimiq Miner:面向 Nimiq 的挖矿软件
- SwapReferenceMiner:面向 Grin 的挖矿软件
- Team Red Miner:面向各种加密货币的基于 AMD 的挖矿软件
- T-Rex:面向各种加密货币的挖矿软件
- TT-Miner:面向各种加密货币的挖矿软件
- Ubqminer:面向基于 Ubqhash 的加密货币的挖矿软件
- VersusCoin:面向 VersusCoin 的挖矿软件
- violetminer:面向基于 Argon2 的加密货币的挖矿软件
- webchain-miner:面向 MintMe 的挖矿软件
- WildRig:面向各种加密货币的挖矿软件
- XCASH_ALL_Miner:面向 XCASH 的挖矿软件
- xFash:面向 MinerGate 的挖矿软件
- XLArig:面向基于 CryptoNight 的加密货币的挖矿软件
- XMRig:面向各种加密货币的挖矿软件
- Xmr-Stak:面向基于 CryptoNight 的加密货币的挖矿软件
- XMR-Stak TurtleCoin:面向基于 CryptoNight 的加密货币的挖矿软件
- Xtl-Stak:面向基于 CryptoNight 的加密货币的挖矿软件
- Yam Miner:面向 MinerGate 的挖矿软件
- YCash:面向 YCash 的挖矿软件
- ZCoin:面向 ZCoin/Fire 的挖矿软件
- Zealot/Enemy:面向各种加密货币的挖矿软件
- 加密货币挖矿机信号1
1 此通用威胁名称表示虚拟机中可能运行未知的加密货币挖矿机活动,但 VM Threat Detection 没有关于该挖矿机的具体信息。
Execution: Cryptocurrency Mining YARA Rule
- YARA_RULE1:与面向 Monero 的挖矿软件匹配
- YARA_RULE9:与使用 Blake2 和 AES 加密的挖矿软件匹配
- YARA_RULE10:与使用 CryptoNight 工作证明例程的挖矿软件匹配
- YARA_RULE15:与面向 NBMiner 的挖矿软件匹配
- YARA_RULE17:与使用 Scrypt 工作证明例程的挖矿软件匹配
- YARA_RULE18:与使用 Scrypt 工作证明例程的挖矿软件匹配
- YARA_RULE19:与面向 BFGMiner 的挖矿软件匹配
- YARA_RULE24:与面向 XMR-Stak 的挖矿软件匹配
- YARA_RULE25:与面向 XMRig 的挖矿软件匹配
- DYNAMIC_YARA_RULE_BFGMINER_2:与面向 BFGMiner 的挖矿软件匹配
后续步骤
- 详细了解 VM Threat Detection。
- 了解如何允许 VM Threat Detection 扫描 VPC Service Controls 边界中的虚拟机。
- 了解如何为 AWS 启用 VM Threat Detection。
- 了解如何调查 VM Threat Detection 发现结果。