This page explains how to view and manage Virtual Machine Threat Detection (VM Threat Detection) findings, and how to enable or disable the service and its modules.
Overview
Virtual Machine Threat Detection is a built-in service of Security Command Center, available in the Enterprise and Premium tiers. It scans virtual machines to detect potentially malicious applications, such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments.
VM Threat Detection is part of the Security Command Center threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.
For more information, see the VM Threat Detection overview.
Costs
Once you are enrolled in the Security Command Center Premium tier, using VM Threat Detection incurs no additional cost.
Before you begin
To get the permissions that you need to manage the VM Threat Detection service and its modules, ask your administrator to grant you the Security Center Management Admin (roles/securitycentermanagement.admin) IAM role on the organization, folder, or project. For more information about granting roles, see Manage access to projects, folders, and organizations.
Test VM Threat Detection
To test the cryptocurrency mining detection capability of VM Threat Detection, you can run a cryptocurrency mining application on a VM. For the list of binary names and YARA rules that trigger findings, see Software names and YARA rules. If you install and test a mining application, we recommend that you run it only in an isolated test environment, monitor its use closely, and remove it completely after the test.
To test the malware detection capability of VM Threat Detection, you can download a malware application on a VM. If you download malware, we recommend that you run it only in an isolated test environment and remove it completely after the test.
View findings in the Google Cloud console
To view VM Threat Detection findings in the Google Cloud console, follow these steps:
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
- In the Quick filters section, in the Source display name subsection, select Virtual Machine Threat Detection. The findings query results are updated to show only findings from this source.
- To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and shows the Summary tab.
- On the Summary tab, review the details of the finding, including what was detected, the affected resource, and, if available, the steps you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
For more information about how to respond to each VM Threat Detection finding, see VM Threat Detection response.
For the list of VM Threat Detection findings, see Findings.
Severity
VM Threat Detection findings are assigned a severity of High, Medium, or Low based on the confidence of the threat classification.
Combined detection
A combined detection occurs when findings of several categories are detected within one day. These findings may be caused by one or more malicious applications.
For example, a single application can trigger both an Execution: Cryptocurrency Mining YARA Rule finding and an Execution: Cryptocurrency Mining Hash Match finding. However, if multiple threats are detected from a single source within the same day, they are consolidated into a single combined detection finding. If further threats are detected later (even the same threats), they are appended to a new finding.
For an example of a combined detection finding, see Example finding format.
Example finding format
These example JSON outputs contain the common fields of VM Threat Detection findings. Each example shows only the fields relevant to that finding type; it is not a complete list of fields.
You can export findings through the Security Command Center console or list findings through the Security Command Center API.
For information about each field in a finding, see Finding.
Defense Evasion: Rootkit
This example output shows a finding for a known kernel-mode rootkit, Diamorphine.
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Rootkit",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {
      "name": "Diamorphine",
      "unexpected_kernel_code_pages": true,
      "unexpected_system_call_handler": true
    },
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
Defense Evasion: Unexpected ftrace handler
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected ftrace handler",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
Defense Evasion: Unexpected interrupt handler
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected interrupt handler",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
Defense Evasion: Unexpected kernel modules
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected kernel modules",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
Defense Evasion: Unexpected kernel read-only data modification
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected kernel read-only data modification",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
Defense Evasion: Unexpected kprobe handler
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected kprobe handler",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
Defense Evasion: Unexpected processes in runqueue
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected processes in runqueue",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
Defense Evasion: Unexpected system call handler
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Defense Evasion: Unexpected system call handler",
    "createTime": "2023-01-12T00:39:33.007Z",
    "database": {},
    "eventTime": "2023-01-11T21:24:05.326Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "project_display_name": "PROJECT_ID",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
Execution: Cryptocurrency Mining Combined Detection
This example output shows threats detected by both the CRYPTOMINING_HASH and CRYPTOMINING_YARA modules.
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining Combined Detection",
    "createTime": "2023-01-05T01:40:48.994Z",
    "database": {},
    "eventTime": "2023-01-05T01:39:36.876Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE1" } },
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE9" } },
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE10" } },
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE25" } },
        {
          "memoryHashSignature": {
            "binaryFamily": "XMRig",
            "detections": [
              { "binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1 }
            ]
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": { "path": "BINARY_PATH" },
        "script": {},
        "args": [ "./miner", "" ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
Execution: Cryptocurrency Mining Hash Match
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining Hash Match",
    "createTime": "2023-01-05T01:40:48.994Z",
    "database": {},
    "eventTime": "2023-01-05T01:39:36.876Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "memoryHashSignature": {
            "binaryFamily": "XMRig",
            "detections": [
              { "binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1 }
            ]
          }
        }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": { "path": "BINARY_PATH" },
        "script": {},
        "args": [ "./miner", "" ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
Execution: Cryptocurrency Mining YARA Rule
{
  "findings": {
    "access": {},
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Execution: Cryptocurrency Mining YARA Rule",
    "createTime": "2023-01-05T00:37:38.450Z",
    "database": {},
    "eventTime": "2023-01-05T01:12:48.828Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE9" } },
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE10" } },
        { "yaraRuleSignature": { "yaraRule": "YARA_RULE25" } }
      ]
    },
    "kernelRootkit": {},
    "kubernetes": {},
    "mitreAttack": { "version": "9" },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "processes": [
      {
        "binary": { "path": "BINARY_PATH" },
        "script": {},
        "args": [ "./miner", "" ],
        "pid": "123",
        "parentPid": "456",
        "name": "miner"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
Malware: Malicious file on disk (YARA)
{
  "findings": {
    "assetDisplayName": "DISPLAY_NAME",
    "assetId": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
    "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "Malware: Malicious file on disk (YARA)",
    "createTime": "2023-01-05T00:37:38.450Z",
    "eventTime": "2023-01-05T01:12:48.828Z",
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/vmtd",
    "indicator": {
      "signatures": [
        {
          "yaraRuleSignature": { "yaraRule": "M_Backdoor_REDSONJA_4" },
          "signatureType": "SIGNATURE_TYPE_FILE"
        },
        {
          "yaraRuleSignature": { "yaraRule": "M_Backdoor_REDSONJA_3" },
          "signatureType": "SIGNATURE_TYPE_FILE"
        }
      ]
    },
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "parentDisplayName": "Virtual Machine Threat Detection",
    "files": [
      {
        "diskPath": {
          "partition_uuid": "b411dc99-f0a0-4c87-9e05-184977be8539",
          "relative_path": "RELATIVE_PATH"
        },
        "size": "21238",
        "sha256": "65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69",
        "hashedSize": "21238"
      }
    ],
    "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "severity": "HIGH",
    "sourceDisplayName": "Virtual Machine Threat Detection",
    "state": "ACTIVE",
    "vulnerability": {},
    "workflowState": "NEW"
  },
  "resource": {
    "name": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
    "display_name": "DISPLAY_NAME",
    "project_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "project_display_name": "DISPLAY_NAME",
    "parent_name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "parent_display_name": "DISPLAY_NAME",
    "type": "google.compute.Instance",
    "folders": []
  },
  "sourceProperties": {}
}
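The following Python helper is an added example, not code from this documentation or from the VM Threat Detection service. It reads findings in the format shown above (exported from the console or listed through the API) and pulls out what a responder triages first: YARA rule names, memory-hash family matches, the kernel rootkit checks that tripped, and the attached processes and files; a combined detection, as described earlier, arrives as one finding carrying several signature types, and it is handled the same way. The sample findings inside it are constructed from the documented fields, trimmed, with the documentation's placeholder IDs.

```python
"""Triage helper for VM Threat Detection finding JSON (added example, not
documentation or service code). Reads findings in the format shown above and
extracts the evidence a responder needs first. Sample findings are constructed,
trimmed to the fields used here, with the documentation's placeholder IDs."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Triage:
    category: str
    severity: str
    resource: str
    combined: bool = False                    # "Combined Detection" category
    yara_rules: List[str] = field(default_factory=list)
    # (binaryFamily, binary, percentPagesMatched) from each memoryHashSignature
    hash_matches: List[Tuple[str, str, int]] = field(default_factory=list)
    rootkit_name: Optional[str] = None
    rootkit_checks: List[str] = field(default_factory=list)   # kernelRootkit flags set to true
    processes: List[Tuple[str, str, List[str]]] = field(default_factory=list)  # (pid, name, args)
    files: List[Tuple[str, str]] = field(default_factory=list)  # (relative_path, sha256)


def triage_finding(doc: dict) -> Triage:
    """Extract indicators from one exported finding ({"findings": {...}, ...})."""
    f = doc["findings"]
    t = Triage(category=f["category"], severity=f.get("severity", "UNKNOWN"),
               resource=f.get("resourceName", ""))
    t.combined = "Combined Detection" in t.category
    # Memory-scan evidence: YARA rule names and memory-hash family matches.
    for sig in f.get("indicator", {}).get("signatures", []):
        if "yaraRuleSignature" in sig:
            t.yara_rules.append(sig["yaraRuleSignature"]["yaraRule"])
        if "memoryHashSignature" in sig:
            mh = sig["memoryHashSignature"]
            for d in mh.get("detections", []):
                t.hash_matches.append((mh.get("binaryFamily", "?"), d.get("binary", "?"),
                                       d.get("percentPagesMatched", 0)))
    # Kernel-mode rootkit evidence: the rootkit name (if known) and which checks tripped.
    kr = f.get("kernelRootkit") or {}
    t.rootkit_name = kr.get("name")
    t.rootkit_checks = sorted(k for k, v in kr.items() if v is True)
    # Processes and on-disk files attached to the finding (empty args are dropped).
    for p in f.get("processes", []):
        t.processes.append((p.get("pid", "?"), p.get("name", "?"),
                            [a for a in p.get("args", []) if a]))
    for fl in f.get("files", []):
        t.files.append((fl.get("diskPath", {}).get("relative_path", "?"),
                        fl.get("sha256", "?")))
    return t


def summarize(t: Triage) -> str:
    """One-line summary for a ticket or notification."""
    parts = [f"[{t.severity}] {t.category} on {t.resource.rsplit('/', 1)[-1]}"]
    if t.combined:
        parts.append("combined detection: several categories from one source within a day")
    if t.yara_rules:
        parts.append("YARA: " + ",".join(t.yara_rules))
    for fam, binary, pct in t.hash_matches:
        parts.append(f"hash match: {fam} ({binary}, percentPagesMatched={pct})")
    if t.rootkit_name or t.rootkit_checks:
        parts.append(f"rootkit: {t.rootkit_name or 'unnamed'} [{' '.join(t.rootkit_checks)}]")
    for pid, name, args in t.processes:
        parts.append(f"process {name} pid={pid} args={args}")
    for path, digest in t.files:
        parts.append(f"file {path} sha256={digest}")
    return " | ".join(parts)


# Constructed samples mirroring the documented formats (trimmed).
_INST = "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID"
SAMPLE_COMBINED = {"findings": {
    "category": "Execution: Cryptocurrency Mining Combined Detection", "severity": "HIGH",
    "resourceName": _INST, "kernelRootkit": {},
    "indicator": {"signatures": [
        {"yaraRuleSignature": {"yaraRule": "YARA_RULE1"}},
        {"yaraRuleSignature": {"yaraRule": "YARA_RULE25"}},
        {"memoryHashSignature": {"binaryFamily": "XMRig", "detections": [
            {"binary": "linux-x86-64_xmrig_6.12.2", "percentPagesMatched": 1}]}}]},
    "processes": [{"binary": {"path": "BINARY_PATH"}, "args": ["./miner", ""],
                   "pid": "123", "parentPid": "456", "name": "miner"}]}}
SAMPLE_ROOTKIT = {"findings": {
    "category": "Defense Evasion: Rootkit", "severity": "HIGH", "resourceName": _INST,
    "indicator": {}, "processes": [],
    "kernelRootkit": {"name": "Diamorphine", "unexpected_kernel_code_pages": True,
                      "unexpected_system_call_handler": True}}}
SAMPLE_MALWARE = {"findings": {
    "category": "Malware: Malicious file on disk (YARA)", "severity": "HIGH",
    "resourceName": _INST,
    "indicator": {"signatures": [{"yaraRuleSignature": {"yaraRule": "M_Backdoor_REDSONJA_4"},
                                  "signatureType": "SIGNATURE_TYPE_FILE"}]},
    "files": [{"diskPath": {"partition_uuid": "PARTITION_UUID", "relative_path": "RELATIVE_PATH"},
               "size": "21238", "sha256": "SHA256_PLACEHOLDER", "hashedSize": "21238"}]}}

if __name__ == "__main__":
    for doc in (SAMPLE_COMBINED, SAMPLE_ROOTKIT, SAMPLE_MALWARE):
        print(summarize(triage_finding(doc)))
```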
Change the state of a finding
After you resolve a threat identified by the VM Threat Detection service, the service does not automatically set the state of the finding to Inactive in subsequent scans. Because of the nature of the threat domain, VM Threat Detection cannot determine whether a threat has been mitigated or has changed in order to avoid detection.
After your security team confirms that the threat is mitigated, you can follow these steps to change the state of the finding to Inactive.
In the Google Cloud console, go to the Findings page of Security Command Center.
Next to View by, click Source type.
In the Source type list, select Virtual Machine Threat Detection. The table is populated with findings for the selected source type.
Find the finding that you resolved and select the checkbox next to it.
Click Change active state.
Click Inactive.
Enable or disable VM Threat Detection for Google Cloud
This section explains how to enable or disable VM Threat Detection for Compute Engine VMs. To enable VM Threat Detection for AWS VMs, see Enable VM Threat Detection for AWS instead.
Since the service became generally available on July 15, 2022, VM Threat Detection has been enabled by default for all customers enrolled in Security Command Center Premium. If needed, you can manually disable or re-enable it for a project or organization.
When VM Threat Detection is enabled for an organization or project, the service automatically scans all supported resources in that organization or project. Conversely, when VM Threat Detection is disabled for an organization or project, the service stops scanning all supported resources in it.
To enable or disable VM Threat Detection, follow these steps:
Console
Go to the Virtual Machine Threat Detection Service Enablement page in the Google Cloud console.
Select your organization or project.
On the Service Enablement tab, in the Virtual Machine Threat Detection column, select the enablement state of the organization, folder, or project that you want to modify, and then select one of the following options:
- Enable: enables VM Threat Detection
- Disable: disables VM Threat Detection
- Inherit: inherits the enablement state of the parent folder or organization; only applicable to projects and folders
gcloud
The gcloud scc manage services update command updates the state of a Security Command Center service or module.
Before using any of the command data below, make the following replacements:
- RESOURCE_TYPE: the type of resource to update (organization, folder, or project)
- RESOURCE_ID: the numeric ID of the organization, folder, or project to update; for a project, you can also use the alphanumeric project ID
- NEW_STATE: ENABLED to enable VM Threat Detection, DISABLED to disable VM Threat Detection, or INHERITED to inherit the enablement state of the parent resource (only applicable to projects and folders)
Run the gcloud scc manage services update command:
Linux, macOS, or Cloud Shell
gcloud scc manage services update vm-threat-detection \
  --RESOURCE_TYPE=RESOURCE_ID \
  --enablement-state=NEW_STATE
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection `
  --RESOURCE_TYPE=RESOURCE_ID `
  --enablement-state=NEW_STATE
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^
  --RESOURCE_TYPE=RESOURCE_ID ^
  --enablement-state=NEW_STATE
You should receive a response similar to the following:
effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
The RESOURCE_TYPE.locations.securityCenterServices.patch method of the Security Command Center Management API updates the state of a Security Command Center service or module.
Before using any of the request data, make the following replacements:
- RESOURCE_TYPE: the type of resource to update (organizations, folders, or projects)
- QUOTA_PROJECT: the project ID to use for billing and quota tracking
- RESOURCE_ID: the numeric ID of the organization, folder, or project to update; for a project, you can also use the alphanumeric project ID
- NEW_STATE: ENABLED to enable VM Threat Detection, DISABLED to disable VM Threat Detection, or INHERITED to inherit the enablement state of the parent resource (only applicable to projects and folders)
HTTP method and URL:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=intendedEnablementState
Request JSON body:
{ "intendedEnablementState": "NEW_STATE" }
You should receive a JSON response similar to the following:
{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": { "effectiveEnablementState": "ENABLED" },
    "KERNEL_MEMORY_TAMPERING": { "effectiveEnablementState": "ENABLED" },
    "KERNEL_INTEGRITY_TAMPERING": { "effectiveEnablementState": "ENABLED" },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": { "effectiveEnablementState": "ENABLED" }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}
Enable or disable VM Threat Detection modules
To enable or disable individual VM Threat Detection detectors (also called modules), follow these steps. Your changes can take up to 1 hour to take effect.
For information about all VM Threat Detection threat findings and the modules that generate them, see Threat findings.
Console
You can enable or disable VM Threat Detection modules at the organization level in the Google Cloud console. To enable or disable VM Threat Detection modules at the folder or project level, use the gcloud CLI or the REST API.
Go to the Virtual Machine Threat Detection Modules page in the Google Cloud console.
Click the tab for the cloud service provider whose modules you want to enable or disable, for example Google Cloud.
On the Modules tab, in the Status column, select the current status of the module that you want to enable or disable, and then select one of the following options:
- Enable: enables the module.
- Disable: disables the module.
gcloud
The gcloud scc manage services update command updates the state of a Security Command Center service or module.
Before using any of the command data below, make the following replacements:
- RESOURCE_TYPE: the type of resource to update (organization, folder, or project)
- RESOURCE_ID: the numeric ID of the organization, folder, or project to update; for a project, you can also use the alphanumeric project ID
- MODULE_NAME: the name of the module to enable or disable; for the valid values, see Threat findings
- NEW_STATE: ENABLED to enable the module, DISABLED to disable the module, or INHERITED to inherit the enablement state of the parent resource (only applicable to projects and folders)
Save the following to a file named request.json:
{ "MODULE_NAME": { "intendedEnablementState": "NEW_STATE" } }
Run the gcloud scc manage services update command:
Linux, macOS, or Cloud Shell
gcloud scc manage services update vm-threat-detection \
  --RESOURCE_TYPE=RESOURCE_ID \
  --enablement-state=ENABLED \
  --module-config-file=request.json
Windows (PowerShell)
gcloud scc manage services update vm-threat-detection `
  --RESOURCE_TYPE=RESOURCE_ID `
  --enablement-state=ENABLED `
  --module-config-file=request.json
Windows (cmd.exe)
gcloud scc manage services update vm-threat-detection ^
  --RESOURCE_TYPE=RESOURCE_ID ^
  --enablement-state=ENABLED ^
  --module-config-file=request.json
You should receive a response similar to the following:
effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
The RESOURCE_TYPE.locations.securityCenterServices.patch method of the Security Command Center Management API updates the state of a Security Command Center service or module.
Before using any of the request data, make the following replacements:
- RESOURCE_TYPE: the type of resource to update (organizations, folders, or projects)
- QUOTA_PROJECT: the project ID to use for billing and quota tracking
- RESOURCE_ID: the numeric ID of the organization, folder, or project to update; for a project, you can also use the alphanumeric project ID
- MODULE_NAME: the name of the module to enable or disable; for the valid values, see Threat findings
- NEW_STATE: ENABLED to enable the module, DISABLED to disable the module, or INHERITED to inherit the enablement state of the parent resource (only applicable to projects and folders)
HTTP method and URL:
PATCH https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection?updateMask=modules
Request JSON body:
{ "modules": { "MODULE_NAME": { "intendedEnablementState": "NEW_STATE" } } }
You should receive a JSON response similar to the following:
{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": { "effectiveEnablementState": "ENABLED" },
    "KERNEL_MEMORY_TAMPERING": { "effectiveEnablementState": "ENABLED" },
    "KERNEL_INTEGRITY_TAMPERING": { "effectiveEnablementState": "ENABLED" },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": { "effectiveEnablementState": "ENABLED" }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}
View the configuration of VM Threat Detection modules
For information about all VM Threat Detection threat findings and the modules that generate them, see the Threat findings table.
Console
You can view the configuration of VM Threat Detection modules at the organization level in the Google Cloud console. To view the configuration of VM Threat Detection modules at the folder or project level, use the gcloud CLI or the REST API.
To view the configuration in the Google Cloud console, go to the Virtual Machine Threat Detection Modules page.
gcloud
The gcloud scc manage services describe command gets the state of a Security Command Center service or module.
Before using any of the command data below, make the following replacements:
- RESOURCE_TYPE: the type of resource to get (organization, folder, or project)
- RESOURCE_ID: the numeric ID of the organization, folder, or project to get; for a project, you can also use the alphanumeric project ID
Run the gcloud scc manage services describe command:
Linux, macOS, or Cloud Shell
gcloud scc manage services describe vm-threat-detection \
  --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud scc manage services describe vm-threat-detection `
  --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud scc manage services describe vm-threat-detection ^
  --RESOURCE_TYPE=RESOURCE_ID
You should receive a response similar to the following:
effectiveEnablementState: ENABLED
modules:
  CRYPTOMINING_HASH:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
  CRYPTOMINING_YARA:
    effectiveEnablementState: ENABLED
  KERNEL_INTEGRITY_TAMPERING:
    effectiveEnablementState: ENABLED
  KERNEL_MEMORY_TAMPERING:
    effectiveEnablementState: ENABLED
  MALWARE_DISK_SCAN_YARA:
    effectiveEnablementState: ENABLED
name: projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection
updateTime: '2024-08-05T22:32:01.536452397Z'
REST
The RESOURCE_TYPE.locations.securityCenterServices.get method of the Security Command Center Management API gets the state of a Security Command Center service or module.
Before using any of the request data, make the following replacements:
- RESOURCE_TYPE: the type of resource to get (organizations, folders, or projects)
- QUOTA_PROJECT: the project ID to use for billing and quota tracking
- RESOURCE_ID: the numeric ID of the organization, folder, or project to get; for a project, you can also use the alphanumeric project ID
HTTP method and URL:
GET https://securitycentermanagement.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection
You should receive a JSON response similar to the following:
{
  "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "CRYPTOMINING_YARA": { "effectiveEnablementState": "ENABLED" },
    "KERNEL_MEMORY_TAMPERING": { "effectiveEnablementState": "ENABLED" },
    "KERNEL_INTEGRITY_TAMPERING": { "effectiveEnablementState": "ENABLED" },
    "CRYPTOMINING_HASH": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    },
    "MALWARE_DISK_SCAN_YARA": { "effectiveEnablementState": "ENABLED" }
  },
  "updateTime": "2024-08-05T22:32:01.536452397Z"
}
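The following Python helper is an added example and not Google's client library or documentation code. It builds the Security Command Center Management API requests from the three preceding sections (the service-level PATCH, the module-level PATCH, and the GET that reads the configuration), validates the RESOURCE_TYPE, NEW_STATE and MODULE_NAME placeholders against the rules stated above (INHERITED only for projects and folders; module names as they appear in the responses), and flags modules whose effective state is not ENABLED in a response. The sample response is constructed from the documented shape; `my-project` and `123456` are placeholder IDs, and sending the request with an authenticated HTTP client is left to the caller.

```python
"""Builder/checker for the Security Command Center Management API calls shown
above. Added example, not Google's own code: it only constructs the request
(method, URL with updateMask, JSON body) and interprets a response."""
from typing import Dict, Tuple

BASE = "https://securitycentermanagement.googleapis.com/v1"
RESOURCE_TYPES = ("organizations", "folders", "projects")
STATES = ("ENABLED", "DISABLED", "INHERITED")
# Module names as they appear in the gcloud and REST responses on this page.
MODULES = ("CRYPTOMINING_HASH", "CRYPTOMINING_YARA", "KERNEL_INTEGRITY_TAMPERING",
           "KERNEL_MEMORY_TAMPERING", "MALWARE_DISK_SCAN_YARA")
SERVICE = "vm-threat-detection"


def service_url(resource_type: str, resource_id: str) -> str:
    """RESOURCE_TYPE/RESOURCE_ID/locations/global/securityCenterServices/vm-threat-detection."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"RESOURCE_TYPE must be one of {RESOURCE_TYPES}, got {resource_type!r}")
    if not resource_id:
        raise ValueError("RESOURCE_ID is required")
    return f"{BASE}/{resource_type}/{resource_id}/locations/global/securityCenterServices/{SERVICE}"


def _check_state(resource_type: str, state: str) -> None:
    if state not in STATES:
        raise ValueError(f"NEW_STATE must be one of {STATES}, got {state!r}")
    # INHERITED applies only to projects and folders: an organization has no parent.
    if state == "INHERITED" and resource_type == "organizations":
        raise ValueError("INHERITED is not applicable to organizations")


def service_patch(resource_type: str, resource_id: str, state: str) -> Tuple[str, str, dict]:
    """(method, url, body) for the service-level enablement update."""
    _check_state(resource_type, state)
    url = service_url(resource_type, resource_id) + "?updateMask=intendedEnablementState"
    return "PATCH", url, {"intendedEnablementState": state}


def module_patch(resource_type: str, resource_id: str, module: str,
                 state: str) -> Tuple[str, str, dict]:
    """(method, url, body) for a single module's enablement update."""
    if module not in MODULES:
        raise ValueError(f"MODULE_NAME must be one of {MODULES}, got {module!r}")
    _check_state(resource_type, state)
    url = service_url(resource_type, resource_id) + "?updateMask=modules"
    return "PATCH", url, {"modules": {module: {"intendedEnablementState": state}}}


def service_get(resource_type: str, resource_id: str) -> Tuple[str, str]:
    """(method, url) to read the current service and module configuration."""
    return "GET", service_url(resource_type, resource_id)


def coverage_gaps(response: dict) -> Dict[str, dict]:
    """Service or modules whose effective state is not ENABLED, from a get/patch response.

    A module entry without intendedEnablementState has no explicit setting at this
    resource, so the next place to look is the parent folder's or organization's
    module configuration.
    """
    gaps: Dict[str, dict] = {}
    if response.get("effectiveEnablementState") != "ENABLED":
        gaps[SERVICE] = {"effective": response.get("effectiveEnablementState")}
    for name, cfg in response.get("modules", {}).items():
        if cfg.get("effectiveEnablementState") != "ENABLED":
            gaps[name] = {"effective": cfg.get("effectiveEnablementState"),
                          "intended": cfg.get("intendedEnablementState", "<not set here>")}
    return gaps


# Constructed response in the documented shape: the service is on, but one module
# is effectively disabled without an explicit setting at this project.
SAMPLE_RESPONSE = {
    "name": "projects/1234567890123/locations/global/securityCenterServices/vm-threat-detection",
    "effectiveEnablementState": "ENABLED",
    "modules": {
        "CRYPTOMINING_YARA": {"effectiveEnablementState": "ENABLED"},
        "KERNEL_MEMORY_TAMPERING": {"effectiveEnablementState": "DISABLED"},
        "KERNEL_INTEGRITY_TAMPERING": {"effectiveEnablementState": "ENABLED"},
        "CRYPTOMINING_HASH": {"intendedEnablementState": "ENABLED",
                              "effectiveEnablementState": "ENABLED"},
        "MALWARE_DISK_SCAN_YARA": {"effectiveEnablementState": "ENABLED"},
    },
    "updateTime": "2024-08-05T22:32:01.536452397Z",
}

if __name__ == "__main__":
    print(service_patch("projects", "my-project", "ENABLED"))
    print(module_patch("folders", "123456", "KERNEL_MEMORY_TAMPERING", "ENABLED"))
    print(service_get("projects", "my-project"))
    print(coverage_gaps(SAMPLE_RESPONSE))
```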
Software names and YARA rules used to detect cryptocurrency mining
The following lists the binary names and YARA rule names that trigger cryptocurrency mining findings.
Execution: Cryptocurrency Mining Hash Match
- Arionum CPU Miner: Mining software for the Arionum cryptocurrency
- Avermore: Mining software for Scrypt-based cryptocurrencies
- Beam CUDA Miner: Mining software for Equihash-based cryptocurrencies
- Beam OpenCL Miner: Mining software for Equihash-based cryptocurrencies
- BFGMiner: ASIC/FPGA-based Bitcoin mining software
- BMiner: Mining software for various cryptocurrencies
- Cast XMR: Mining software for CryptoNight-based cryptocurrencies
- ccminer: CUDA-based mining software
- cgminer: ASIC/FPGA-based Bitcoin mining software
- Claymore's Miner: GPU-based mining software for various cryptocurrencies
- CPUMiner: Family of CPU-based mining software
- CryptoDredge: Family of mining software for CryptoDredge
- CryptoGoblin: Mining software for CryptoNight-based cryptocurrencies
- DamoMiner: GPU-based mining software for Ethereum and other cryptocurrencies
- DigitsMiner: Mining software for Digits
- EasyMiner: Mining software for Bitcoin and other cryptocurrencies
- Ethminer: Mining software for Ethereum and other cryptocurrencies
- EWBF: Mining software for Equihash-based cryptocurrencies
- FinMiner: Mining software for Ethash and CryptoNight cryptocurrencies
- Funakoshi Miner: Mining software for the Bitcoin-Gold cryptocurrency
- Geth: Mining software for Ethereum
- GMiner: Mining software for various cryptocurrencies
- gominer: Mining software for Decred
- GrinGoldMiner: Mining software for Grin
- Hush: Mining software for Zcash-based cryptocurrencies
- IxiMiner: Mining software for Ixian
- kawpowminer: Mining software for Ravencoin
- Komodo: Family of mining software for Komodo
- lolMiner: Mining software for various cryptocurrencies
- lukMiner: Mining software for various cryptocurrencies
- MinerGate: Mining software for various cryptocurrencies
- miniZ: Mining software for Equihash-based cryptocurrencies
- Mirai: Malware that can be used for mining
- MultiMiner: Mining software for various cryptocurrencies
- nanominer: Mining software for various cryptocurrencies
- NBMiner: Mining software for various cryptocurrencies
- Nevermore: Mining software for various cryptocurrencies
- nheqminer: Mining software for NiceHash
- NinjaRig: Mining software for Argon2-based cryptocurrencies
- NodeCore PoW CUDA Miner: Mining software for VeriBlock
- NoncerPro: Mining software for Nimiq
- Optiminer/Equihash: Mining software for Equihash-based cryptocurrencies
- PascalCoin: Family of mining software for PascalCoin
- PhoenixMiner: Mining software for Ethereum
- Pooler CPU Miner: Mining software for Litecoin and Bitcoin
- ProgPoW Miner: Mining software for Ethereum and other cryptocurrencies
- rhminer: Mining software for PascalCoin
- sgminer: Mining software for Scrypt-based cryptocurrencies
- simplecoin: Family of mining software for the scrypt-based SimpleCoin
- Skypool Nimiq Miner: Mining software for Nimiq
- SwapReferenceMiner: Mining software for Grin
- Team Red Miner: AMD mining software for various cryptocurrencies
- T-Rex: Mining software for various cryptocurrencies
- TT-Miner: Mining software for various cryptocurrencies
- Ubqminer: Mining software for Ubqhash-based cryptocurrencies
- VersusCoin: Mining software for VersusCoin
- violetminer: Mining software for Argon2-based cryptocurrencies
- webchain-miner: Mining software for MintMe
- WildRig: Mining software for various cryptocurrencies
- XCASH_ALL_Miner: Mining software for XCASH
- xFash: MinerGate mining software
- XLArig: Mining software for CryptoNight-based cryptocurrencies
- XMRig: Mining software for various cryptocurrencies
- Xmr-Stak: Mining software for CryptoNight-based cryptocurrencies
- XMR-Stak TurtleCoin: Mining software for CryptoNight-based cryptocurrencies
- Xtl-Stak: Mining software for CryptoNight-based cryptocurrencies
- Yam Miner: MinerGate mining software
- YCash: Mining software for YCash
- ZCoin: Mining software for ZCoin/Fire
- Zealot/Enemy: Mining software for various cryptocurrencies
- Cryptocurrency miner signal¹
¹ This generic threat name indicates that an unknown cryptocurrency miner may be running in the VM, but VM Threat Detection has no specific information about that miner.
Execution: Cryptocurrency Mining YARA Rule
- YARA_RULE1: Matches mining software for Monero
- YARA_RULE9: Matches mining software that uses the Blake2 and AES ciphers
- YARA_RULE10: Matches mining software that uses the CryptoNight proof of work
- YARA_RULE15: Matches NBMiner mining software
- YARA_RULE17: Matches mining software that uses Scrypt proof-of-work routines
- YARA_RULE18: Matches mining software that uses the Scrypt proof of work
- YARA_RULE19: Matches BFGMiner mining software
- YARA_RULE24: Matches XMR-Stak mining software
- YARA_RULE25: Matches XMRig mining software
- DYNAMIC_YARA_RULE_BFGMINER_2: Matches BFGMiner mining software
What's next
- Learn more about VM Threat Detection.
- Learn how to allow VM Threat Detection to scan VMs inside a VPC Service Controls perimeter.
- Learn how to enable Virtual Machine Threat Detection for AWS.
- Learn how to investigate VM Threat Detection findings.