Execution: Cryptocurrency Mining Hash Match
Premium and Enterprise service tiers
This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
VM Threat Detection detected cryptocurrency mining activities by matching memory
hashes of running programs against memory hashes of known cryptocurrency mining
software.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
1. Open an Execution: Cryptocurrency Mining Hash Match finding, as directed in Review findings. The details panel for the finding opens to the Summary tab.
2. On the Summary tab, review the information in the following sections:
   - What was detected, especially the following fields:
     - Binary family: the cryptocurrency application that was detected.
     - Program binary: the absolute path of the process.
     - Arguments: the arguments provided when invoking the process binary.
     - Process names: the name of the process running in the VM instance that is associated with the detected signature matches.
     VM Threat Detection can recognize kernel builds from major Linux distributions. If it can recognize the affected VM's kernel build, it can identify the application's process details and populate the processes field of the finding. If VM Threat Detection can't recognize the kernel (for example, if the kernel is custom built), the finding's processes field isn't populated.
   - Affected resource, especially the following fields:
     - Resource full name: the full resource name of the affected VM instance, including the ID of the project that contains it.
3. To see the complete JSON for this finding, in the detail view of the finding, click the JSON tab. The JSON includes the following fields:
   - indicator
     - signatures:
       - memory_hash_signature: a signature corresponding to memory page hashes.
         - detections
           - binary: the name of the cryptocurrency application's binary, for example linux--x86-64_ethminer_0.19.0_alpha.0_cuda10.0.
           - percent_pages_matched: the percentage of pages in memory that match pages in known cryptocurrency applications in the page-hash database.
Step 2: Check logs
1. In the Google Cloud console, go to Logs Explorer (https://console.cloud.google.com/logs/query).
2. On the Google Cloud console toolbar, select the project that contains the VM instance, as specified on the Resource full name row in the Summary tab of the finding details.
3. Check the logs for signs of intrusion on the affected VM instance. For example, check for suspicious or unknown activities and signs of compromised credentials.
Step 3: Review permissions and settings
1. On the Summary tab of the finding details, in the Resource full name field, click the link.
2. Review the details of the VM instance, including the network and access settings.
Step 4: Research attack and response methods
1. Review MITRE ATT&CK framework entries for Execution (https://attack.mitre.org/tactics/TA0002/).
2. To develop a response plan, combine your investigation results with MITRE research.
Step 5: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
To assist with detection and removal, use an endpoint detection and
response solution.
1. Contact the owner of the VM.
2. Confirm whether the application is a mining application:
   - If the detected application's process name and binary path are available, consider the values on the Program binary, Arguments, and Process names rows on the Summary tab of the finding details in your investigation.
   - If the process details aren't available, check whether the binary name from the memory hash signature can provide clues. Consider a binary called linux-x86-64_xmrig_2.14.1. You can use the grep command to search for notable files in storage. Use a meaningful portion of the binary name in your search pattern, in this case xmrig. Examine the search results.
   - Examine the running processes, especially the processes with high CPU usage, to see if there are any that you don't recognize. Determine whether the associated applications are miner applications.
   - Search the files in storage for common strings that mining applications use, such as btc.com, ethminer, xmrig, cpuminer, and randomx. For more examples of strings you can search for, see Software names and YARA rules and the related documentation for each software listed.
3. If you determine that the application is a miner application, and its process is still running, terminate the process. Locate the application's executable binary in the VM's storage, and delete it.
4. If necessary, stop the compromised instance and replace it with a new instance.
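The following Python helper is an added example, not Security Command Center or Google Cloud code. It automates the checks from Step 1 and Step 5: it reads the finding JSON fields described above (indicator.signatures[].memory_hash_signature.detections[] with binary and percent_pages_matched), derives a search term from the signature binary name the way the text does with xmrig, scans a directory for that term and the common mining strings as grep -ril would, and flags high-CPU processes from ps output. The finding JSON, the ps output and the files it scans are constructed samples; the resourceName value, the empty processes list and the directory layout are assumptions.

```python
# Added example (not Security Command Center code): triage a Cryptocurrency
# Mining Hash Match finding with constructed sample data.
import json
import os
import re
import tempfile

# Common strings found in mining software, as listed on the page.
COMMON_MINER_STRINGS = ("btc.com", "ethminer", "xmrig", "cpuminer", "randomx")

# Constructed finding: only indicator.signatures follows the page's field
# description; resourceName and the empty processes list are assumptions.
SAMPLE_FINDING = json.dumps({
    "category": "Execution: Cryptocurrency Mining Hash Match",
    "resourceName": "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/example-vm",
    "indicator": {"signatures": [{"memory_hash_signature": {"detections": [
        {"binary": "linux-x86-64_xmrig_2.14.1", "percent_pages_matched": 87.5}]}}]},
    "processes": [],  # empty when the kernel build is not recognized
})

# Constructed output of `ps -eo pid,pcpu,comm,args` on the affected VM.
SAMPLE_PS_OUTPUT = """\
  PID %CPU COMMAND  COMMAND
    1  0.0 systemd  /sbin/init
  812  0.3 sshd     /usr/sbin/sshd -D
 4471 98.7 kworkerd /tmp/.x/kworkerd -c /tmp/.x/config.json
 4490  1.2 python3  /usr/bin/python3 app.py
"""

# Platform, version and build-tag tokens that are not the software name.
_NOISE_TOKEN = re.compile(r"^(linux|windows|darwin|alpha|beta|rc|cuda|opencl|[0-9])")


def extract_detections(finding_json):
    """Return (binary, percent_pages_matched) pairs from every memory hash signature."""
    finding = json.loads(finding_json)
    return [(d.get("binary", ""), float(d.get("percent_pages_matched", 0)))
            for sig in finding.get("indicator", {}).get("signatures", [])
            for d in sig.get("memory_hash_signature", {}).get("detections", [])]


def search_term_from_binary(binary):
    """Meaningful portion of a signature binary name, e.g. 'xmrig' from
    'linux-x86-64_xmrig_2.14.1', for use as a grep pattern."""
    for token in binary.lower().split("_"):
        if token and not _NOISE_TOKEN.match(token):
            return token
    return binary.lower()


def scan_storage(root, terms):
    """Case-insensitive search of file names and contents under root (like
    `grep -ril`). Returns {path: [matched terms]}."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read().lower()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            found = [t for t in terms if t.lower() in name.lower() or t.lower().encode() in data]
            if found:
                hits[path] = found
    return hits


def high_cpu_processes(ps_output, threshold=50.0):
    """Parse `ps -eo pid,pcpu,comm,args` text; return processes at or above threshold."""
    flagged = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 3)
        if len(fields) == 4 and re.fullmatch(r"[0-9.]+", fields[1]):
            pid, pcpu, comm, args = fields
            if float(pcpu) >= threshold:
                flagged.append({"pid": int(pid), "pcpu": float(pcpu), "comm": comm, "args": args})
    return flagged


def build_demo_storage():
    """Throwaway directory standing in for VM storage, with constructed files."""
    root = tempfile.mkdtemp(prefix="vmtd-demo-")
    os.makedirs(os.path.join(root, "tmp", ".x"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "tmp", ".x", "config.json"), "w") as fh:
        fh.write('{"user-agent": "XMRig/2.14.1", "algo": "rx/0"}\n')
    with open(os.path.join(root, "etc", "hostname"), "w") as fh:
        fh.write("example-vm\n")
    return root


def triage(finding_json, ps_output, storage_root):
    """Combine the finding's signature data with host-side checks into one summary."""
    detections = extract_detections(finding_json)
    terms = sorted({search_term_from_binary(b) for b, _ in detections} | set(COMMON_MINER_STRINGS))
    return {"detections": detections, "search_terms": terms,
            "storage_hits": scan_storage(storage_root, terms),
            "high_cpu": high_cpu_processes(ps_output)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FINDING, SAMPLE_PS_OUTPUT, build_demo_storage()).items():
        print(f"{key}: {value}")
```

On a real VM you would pass the finding JSON exported from the JSON tab, the output of ps -eo pid,pcpu,comm,args, and the mounted root of the instance's disk; a process that is both in high_cpu and whose binary path appears in storage_hits is the candidate to confirm with the owner before terminating it. The search-term derivation is deliberately conservative: it skips platform, version and build-tag tokens so that a name like linux--x86-64_ethminer_0.19.0_alpha.0_cuda10.0 yields ethminer rather than a version string that would match nothing.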
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.
Last updated 2025-09-03 UTC.