Malware: Malicious file on disk (YARA)

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Overview

VM Threat Detection detected a potentially malicious file by scanning a Compute Engine VM's persistent disks for known malware signatures.

How to respond

To respond to this finding, do the following:

Step 1: Review finding details

1. Open the Malware: Malicious file on disk (YARA) finding, as directed in Review findings. The details panel for the finding opens to the Summary tab.

2. On the Summary tab, review the information in the following sections:

   • What was detected, especially the following fields:
     • YARA rule name: the YARA rule that was matched.
     • Files: the partition UUID and the relative path of the potentially malicious file that was detected.
   • Affected resource, especially the following fields:
     • Resource full name: the full resource name of the affected VM instance, including the ID of the project that contains it.

3. To see the complete JSON for this finding, in the detail view of the finding, click the JSON tab.

4. In the JSON, note the following fields:

   • indicator
     • signatures:
       • yaraRuleSignature: a signature corresponding to the YARA rule that was matched.

Step 2: Check logs

To check your logs for a Compute Engine VM instance, follow these steps:

1. In the Google Cloud console, go to Logs Explorer.

   Go to Logs Explorer

2. On the Google Cloud console toolbar, select the project that contains the VM instance, as specified on the Resource full name row in the Summary tab of the finding details.

3. Check the logs for signs of intrusion on the affected VM instance. For example, check for suspicious or unknown activities and signs of compromised credentials.

For information about how to check logs for an Amazon EC2 VM instance, see the Amazon CloudWatch Logs documentation.

Step 3: Review permissions and settings

1. On the Summary tab of the finding details, in the Resource full name field, click the link.
2. Review the details of the VM instance, including the network and access settings.

Step 4: Research attack and response methods

Check the SHA-256 hash value for the binary flagged as malicious on VirusTotal by clicking the link in VirusTotal indicator. VirusTotal is an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.

Step 5: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

1. Contact the owner of the VM.

2. If necessary, locate and delete the potentially malicious file. To get the partition UUID and relative path of the file, refer to the Files field on the Summary tab of the finding details. To assist with detection and removal, use an endpoint detection and response solution.

3. If necessary, stop the compromised instance and replace it with a new instance.

   • Compute Engine VM: See Stop or restart a Compute Engine instance in the Compute Engine documentation.

   • Amazon EC2 VM: See Stop and start Amazon EC2 instances in the AWS documentation.

4. For forensic analysis, consider backing up the virtual machines and persistent disks.

   • Compute Engine VM: See Data protection options in the Compute Engine documentation.
   • Amazon EC2 VM: See Amazon EC2 backup and recovery with snapshots and AMIs in the AWS documentation.

5. For further investigation, consider using incident response services like Mandiant.

What's next

• Learn how to work with threat findings in Security Command Center.
• Refer to the Threat findings index.
• Learn how to review a finding through the Google Cloud console.
• Learn about the services that generate threat findings.