Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)
This document describes a threat finding type in Security Command Center. Threat findings are generated by [threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect a potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).
Overview

VM Threat Detection detected a combination of signals that match a known kernel-mode rootkit in a Compute Engine VM instance.

The `Defense Evasion: Rootkit` finding category is a superset of the following finding categories. Therefore, this section applies to these finding categories as well.

- `Defense Evasion: Unexpected ftrace handler`
- `Defense Evasion: Unexpected interrupt handler`
- `Defense Evasion: Unexpected kernel modules`
- `Defense Evasion: Unexpected kernel read-only data modification`
- `Defense Evasion: Unexpected kprobe handler`
- `Defense Evasion: Unexpected processes in runqueue`
- `Defense Evasion: Unexpected system call handler`
How to respond

To respond to this finding, do the following:

Step 1: Review finding details

1. Open the finding, as directed in [Review findings](/security-command-center/docs/how-to-use-vm-threat-detection#findings-vmtd). The details panel for the finding opens to the **Summary** tab.
2. On the **Summary** tab, review the information in the following sections:
   - **What was detected**, especially the following fields:
     - **Kernel rootkit name**: the family name of the rootkit that was detected—for example, `Diamorphine`.
     - **Unexpected kernel code pages**: whether kernel code pages are present in kernel or module code regions where they aren't expected.
     - **Unexpected system call handler**: whether system call handlers are present in kernel or module code regions where they aren't expected.
   - **Affected resource**, especially the following field:
     - **Resource full name**: the full resource name of the affected VM instance, including the ID of the project that contains it.
3. To see the complete JSON for this finding, in the detail view of the finding, click the **JSON** tab.
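The fields listed in Step 1 are easiest to triage from the **JSON** tab. The following Python script is an added example, not part of Google's documentation or of any Security Command Center client library: it parses a constructed finding document, reports which of the signals from the Overview list fired, and states the rootkit family name when one matched. The field names under `kernelRootkit` are assumed to follow the Security Command Center Finding API and should be checked against the JSON of a real finding; the sample finding is constructed, not a real detection.

```python
"""Triage a Security Command Center kernel rootkit finding from its JSON.
Added example; not Google's code or client library."""
import json

# Signal fields that correspond to the finding categories listed under
# Overview, plus the "Unexpected kernel code pages" field from Step 1.
# ASSUMED: field names follow the Finding API's kernelRootkit message;
# confirm them against the JSON tab of a real finding.
SIGNAL_LABELS = {
    "unexpectedFtraceHandler": "Unexpected ftrace handler",
    "unexpectedInterruptHandler": "Unexpected interrupt handler",
    "unexpectedKernelCodePages": "Unexpected kernel code pages",
    "unexpectedReadOnlyDataModification": "Unexpected kernel read-only data modification",
    "unexpectedKprobeHandler": "Unexpected kprobe handler",
    "unexpectedProcessesInRunqueue": "Unexpected processes in runqueue",
    "unexpectedSystemCallHandler": "Unexpected system call handler",
}

# Constructed sample finding (not a real detection); only the fields read
# below are included.
SAMPLE_FINDING_JSON = """
{
  "category": "Defense Evasion: Rootkit",
  "severity": "CRITICAL",
  "resourceName": "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/example-vm",
  "kernelRootkit": {
    "name": "Diamorphine",
    "unexpectedFtraceHandler": false,
    "unexpectedInterruptHandler": false,
    "unexpectedKernelCodePages": true,
    "unexpectedReadOnlyDataModification": false,
    "unexpectedKprobeHandler": false,
    "unexpectedProcessesInRunqueue": true,
    "unexpectedSystemCallHandler": true
  }
}
"""


def fired_signals(finding: dict) -> list:
    """Labels of the signals set to true, in the order of SIGNAL_LABELS."""
    rootkit = finding.get("kernelRootkit") or {}
    return [label for field, label in SIGNAL_LABELS.items() if rootkit.get(field) is True]


def triage(finding_json: str) -> dict:
    """Reduce the finding to the fields Step 1 asks you to review."""
    finding = json.loads(finding_json)
    rootkit = finding.get("kernelRootkit") or {}
    signals = fired_signals(finding)
    return {
        "category": finding.get("category"),
        "severity": finding.get("severity"),
        "resource_full_name": finding.get("resourceName"),
        "rootkit_name": rootkit.get("name") or None,  # family name, e.g. Diamorphine
        "signals": signals,
        "signal_count": len(signals),
    }


def summary_lines(report: dict) -> list:
    """Human-readable lines for a ticket or an on-call notification."""
    lines = [f"{report['category']} ({report['severity']}) on {report['resource_full_name']}"]
    if report["rootkit_name"]:
        lines.append(f"Kernel rootkit name: {report['rootkit_name']}")
    else:
        lines.append("Kernel rootkit name: none matched; triage on the individual signals")
    lines.extend(f"  - {signal}" for signal in report["signals"])
    return lines


if __name__ == "__main__":
    print("\n".join(summary_lines(triage(SAMPLE_FINDING_JSON))))
```

A finding in one of the sub-categories (for example `Defense Evasion: Unexpected kprobe handler`) carries no family name, so `summary_lines` falls back to listing the individual signals instead of failing.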
Step 2: Check logs

1. In the Google Cloud console, go to **Logs Explorer**.

   [Go to Logs Explorer](https://console.cloud.google.com/logs/query)
2. On the Google Cloud console toolbar, select the project that contains the VM instance, as specified on the **Resource full name** row in the **Summary** tab of the finding details.
3. Check the logs for signs of intrusion on the affected VM instance. For example, check for suspicious or unknown activities and signs of [compromised credentials](/security/compromised-credentials).
Step 3: Review permissions and settings

1. On the **Summary** tab of the finding details, in the **Resource full name** field, click the link.
2. Review the details of the VM instance, including the network and access settings.

Step 4: Inspect the affected VM

Follow the instructions in [Inspect a VM for signs of kernel memory tampering](/security-command-center/docs/investigate-vmtd-kernel-tampering-findings).

Step 5: Research attack and response methods

1. Review MITRE ATT&CK framework entries for [Defense Evasion](https://attack.mitre.org/tactics/TA0005/).
2. To develop a response plan, combine your investigation results with MITRE research.
Step 6: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

1. Contact the owner of the VM.
2. If necessary, [stop the compromised instance](/compute/docs/instances/stop-start-instance) and replace it with a new instance.
3. For forensic analysis, consider backing up the virtual machines and persistent disks. For more information, see [Data protection options](/compute/docs/disks/data-protection) in the Compute Engine documentation.
4. Delete the VM instance.
5. For further investigation, consider using incident response services like [Mandiant](/security/consulting/mandiant-incident-response-services).

What's next

- Learn [how to work with threat findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).
- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).
- Learn how to [review a finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.
- Learn about the [services that generate threat findings](/security-command-center/docs/concepts-security-sources#threats).
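Steps 2 and 6 both start from the **Resource full name** of the affected VM. The following Python script is an added example, not Google's code: it parses that name, builds the Logs Explorer filter for the instance's logs (Step 2), and produces a dry-run plan of `gcloud` commands that snapshots the instance's persistent disks for forensics and then stops the instance (Step 6, items 2 and 3). It assumes the resource name has the form `//compute.googleapis.com/projects/PROJECT/zones/ZONE/instances/INSTANCE`, that the caller supplies the disk names (for example from `gcloud compute instances describe`), and that the `gcloud` CLI is installed when run with `dry_run=False`. The resource name and disk names below are constructed.

```python
"""Logs Explorer filter and dry-run response plan for a VM named in a
Security Command Center finding. Added example; not Google's code."""
import re
import shlex
import subprocess
from datetime import datetime, timezone

# ASSUMED format of the finding's "Resource full name" for a Compute Engine VM.
RESOURCE_RE = re.compile(
    r"^//compute\.googleapis\.com/projects/(?P<project>[^/]+)"
    r"/zones/(?P<zone>[^/]+)/instances/(?P<instance>[^/]+)$"
)

# Constructed values for the demo; not taken from a real finding.
SAMPLE_RESOURCE_NAME = (
    "//compute.googleapis.com/projects/example-project"
    "/zones/us-central1-a/instances/example-vm"
)
SAMPLE_DISKS = ["example-vm", "example-vm-data"]  # e.g. from `gcloud compute instances describe`


def parse_resource_name(name: str) -> dict:
    """Split the resource full name into project, zone and instance."""
    match = RESOURCE_RE.match(name)
    if match is None:
        raise ValueError(f"not a Compute Engine instance resource name: {name!r}")
    return match.groupdict()


def logs_explorer_filter(zone: str, instance_id: str) -> str:
    """Cloud Logging query for Step 2. resource.labels.instance_id holds the
    numeric instance ID, so resolve the instance name to its ID first when
    the resource name carries the name instead."""
    return "\n".join([
        'resource.type="gce_instance"',
        f'resource.labels.zone="{zone}"',
        f'resource.labels.instance_id="{instance_id}"',
    ])


def build_plan(project: str, zone: str, instance: str, disks: list, stamp: str = None) -> list:
    """Return argv lists: snapshot every disk for forensics, then stop the VM.
    Snapshot names must be lowercase, so the timestamp uses digits only."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
    plan = []
    for disk in disks:
        plan.append([
            "gcloud", "compute", "disks", "snapshot", disk,
            "--project", project, "--zone", zone,
            "--snapshot-names", f"forensic-{disk}-{stamp}",
        ])
    plan.append([
        "gcloud", "compute", "instances", "stop", instance,
        "--project", project, "--zone", zone,
    ])
    return plan


def run_plan(plan: list, dry_run: bool = True) -> list:
    """Render the commands; execute them only when dry_run is False."""
    rendered = [shlex.join(cmd) for cmd in plan]
    if not dry_run:
        for cmd in plan:
            subprocess.run(cmd, check=True)  # stop at the first failure
    return rendered


if __name__ == "__main__":
    target = parse_resource_name(SAMPLE_RESOURCE_NAME)
    print("Logs Explorer filter:")
    print(logs_explorer_filter(target["zone"], target["instance"]))
    print("\nDry-run response plan:")
    for line in run_plan(build_plan(target["project"], target["zone"], target["instance"], SAMPLE_DISKS)):
        print("  " + line)
```

The plan orders the snapshots before the `stop` and deliberately ends there: deleting the instance (Step 6, item 4) removes the evidence the snapshots were taken to preserve, so it is left as a separate decision once the snapshots have been confirmed.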
Last updated 2025-09-04 UTC.