Crypto miner process observed

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1496-resource-hijacking

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

What happened

The process {{ @process.comm }} was identified as a crypto miner. Cryptocurrency mining monopolizes CPU usage, slowing legitimate services.

Goal

Detect when a process launches with arguments associated with cryptocurrency miners.

Strategy

Monitor systems process and analyze command-line arguments to identify specific patterns or arguments commonly associated with cryptocurrency mining software. Miners are often executed with unique arguments such as --donate-level.

Triage and response

Note: Cryptocurrency mining is often a symptom of a greater issue. It is imperative to determine the initial entry point such as through compromised cloud credentials or an application that is vulnerable to remote code execution (RCE).

  1. Use host metrics to verify that cryptocurrency mining is taking place. This is indicated by an increase in CPU usage.
  2. Review the process tree, related signals, and related logs to determine the initial entry point.
  3. Remediate the affected resources and secure the initial entry point. This may involve patching vulnerabilities or rotating credentials.

Changelog

  • 26 September 2024 - Updated rule name and description

Requires Agent version 7.28 or later