Cryptocurrency miner attempted to boost CPU performance


Goal

Detect cryptocurrency miners modifying CPU settings to boost performance.

Strategy

Some cryptocurrency miners use model-specific registers (MSRs) to boost performance, and therefore profit. Legitimate use of this feature is rare.

Triage and response

  1. Review the process tree to determine why MSRs were used. The activity is likely malicious if the parent process is not expected.
  2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.
  3. Follow your organization’s internal processes for investigating and remediating compromised systems.
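
Triage steps 1 and 2 applied to constructed process events, as an added example that is not the detection rule's own logic. It assumes Linux, where MSRs are reached through the msr kernel module and /dev/cpu/<n>/msr; the event fields, process names, expected-parent allowlist and CPU threshold are hypothetical.

```python
from fnmatch import fnmatch

# Assumptions (not from the rule): Linux exposes MSRs through the msr kernel
# module and /dev/cpu/<n>/msr; the allowlist and threshold are hypothetical.
EXPECTED_PARENTS = {"tuned"}
CPU_RISE_POINTS = 40.0

# Constructed sample events: (host, pid, ppid, comm, args, opened file)
EVENTS = [
    ("web-01", 1, 0, "systemd", "", ""),
    ("web-01", 700, 1, "tuned", "", ""),
    ("web-01", 710, 700, "modprobe", "msr", ""),
    ("web-02", 1, 0, "systemd", "", ""),
    ("web-02", 4100, 1, "sshd", "", ""),
    ("web-02", 4120, 4100, "bash", "", ""),
    ("web-02", 4130, 4120, "cpuworker", "", "/dev/cpu/0/msr"),
]
# Constructed host CPU usage (%) before and after each event window
CPU = {"web-01": (12.0, 14.0), "web-02": (15.0, 97.0)}

def touches_msr(comm, args, path):
    """True if the event loads the msr module or opens an MSR device node."""
    return (comm == "modprobe" and "msr" in args.split()) or fnmatch(path, "/dev/cpu/*/msr")

def ancestry(host, pid, index):
    """Return process names from the given pid up to the root of its tree."""
    chain, seen = [], set()
    while (host, pid) in index and pid not in seen:  # seen guards against loops
        seen.add(pid)
        _, _, ppid, comm, _, _ = index[(host, pid)]
        chain.append(comm)
        pid = ppid
    return chain

def triage(events, cpu):
    """Flag MSR activity with its process tree, parent check and CPU check."""
    index = {(e[0], e[1]): e for e in events}
    findings = []
    for host, pid, ppid, comm, args, path in events:
        if not touches_msr(comm, args, path):
            continue
        chain = ancestry(host, pid, index)
        parent = chain[1] if len(chain) > 1 else None
        before, after = cpu[host]
        findings.append({
            "host": host, "process": comm, "tree": " <- ".join(chain),
            "unexpected_parent": parent not in EXPECTED_PARENTS,  # step 1
            "cpu_rise": after - before >= CPU_RISE_POINTS,         # step 2
        })
    return findings
```

Calling `triage(EVENTS, CPU)` returns one finding per MSR event; a finding with both `unexpected_parent` and `cpu_rise` set is the case to hand to step 3.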

Requires Agent version 7.35 or later