Process arguments match cryptocurrency miner

Classification:

attack

Tactic:

Technique:

Goal

Detect when a process launches with arguments associated with cryptocurrency miners.

Strategy

Cryptocurrency miners are often launched with distinctive command-line arguments, such as --donate-level, that rarely appear in legitimate software. Matching on these arguments identifies suspicious processes with high confidence.
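An added example (not the rule's own query or any vendor code) showing this strategy over constructed process-exec events: --donate-level is the indicator named above; the stratum+tcp:// pool URL scheme is an assumed extra indicator, and the event field names (host, pid, cmdline) are assumptions.

```python
import re
import shlex
from typing import List

# --donate-level comes from the rule description. The stratum+tcp:// / stratum+ssl://
# pool scheme is an added assumption (a common mining-pool transport), not part of the rule.
MINER_ARG_PATTERNS = [
    re.compile(r"^--donate-level(=|$)", re.IGNORECASE),
    re.compile(r"^stratum\+(tcp|ssl)://", re.IGNORECASE),
]


def miner_indicators(cmdline: str) -> List[str]:
    """Return the argument tokens of a command line that match a miner indicator."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        # Unbalanced quotes: fall back to whitespace splitting rather than dropping the event.
        argv = cmdline.split()
    hits = []
    for tok in argv[1:]:  # skip argv[0]; only the arguments are matched
        if any(p.search(tok) for p in MINER_ARG_PATTERNS):
            hits.append(tok)
    return hits


def detect(events: List[dict]) -> List[dict]:
    """Emit one finding per process-exec event whose arguments match an indicator."""
    findings = []
    for ev in events:
        hits = miner_indicators(ev["cmdline"])
        if hits:
            findings.append({"host": ev["host"], "pid": ev["pid"], "matched": hits})
    return findings


# Constructed sample events (not real telemetry); the last one shows why the match is
# anchored to a whole argument rather than a substring.
SAMPLE_EVENTS = [
    {"host": "web-01", "pid": "4121", "cmdline": "/usr/bin/python3 app.py --port 8080"},
    {"host": "web-01", "pid": "4987", "cmdline": "/tmp/.x/kthreadd -o stratum+tcp://pool.example:3333 --donate-level=1 -k"},
    {"host": "db-02", "pid": "777", "cmdline": "./miner --donate-level 0 --threads 8"},
    {"host": "db-02", "pid": "790", "cmdline": "grep -r donate-level /var/log"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```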

Triage and response

  1. Isolate the workload.
  2. Use host metrics to verify whether cryptocurrency mining is taking place; mining typically shows as a sustained increase in CPU usage.
  3. Review the process tree and related signals to determine the initial entry point.

Requires agent version 7.27 or greater