Crypto miner environment variables observed

What happened

The process {{ @process.comm }} was identified as a crypto miner based on its environment variables.

Goal

Detect when a process launches with environment variables associated with cryptocurrency miners.

Strategy

Some cryptocurrency miners read their configuration from environment variables such as POOL_USER or POOL_URL. The presence of these variables in a process's environment can be used to identify suspicious processes with high confidence.
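
The following is an added example, not the detection rule's own logic: a host-side check that parses the NUL-separated environment block Linux exposes at /proc/<pid>/environ and reports processes that set POOL_USER or POOL_URL. The function names and the sample blobs are constructed for illustration, and matching on exact variable names only is an assumption of this sketch.

```python
from __future__ import annotations
import os

# Names taken from the text above; add others only after verifying them.
MINER_ENV_NAMES = frozenset({"POOL_USER", "POOL_URL"})

def parse_environ(blob: bytes) -> dict[str, str]:
    """Parse a NUL-separated NAME=value block (/proc/<pid>/environ format)."""
    env = {}
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if not sep or not name:
            continue  # trailing empty entry or malformed item
        env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def miner_env_hits(blob: bytes) -> list[str]:
    """Return the miner-associated variable names set in the block, sorted."""
    return sorted(MINER_ENV_NAMES.intersection(parse_environ(blob)))

def scan_proc(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Map PID -> matched names for every readable process under proc_root."""
    findings = {}
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "environ"), "rb") as fh:
                hits = miner_env_hits(fh.read())
        except OSError:
            continue  # process exited or environ is not readable
        if hits:
            findings[int(entry)] = hits
    return findings

# Constructed sample blobs: exact names match; substrings and values do not.
SAMPLE_MINER = b"PATH=/usr/bin\0POOL_URL=stratum+tcp://pool.example.invalid:3333\0POOL_USER=w.1\0"
SAMPLE_BENIGN = b"PATH=/usr/bin\0DB_POOL_URL=postgres://db.internal/app\0NOTE=POOL_USER\0"

if __name__ == "__main__":
    print(miner_env_hits(SAMPLE_MINER))
    print(miner_env_hits(SAMPLE_BENIGN))
    for pid, names in scan_proc().items():
        print(pid, names)
```

Reading another user's /proc/<pid>/environ requires root, so an unprivileged run only covers the caller's own processes.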

Triage and response

  1. Isolate the workload.
  2. Use host metrics to verify if cryptocurrency mining is taking place. This is indicated by an increase in CPU usage.
  3. Review the process tree and related signals to determine the initial entry point.

Requires Agent version 7.27 or later.