Cryptocurrency miner attempted to boost CPU performance

Goal

Detect cryptocurrency miners modifying CPU settings to boost performance.

Strategy

Some cryptocurrency miners use model-specific registers (MSRs) to boost CPU performance, and therefore profit. Legitimate use of this feature is rare.

Triage and response

  1. Review the process tree to determine why MSRs were used. The activity is likely malicious if the parent process is not expected.
  2. Use host metrics to verify whether cryptocurrency mining is taking place. This is indicated by an increase in CPU usage.
  3. Follow your organization’s internal processes for investigating and remediating compromised systems.
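
Step 1 of the triage, sketched in Python as an added example (not the rule's own logic or code from this page). It assumes Linux exec events in which MSR access shows up as `modprobe msr` or the msr-tools `wrmsr` command; the events, the `perf-tuner` service and the `EXPECTED_PARENTS` allowlist are constructed for illustration.

```python
# Constructed exec events (not real telemetry): pid, parent pid, command, argv.
EVENTS = [
    {"pid": 1, "ppid": 0, "comm": "systemd", "args": ["/sbin/init"]},
    {"pid": 800, "ppid": 1, "comm": "perf-tuner", "args": ["perf-tuner"]},
    {"pid": 815, "ppid": 800, "comm": "modprobe", "args": ["modprobe", "msr"]},
    {"pid": 816, "ppid": 800, "comm": "modprobe", "args": ["modprobe", "nf_tables"]},
    {"pid": 2200, "ppid": 1, "comm": "nginx", "args": ["nginx"]},
    {"pid": 2310, "ppid": 2200, "comm": "sh", "args": ["sh", "-c", "./kworkerd"]},
    {"pid": 2311, "ppid": 2310, "comm": "kworkerd", "args": ["./kworkerd"]},
    {"pid": 2312, "ppid": 2311, "comm": "modprobe", "args": ["modprobe", "msr"]},
]
# Hypothetical allowlist: parents that this environment expects to use MSRs.
EXPECTED_PARENTS = {"perf-tuner"}


def touches_msr(event):
    """True when the exec loads the msr kernel module or runs msr-tools' wrmsr."""
    if event["comm"] == "modprobe":
        return "msr" in event["args"][1:]
    return event["comm"] == "wrmsr"


def lineage(pid, by_pid):
    """Command names from the process up to the root of its tree."""
    chain = []
    while pid in by_pid and len(chain) < 64:  # cap guards against pid loops
        chain.append(by_pid[pid]["comm"])
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events, expected_parents):
    """Return (pid, process tree, verdict) for every MSR-related exec."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if not touches_msr(event):
            continue
        chain = lineage(event["pid"], by_pid)
        parent = chain[1] if len(chain) > 1 else None
        verdict = "expected" if parent in expected_parents else "review"
        findings.append((event["pid"], " <- ".join(chain), verdict))
    return findings


if __name__ == "__main__":
    for pid, tree, verdict in triage(EVENTS, EXPECTED_PARENTS):
        print(f"{verdict:8} pid={pid} {tree}")
```

A `review` verdict is the point at which step 2 applies: compare the host's CPU usage before and after the flagged event.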

Requires Agent version 7.35 or later