Process arguments match cryptocurrency miner

Classification: attack

Tactic:

Technique:

Goal

Detect when a process launches with arguments associated with cryptocurrency miners.

Strategy

Cryptocurrency miners are often launched with distinctive command-line arguments such as --donate-level. Matching on these arguments identifies suspicious processes with high confidence.
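As an added example (not code from the rule page or the agent), the matching this strategy describes, run over constructed process-exec events: `--donate-level` comes from the rule text, while the stratum pool URL and `--nicehash` patterns are assumptions added here.

```python
import re
import shlex
from dataclasses import dataclass

# Argument patterns characteristic of cryptocurrency miners.
# `--donate-level` is the indicator named in the rule; the other two
# are assumptions added for this example (stratum pool URLs and the
# `--nicehash` option seen on common CPU miners).
MINER_ARG_PATTERNS = [
    re.compile(r"^--donate-level(=|$)"),
    re.compile(r"^stratum\+(tcp|ssl)://", re.IGNORECASE),
    re.compile(r"^--nicehash$"),
]


@dataclass
class ProcessEvent:
    pid: int
    parent: str
    cmdline: str


def miner_indicators(cmdline: str) -> list[str]:
    """Return the argv tokens that match a miner pattern (empty if none).

    Matching is done per token, not on the raw string, so a command that
    merely mentions 'donate-level' (e.g. a grep) does not fire the rule.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = cmdline.split()
    return [tok for tok in argv if any(p.search(tok) for p in MINER_ARG_PATTERNS)]


def evaluate(events: list[ProcessEvent]) -> list[dict]:
    """Run the detection over a batch of exec events and return alerts."""
    alerts = []
    for ev in events:
        hits = miner_indicators(ev.cmdline)
        if hits:
            alerts.append({"pid": ev.pid, "parent": ev.parent, "matched": hits})
    return alerts


# Constructed sample exec events (not real telemetry); host and wallet are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(4120, "bash", "/tmp/.cache/worker -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER --donate-level=1 -k"),
    ProcessEvent(4121, "cron", "/usr/bin/python3 /opt/app/worker.py --level=1"),
    ProcessEvent(4122, "sshd", "grep -r donate-level /var/log"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The rule is high-confidence but narrow: a miner that reads its pool and donation settings from a config file instead of argv will not match, so pair it with the CPU-usage check from the triage steps.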

Triage and response

  1. Isolate the workload.
  2. Use host metrics to verify whether cryptocurrency mining is taking place; it is indicated by an increase in CPU usage.
  3. Review the process tree and related signals to determine the initial entry point.

Requires Agent version 7.27 or later.