Process arguments match cryptocurrency miner


Detect when a process launches with arguments associated with cryptocurrency miners.


Monitor systems process and analyze command-line arguments to identify specific patterns or arguments commonly associated with cryptocurrency mining software. Miners are often executed with unique arguments such as --donate-level.

Triage and response

Note: Cryptocurrency mining is often a symptom of a greater issue. It is imperative to determine the initial entry point such as through compromised cloud credentials or an application that is vulnerable to remote code execution (RCE).

  1. Isolate the host or container and roll back to a known secure configuration.
  2. Use host metrics to verify that cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.
  3. Review the process tree, related signals, and related logs to determine the initial entry point.

Requires Agent version 7.28 or later