---
title: Cryptomining attack chain detected
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Cryptomining attack chain detected
---

# Cryptomining attack chain detected
Classification:attackTactic:[TA0040-impact](https://attack.mitre.org/tactics/TA0040)Technique:[T1496-resource-hijacking](https://attack.mitre.org/techniques/T1496) 
## Goal{% #goal %}

Detect a complete cryptomining attack chain by correlating multiple indicators of cryptocurrency mining activity within the same execution context.

## Strategy{% #strategy %}

This correlation rule identifies cryptomining operations by detecting combinations of the following activity groups:

- **Miner Execution**: Cryptocurrency mining processes identified by their command-line arguments or environment variables (for example, wallet addresses, mining algorithms, pool configurations)
- **Pool Connection**: Network connections to known mining pool domains or DNS lookups for mining infrastructure
- **Persistence Setup**: Creation or modification of cron jobs and scheduled tasks to maintain mining operations across reboots
- **System Optimization**: Modifications to CPU performance settings (MSR writes), cache management, or other system tuning for mining efficiency

The rule triggers at different severity levels based on the combination of detected activities:

| Case                            | Severity | Required Components                              |
| ------------------------------- | -------- | ------------------------------------------------ |
| Advanced Cryptomining Operation | Critical | Miner + Pool + Persistence + System Optimization |
| Persistent Cryptomining         | High     | Miner + Pool + Persistence                       |
| Active Cryptomining             | Medium   | Miner + Pool                                     |

## Triage & Response{% #triage--response %}

1. **Terminate mining processes**: Identify and stop all cryptocurrency mining processes running on the affected system

1. **Block mining pool communications**: Block network access to identified mining pool domains and IP addresses

1. **Isolate affected systems**: Quarantine compromised containers or hosts to prevent lateral spread

1. **Remove persistence mechanisms**: Check for and remove any cron jobs, scheduled tasks, or startup scripts used to maintain mining operations

1. **Analyze mining configuration**: Review process arguments and environment variables for wallet addresses and pool details that may indicate the attacker

1. **Assess resource impact**: Calculate CPU, memory, and network usage consumed by mining processes to estimate financial impact

1. **Investigate initial access**: Determine how the cryptominer was deployed (for example, vulnerable application, compromised credentials, supply chain attack)

1. **Hunt for additional miners**: Search for other systems with similar mining indicators across your environment

1. **Implement preventive controls**: Deploy resource monitoring, network egress filtering for mining pools, and runtime protection to prevent future incidents