Cryptomining attack chain detected

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1496-resource-hijacking

Goal

Detect a complete cryptomining attack chain by correlating multiple indicators of cryptocurrency mining activity within the same execution context.

Strategy

This correlation rule identifies cryptomining operations by detecting combinations of the following activity groups:

  • Miner Execution: Cryptocurrency mining processes identified by their command-line arguments or environment variables (for example, wallet addresses, mining algorithms, pool configurations)
  • Pool Connection: Network connections to known mining pool domains or DNS lookups for mining infrastructure
  • Persistence Setup: Creation or modification of cron jobs and scheduled tasks to maintain mining operations across reboots
  • System Optimization: Modifications to CPU performance settings (MSR writes), cache management, or other system tuning for mining efficiency

The rule triggers at different severity levels based on the combination of detected activities:

CaseSeverityRequired Components
Advanced Cryptomining OperationCriticalMiner + Pool + Persistence + System Optimization
Persistent CryptominingHighMiner + Pool + Persistence
Active CryptominingMediumMiner + Pool

Triage & Response

  1. Terminate mining processes: Identify and stop all cryptocurrency mining processes running on the affected system

  2. Block mining pool communications: Block network access to identified mining pool domains and IP addresses

  3. Isolate affected systems: Quarantine compromised containers or hosts to prevent lateral spread

  4. Remove persistence mechanisms: Check for and remove any cron jobs, scheduled tasks, or startup scripts used to maintain mining operations

  5. Analyze mining configuration: Review process arguments and environment variables for wallet addresses and pool details that may indicate the attacker

  6. Assess resource impact: Calculate CPU, memory, and network usage consumed by mining processes to estimate financial impact

  7. Investigate initial access: Determine how the cryptominer was deployed (for example, vulnerable application, compromised credentials, supply chain attack)

  8. Hunt for additional miners: Search for other systems with similar mining indicators across your environment

  9. Implement preventive controls: Deploy resource monitoring, network egress filtering for mining pools, and runtime protection to prevent future incidents