Crypto miner environment variables observed

What happened

The process {{ @process.comm }} was identified as a crypto miner based on its environment variables.

Goal

Detect when a process launches with environment variables associated with cryptocurrency miners.

Strategy

Some cryptocurrency miners read configuration from environment variables such as POOL_USER or POOL_URL. The presence of these variables in a newly launched process's environment identifies it as a likely miner with high confidence.
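The following is an added illustration of the detection logic described above, not Datadog's own rule or Agent code. It inspects constructed process-exec events (a command name, pid, ppid and the process environment as NAME=value strings, which is an assumed event shape) and flags processes whose environment contains miner configuration variables. POOL_USER and POOL_URL come from the text; the POOL_ prefix match is a generalization of those two names, and the sample events and command names are constructed.

```python
"""Flag process launches whose environment carries crypto-miner settings.

Added example; the event format, variable list and sample data are assumptions.
"""

# Exact variable names named in the strategy above.
MINER_ENV_NAMES = {"POOL_USER", "POOL_URL"}

# Generalization (assumed): any variable sharing the POOL_ prefix is also
# treated as a miner configuration setting. Tune for your environment.
MINER_ENV_PREFIXES = ("POOL_",)


def env_names(envs):
    """Return the variable names from a list of NAME=value entries.

    Entries without '=' or with an empty name are ignored so a malformed
    environment cannot break the detector.
    """
    names = []
    for entry in envs:
        name, sep, _value = entry.partition("=")
        if sep and name:
            names.append(name)
    return names


def miner_env_hits(envs):
    """Return the sorted set of miner-associated variable names in envs.

    Matching is case-sensitive: Linux environment variable names are, and
    miners set these names in upper case.
    """
    hits = set()
    for name in env_names(envs):
        if name in MINER_ENV_NAMES or name.startswith(MINER_ENV_PREFIXES):
            hits.add(name)
    return sorted(hits)


def detect(events):
    """Run the check over exec events and return one finding per hit."""
    findings = []
    for event in events:
        hits = miner_env_hits(event.get("envs", []))
        if not hits:
            continue
        findings.append({
            "comm": event["comm"],
            "pid": event["pid"],
            "ppid": event.get("ppid"),  # kept for the process-tree review step
            "matched": hits,
        })
    return findings


def format_alert(finding):
    """Render a finding in the same style as the 'What happened' text above."""
    return (
        f"The process {finding['comm']} (pid {finding['pid']}) was identified "
        f"as a crypto miner based on its environment variables: "
        f"{', '.join(finding['matched'])}."
    )


# Constructed sample exec events (not real telemetry).
SAMPLE_EVENTS = [
    {"comm": "minerd-sample", "pid": 4242, "ppid": 1,
     "envs": ["PATH=/usr/bin",
              "POOL_URL=stratum+tcp://pool.example.invalid:3333",
              "POOL_USER=wallet-placeholder"]},
    {"comm": "nginx", "pid": 1001, "ppid": 1,
     "envs": ["PATH=/usr/sbin", "HOME=/var/www"]},
    {"comm": "bash", "pid": 2002, "ppid": 1001,
     "envs": ["POOL_PASS=x", "SHELL=/bin/bash", "MALFORMED_NO_EQUALS"]},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(format_alert(finding))
```

The ppid is carried into each finding because the triage steps below start from the process tree: a miner spawned by a web server worker or a cron job points at a different entry point than one started from an interactive shell.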

Triage and response

  1. Isolate the workload.
  2. Use host metrics to verify whether cryptocurrency mining is taking place; sustained high CPU usage by the process is the main indicator.
  3. Review the process tree and related signals to determine the initial entry point.

Requires Agent version 7.27 or later.