Persistent high CPU utilization combined with suspicious command-line execution (e.g., mining tools or obfuscated scripts) and outbound connections to mining/proxy networks.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Host Status (DC0018) | Windows:perfmon | High sustained CPU usage by a single process |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| TimeWindow | Duration threshold for sustained CPU activity (e.g., >15 minutes) |
| DestinationIPList | Known mining pool IPs or proxy service endpoints |
| ExecutableNamePatterns | Regex list of suspicious or known mining tools |

Abnormal CPU/memory usage by unauthorized processes with outbound connections to known mining pools or using cron jobs/scripts to maintain persistence.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Host Status (DC0018) | linux:procfs | Sustained high /proc/[pid]/stat usage |
| Network Traffic Flow (DC0078) | NSM:Flow | Outbound traffic to mining pools or proxies |

| Field | Description |
|---|---|
| ProcessPath | Location of resource-heavy binaries (e.g., /tmp/.xmr) |
| CPUThreshold | Acceptable baseline for CPU overuse |
| KnownMiningDomains | List of domains/IPs for known cryptomining services |

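
Worked example for the Linux analytic above, added here as illustration rather than taken from the analytic itself: it parses `/proc/[pid]/stat` snapshots (auditd `execve` supplies the executable path, flow data the destination), converts the `utime + stime` tick deltas into per-interval CPU percentages, requires the overuse to persist for the full time window, and then alerts only when the path or the destination is also suspicious, so a legitimate CPU-heavy job does not fire. The `CLK_TCK` value, the thresholds, the `/tmp` path pattern, the TEST-NET address and every sample line are constructed assumptions, not values from the page.

```python
import re

# Constructed values standing in for the analytic's mutable fields (assumptions, not page values).
CLK_TCK = 100                  # kernel clock ticks per second; confirm with `getconf CLK_TCK` on the host
CPU_THRESHOLD_PCT = 80.0       # CPUThreshold: percent of one core, per sampling interval
TIME_WINDOW_S = 120            # overuse must persist at least this long before alerting
SUSPICIOUS_PATH = re.compile(r"^/(tmp|dev/shm|var/tmp)/")   # ProcessPath: world-writable staging dirs
KNOWN_MINING_IPS = {"198.51.100.7"}                         # KnownMiningDomains: TEST-NET placeholder


def parse_proc_stat(line):
    """Return (pid, comm, utime + stime) in clock ticks from one /proc/[pid]/stat line.

    comm sits inside parentheses and may itself contain spaces or ')', so the
    split is done on the LAST ')' rather than purely on whitespace.
    """
    lpar, rpar = line.index("("), line.rindex(")")
    pid = int(line[:lpar])
    comm = line[lpar + 1:rpar]
    rest = line[rpar + 1:].split()                # rest[0] is the state field (field 3 of the file)
    utime, stime = int(rest[11]), int(rest[12])   # fields 14 and 15 of the file
    return pid, comm, utime + stime


def interval_cpu_pct(ticks_before, ticks_after, elapsed_s):
    """CPU time consumed between two samples, as a percentage of one core."""
    return 100.0 * (ticks_after - ticks_before) / CLK_TCK / elapsed_s


def sustained_cpu(samples):
    """samples: list of (epoch_seconds, [stat lines]) in time order.

    Returns {pid: lowest interval percentage} for processes that stayed at or above
    CPU_THRESHOLD_PCT in every interval across a span of at least TIME_WINDOW_S.
    A pid missing from any sample is skipped (the process exited or restarted).
    """
    parsed = []
    for t, lines in samples:
        totals = {}
        for line in lines:
            pid, _comm, total = parse_proc_stat(line)
            totals[pid] = total
        parsed.append((t, totals))
    if len(parsed) < 2 or parsed[-1][0] - parsed[0][0] < TIME_WINDOW_S:
        return {}
    hot = {}
    for pid in parsed[0][1]:
        pcts = []
        for (t0, a), (t1, b) in zip(parsed, parsed[1:]):
            if pid not in a or pid not in b:
                break
            pcts.append(interval_cpu_pct(a[pid], b[pid], t1 - t0))
        else:
            if min(pcts) >= CPU_THRESHOLD_PCT:
                hot[pid] = min(pcts)
    return hot


def detect(samples, execve_paths, flows):
    """execve_paths: {pid: exe path} from auditd SYSCALL execve records;
    flows: [(pid, dst_ip)] from NSM flow data attributed to a process.
    High CPU alone is not enough: the path or the destination must also be suspicious."""
    dests = {}
    for pid, ip in flows:
        dests.setdefault(pid, set()).add(ip)
    alerts = []
    for pid, pct in sustained_cpu(samples).items():
        exe = execve_paths.get(pid, "")
        mining_dst = dests.get(pid, set()) & KNOWN_MINING_IPS
        if SUSPICIOUS_PATH.match(exe) or mining_dst:
            alerts.append({"pid": pid, "exe": exe, "cpu_pct": round(pct, 1), "dst": sorted(mining_dst)})
    return alerts


def _stat_line(pid, comm, utime, stime):
    """Constructed /proc/[pid]/stat line with realistic field positions (values are made up)."""
    return f"{pid} ({comm}) R 1 {pid} {pid} 0 -1 4194560 200 0 0 0 {utime} {stime} 0 0 20 0 8 0 500 1048576 300"


T0 = 1_700_000_000
SAMPLES = [   # three snapshots 60 s apart; two pids gain 5900 ticks per minute (~98 % of a core)
    (T0,       [_stat_line(4242, ".xmr", 118000, 2000), _stat_line(812, "sshd", 50, 30), _stat_line(7100, "ffmpeg", 900, 100)]),
    (T0 + 60,  [_stat_line(4242, ".xmr", 123700, 2200), _stat_line(812, "sshd", 52, 31), _stat_line(7100, "ffmpeg", 6600, 300)]),
    (T0 + 120, [_stat_line(4242, ".xmr", 129400, 2400), _stat_line(812, "sshd", 54, 32), _stat_line(7100, "ffmpeg", 12300, 500)]),
]
EXECVE_PATHS = {4242: "/tmp/.xmr", 812: "/usr/sbin/sshd", 7100: "/usr/bin/ffmpeg"}
FLOWS = [(4242, "198.51.100.7"), (812, "203.0.113.9"), (7100, "203.0.113.20")]

if __name__ == "__main__":
    for alert in detect(SAMPLES, EXECVE_PATHS, FLOWS):
        print(alert)
```

Run as-is it reports only pid 4242: the `ffmpeg` process burns the same CPU but lives in `/usr/bin` and talks to an unlisted address, which is exactly the false positive the path and destination conditions are there to suppress. On a real host the snapshots would come from reading `/proc/*/stat` on a timer, and `CLK_TCK` from the host rather than a constant.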
Background launch agents/daemons with high CPU use and network access to external mining services.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | launchctl activity and process creation |
| Network Traffic Content (DC0085) | macos:unifiedlog | Persistent outbound traffic to mining domains |

| Field | Description |
|---|---|
| launchdLabel | Suspicious or unknown launch agents |
| TrafficVolumeThreshold | Outbound bandwidth usage thresholds |

Sudden spikes in cloud VM CPU usage with outbound traffic to mining pools and unauthorized instance creation.

| Data Component | Name | Channel |
|---|---|---|
| Instance Start (DC0080) | AWS:CloudTrail | RunInstances |
| Host Status (DC0018) | CloudWatch:Metrics | Sustained EC2 CPU usage above normal baseline |
| Network Traffic Flow (DC0078) | AWS:VPCFlowLogs | Outbound flow logs to known mining pools |

| Field | Description |
|---|---|
| CPUUtilizationThreshold | CloudWatch alarm trigger for sustained CPU |
| UnusualRegionList | Instances launched in unexpected regions |

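
Worked example for the IaaS analytic above, added here as illustration and not part of the analytic itself. It combines the three data components: `RunInstances` CloudTrail records are checked against an allowed-region set (the inverse of `UnusualRegionList`), `CPUUtilization` datapoints are evaluated with the same M-of-N rule a CloudWatch alarm uses, and default-format VPC flow log records are matched against a pool/proxy address list; an instance is reported when at least two signals agree, so a large but legitimate batch job in a normal region stays quiet. The region set, thresholds, the ENI-to-instance map, the account id (AWS's documentation example), the TEST-NET address and all records are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed values for the analytic's mutable fields (assumptions, not page values).
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}   # complement of UnusualRegionList
CPU_UTILIZATION_THRESHOLD = 90.0                # CPUUtilizationThreshold, percent
EVALUATION_PERIODS = 6                          # newest N datapoints considered (5-minute periods)
DATAPOINTS_TO_ALARM = 6                         # M of those N must breach, as in a CloudWatch alarm
KNOWN_MINING_POOL_IPS = {"198.51.100.7"}        # TEST-NET placeholder for a pool/proxy list
VPC_FLOW_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                   "protocol packets bytes start end action log-status").split()


def unusual_launches(records):
    """[(instanceId, region, caller arn)] for RunInstances calls outside EXPECTED_REGIONS.
    Instance ids are read from responseElements, so failed calls (no response) are skipped."""
    found = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        if rec["awsRegion"] in EXPECTED_REGIONS:
            continue
        items = (rec.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
        for item in items:
            found.append((item["instanceId"], rec["awsRegion"], rec["userIdentity"]["arn"]))
    return found


def cpu_in_alarm(datapoints):
    """datapoints: CloudWatch-style dicts with Timestamp and Average for CPUUtilization.
    Same rule as an alarm with EvaluationPeriods=N and DatapointsToAlarm=M; too few points -> no alarm."""
    recent = sorted(datapoints, key=lambda d: d["Timestamp"])[-EVALUATION_PERIODS:]
    if len(recent) < EVALUATION_PERIODS:
        return False
    breaches = sum(1 for d in recent if d["Average"] > CPU_UTILIZATION_THRESHOLD)
    return breaches >= DATAPOINTS_TO_ALARM


def parse_vpc_flow(line):
    """Parse one default-format (version 2) VPC flow log record into a dict."""
    return dict(zip(VPC_FLOW_FIELDS, line.split()))


def detect(records, metrics, flow_lines, eni_to_instance):
    """metrics: {instanceId: [datapoints]}; eni_to_instance: {eni id: instanceId}, assumed to come
    from the network-interface inventory. Two of the three signals must agree before alerting."""
    launches = {iid: (region, arn) for iid, region, arn in unusual_launches(records)}
    egress = {}
    for line in flow_lines:
        f = parse_vpc_flow(line)
        if f["action"] == "ACCEPT" and f["dstaddr"] in KNOWN_MINING_POOL_IPS:
            iid = eni_to_instance.get(f["interface-id"])
            if iid:
                egress.setdefault(iid, set()).add(f["dstaddr"])
    alerts = []
    for iid in sorted(set(launches) | set(egress) | set(metrics)):
        signals = {"unusual_region": iid in launches,
                   "sustained_cpu": cpu_in_alarm(metrics.get(iid, [])),
                   "mining_egress": iid in egress}
        if sum(signals.values()) >= 2:
            region, arn = launches.get(iid, (None, None))
            alerts.append({"instanceId": iid, "region": region, "launchedBy": arn, **signals})
    return alerts


def _run_instances(region, iid, arn):   # constructed CloudTrail record using the real field layout
    return {"eventVersion": "1.08", "eventTime": "2024-03-01T09:55:00Z", "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances", "awsRegion": region, "userIdentity": {"type": "IAMUser", "arn": arn},
            "responseElements": {"instancesSet": {"items": [{"instanceId": iid}]}}}


def _points(values):   # one constructed datapoint per 5-minute period, newest last
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    return [{"Timestamp": t0 + timedelta(minutes=5 * i), "Average": v, "Unit": "Percent"} for i, v in enumerate(values)]


ARN = "arn:aws:iam::123456789012:user/ci-deploy"   # 123456789012 is the AWS documentation example account
RECORDS = [_run_instances("ap-southeast-2", "i-0c0ffee1234567890", ARN),   # unexpected region
           _run_instances("us-east-1", "i-0abcdef1234567890", ARN),        # expected region
           _run_instances("sa-east-1", "i-0fedcba0987654321", ARN)]        # unexpected region, but idle
METRICS = {"i-0c0ffee1234567890": _points([97, 98, 99, 97, 98, 99]),
           "i-0abcdef1234567890": _points([95, 96, 94, 97, 95, 96]),       # legitimate batch job
           "i-0fedcba0987654321": _points([12, 9])}
FLOW_LINES = [  # constructed default-format records: version account eni src dst sport dport proto pkts bytes start end action status
    "2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.23 198.51.100.7 51324 3333 6 4200 512000 1709287200 1709287800 ACCEPT OK",
    "2 123456789012 eni-0b2c3d4e5f6071829 10.0.2.40 203.0.113.9 44010 443 6 300 51000 1709287200 1709287800 ACCEPT OK",
]
ENI_TO_INSTANCE = {"eni-0a1b2c3d4e5f60718": "i-0c0ffee1234567890", "eni-0b2c3d4e5f6071829": "i-0abcdef1234567890"}

if __name__ == "__main__":
    for alert in detect(RECORDS, METRICS, FLOW_LINES, ENI_TO_INSTANCE):
        print(alert)
```

Only the instance launched in `ap-southeast-2` is reported: it carries all three signals. The batch job in `us-east-1` has sustained CPU but nothing else, and the `sa-east-1` instance has an unusual region but too few datapoints to evaluate, so neither reaches the two-signal bar. In production the records would come from CloudTrail and `GetMetricStatistics` rather than the inline constants.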
High CPU usage by unauthorized containers running mining binaries or public proxy tools.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | containerd:events | New container with suspicious image name or high resource usage |
| Host Status (DC0018) | prometheus:metrics | Container CPU/Memory usage exceeding threshold |
| Network Traffic Flow (DC0078) | container:cni | Outbound network traffic to mining proxies |

| Field | Description |
|---|---|
| ImageName | Suspicious or unknown container image used |
| CPUQuotaThreshold | Container-level resource limits |

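
The Windows, macOS and container analytics above share one shape: a process-start record (Sysmon EventCode 1 `Image`/`CommandLine`, a launchd label from the unified log, or a containerd image name), a stream of CPU samples, and outbound connections (Sysmon EventCode 3 `DestinationIp`, CNI flow data). This added example, which is not code from any of these sources, implements that correlation once over normalized records: `ExecutableNamePatterns` (or `ImageName`/`launchdLabel`) is a regex list, `DestinationIPList` a set, and `TimeWindow` the length of the most recent unbroken run of high CPU samples. Sustained CPU is required, plus either a pattern hit or a listed destination, so a rendering job and a brief encoded-PowerShell launch both stay quiet. Thresholds, patterns, the TEST-NET addresses, the `.invalid` hostnames and all sample records are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed values for the analytics' mutable fields (assumptions, not page values).
TIME_WINDOW = timedelta(minutes=15)      # TimeWindow: CPU must stay high for at least this long
CPU_HIGH_PCT = 85.0                      # per-sample threshold (perfmon / unifiedlog / prometheus)
DESTINATION_IP_LIST = {"203.0.113.50", "198.51.100.7"}   # DestinationIPList: TEST-NET placeholders
EXECUTABLE_NAME_PATTERNS = [             # ExecutableNamePatterns / ImageName / launchdLabel regexes
    re.compile(r"(?i)xmrig|minerd|cpuminer"),
    re.compile(r"(?i)stratum\+tcp://|--donate-level"),
    re.compile(r"(?i)powershell(\.exe)?\b.*-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}"),
]


def sustained_high_cpu(samples, subject_id):
    """samples: [(datetime, subject_id, pct)]. True when the most recent unbroken run of
    samples at or above CPU_HIGH_PCT spans at least TIME_WINDOW."""
    run_start = run_end = None
    for t, _sid, pct in sorted(s for s in samples if s[1] == subject_id):
        if pct >= CPU_HIGH_PCT:
            if run_start is None:
                run_start = t
            run_end = t
        else:
            run_start = run_end = None          # a low sample breaks the run
    return run_start is not None and run_end - run_start >= TIME_WINDOW


def correlate(process_events, network_events, cpu_samples):
    """process_events: dicts with id, source, name and optional cmdline (normalized from
    Sysmon EventCode 1, the unified log's launchd activity, or containerd events).
    network_events: (id, destination ip) pairs from Sysmon EventCode 3 or CNI flow data.
    A subject alerts only when CPU is sustained AND (a name pattern hit OR a listed destination)."""
    dests = defaultdict(set)
    for subject_id, ip in network_events:
        dests[subject_id].add(ip)
    alerts = []
    for e in process_events:
        text = f'{e["name"]} {e.get("cmdline", "")}'
        pattern_hit = any(p.search(text) for p in EXECUTABLE_NAME_PATTERNS)
        mining_dst = dests[e["id"]] & DESTINATION_IP_LIST
        if sustained_high_cpu(cpu_samples, e["id"]) and (pattern_hit or mining_dst):
            alerts.append({"id": e["id"], "source": e["source"], "name": e["name"],
                           "pattern": pattern_hit, "dst": sorted(mining_dst)})
    return alerts


def _t(hhmm):   # constructed timestamps on a single day
    return datetime.fromisoformat(f"2024-03-01T{hhmm}:00")


PROCESS_EVENTS = [   # constructed records; names and labels are invented, not real indicators
    {"id": "win:5120", "source": "Sysmon:1", "name": r"C:\Users\Public\svchost.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.invalid:3333 --donate-level 1"},
    {"id": "win:7788", "source": "Sysmon:1", "name": r"C:\Program Files\Blender\blender.exe",
     "cmdline": "blender.exe -b scene.blend -a"},
    {"id": "win:9001", "source": "Sysmon:1", "name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + "QQBh" * 20},
    {"id": "mac:com.example.updatehelper", "source": "unifiedlog", "name": "com.example.updatehelper"},
    {"id": "ctr:9f1e", "source": "containerd", "name": "registry.invalid/xmrig:latest"},
]
NETWORK_EVENTS = [("win:5120", "198.51.100.7"), ("win:7788", "203.0.113.9"),
                  ("mac:com.example.updatehelper", "203.0.113.50"), ("ctr:9f1e", "198.51.100.7")]
CPU_SAMPLES = (
    [(_t(f"10:{m:02d}"), "win:5120", 97.0) for m in range(0, 25, 5)]                     # 20 min at 97 %
    + [(_t(f"10:{m:02d}"), "win:7788", 99.0) for m in range(0, 25, 5)]                   # render job, 20 min
    + [(_t("10:05"), "win:9001", 92.0)]                                                  # a single sample
    + [(_t(f"10:{m:02d}"), "mac:com.example.updatehelper", 90.0) for m in range(0, 25, 5)]
    + [(_t(f"10:{m:02d}"), "ctr:9f1e", 88.0) for m in range(0, 25, 5)]
)

if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, NETWORK_EVENTS, CPU_SAMPLES):
        print(alert)
```

Three of the five subjects alert: the Windows process (pattern and destination), the launch agent (destination only, which is what `launchdLabel` review plus `TrafficVolumeThreshold` is for when the label itself looks bland) and the container (image name and destination). Blender has the same CPU profile with neither secondary signal, and the encoded PowerShell launch matches a pattern but never reaches `TimeWindow`, so both are left for other analytics to judge.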
Abuse of cloud messaging platforms to send mass spam or consume quota-based resources.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | m365:unified | SendMessage |
| Application Log Content (DC0038) | saas:application | High-volume API calls or traffic via messaging or webhook service |

| Field | Description |
|---|---|
| MessageRateThreshold | Max allowable outbound message rate per user/account |
| APIKeyList | Known authorized API clients for messaging usage |
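
Worked example for the SaaS messaging analytic above, added here as illustration rather than taken from the analytic. It walks audit records in time order, keeps a sliding window of `SendMessage` timestamps per account to enforce `MessageRateThreshold`, and flags sends made through a client not in `APIKeyList`; each distinct (type, user, client) finding is raised once rather than once per message. The field names (`time`, `user`, `operation`, `client_id`), the client ids, the thresholds and all records are constructed assumptions; map the fields from the platform's own audit schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed values for the analytic's mutable fields (assumptions, not page values).
MESSAGE_RATE_THRESHOLD = 50                      # MessageRateThreshold: max sends per account per window
RATE_WINDOW = timedelta(minutes=5)
API_KEY_LIST = {"app-crm-sync", "app-helpdesk"}  # APIKeyList: client ids allowed to send on users' behalf


def detect(events):
    """events: audit records with time, user, operation and client_id (constructed field names).
    Returns one alert per distinct (type, user, client) finding, in the order they first occur."""
    recent = defaultdict(deque)      # per-user send timestamps inside the sliding window
    seen = set()
    alerts = []

    def raise_once(kind, user, client, **extra):
        key = (kind, user, client)
        if key not in seen:
            seen.add(key)
            alerts.append({"type": kind, "user": user, "client_id": client, **extra})

    for e in sorted(events, key=lambda e: e["time"]):
        if e["operation"] != "SendMessage":
            continue
        if e["client_id"] not in API_KEY_LIST:
            raise_once("unauthorized_client", e["user"], e["client_id"], first_seen=e["time"])
        q = recent[e["user"]]
        q.append(e["time"])
        while q and e["time"] - q[0] > RATE_WINDOW:    # drop sends that fell out of the window
            q.popleft()
        if len(q) > MESSAGE_RATE_THRESHOLD:
            raise_once("rate_exceeded", e["user"], e["client_id"], count=len(q), at=e["time"])
    return alerts


def _burst(user, client, start, n, every):   # constructed: n sends spaced `every` apart
    return [{"time": start + every * i, "user": user, "operation": "SendMessage", "client_id": client}
            for i in range(n)]


T0 = datetime(2024, 3, 1, 9, 0)
EVENTS = (
    _burst("alice@example.com", "app-helpdesk", T0, 40, timedelta(seconds=15))      # 40 over 10 min: normal
    + _burst("bob@example.com", "unknown-webhook-7", T0, 120, timedelta(seconds=2))  # 120 in 4 min, unknown client
    + [{"time": T0, "user": "carol@example.com", "operation": "ListMessages",
        "client_id": "unknown-webhook-7"}]                                           # not a send: ignored
)

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Bob produces two findings: the unauthorized client on his first send, and the rate breach on the 51st send about 100 seconds in. Alice never has more than 21 sends inside any five-minute window, and Carol's read-only call through the same unknown client is not a `SendMessage`, so neither is reported. Raising each finding once keeps a 120-message burst from becoming 120 alerts; a production version would typically re-arm after the window empties.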