Sustained execution of resource-intensive processes (e.g., cryptocurrency miners), often launched via scheduled tasks, WMI, or PowerShell. These processes frequently establish persistent external connections and attempt to evade detection using masqueraded or renamed binaries.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Scheduled Job Creation (DC0001) | WinEventLog:Security | EventCode=4698 |

| Field | Description |
|---|---|
| Image | The executable name of the miner or wrapper; can vary across campaigns. |
| DestinationIP | May differ depending on the mining pool or proxy server. |
| ParentProcessName | Useful for filtering known-good automation vs. malicious task runners. |
Unusual long-running processes consuming high CPU cycles (e.g., visible via 'top' or 'ps') initiated via cron, shell scripts, or Docker. Connections to known mining pools, or DNS over HTTPS usage as evasion.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Flow (DC0078) | NSM:Flow | Outbound connection to mining pool port (3333, 4444, 5555) |
| Scheduled Job Creation (DC0001) | linux:cron | Scheduled execution of unknown or unusual script/binary |

| Field | Description |
|---|---|
| CommandLine | The miner's execution path and options may vary by campaign. |
| CPUThreshold | Environment-specific definition of anomalous CPU usage. |
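The correlation the Windows and Linux sections describe, as an added example that is not part of the original page: it joins Sysmon process creation (EventCode 1) with network connections (EventCode 3) by ProcessGuid, flags processes that reach the mining-pool ports listed above, and annotates each hit with the renamed-binary indicator (Image vs. OriginalFileName) and the automation parent. The sample events are constructed, and the `AUTOMATION_PARENTS` list is an assumed placeholder to tune per environment.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Destination ports commonly used by mining pools (taken from the Linux channel above).
MINING_POOL_PORTS = {3333, 4444, 5555}
# Assumed placeholder list of parents that indicate task/WMI/PowerShell launch; tune per environment.
AUTOMATION_PARENTS = {"taskeng.exe", "wmiprvse.exe", "powershell.exe"}

# Constructed sample records shaped like Sysmon EventCode 1 and 3 events; not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "ProcessGuid": "{G1}", "Image": "C:\\ProgramData\\update\\svchost.exe",
     "OriginalFileName": "xmrig.exe", "ParentImage": "C:\\Windows\\System32\\wmiprvse.exe"},
    {"EventCode": 3, "ProcessGuid": "{G1}", "DestinationIp": "203.0.113.10", "DestinationPort": 3333},
    {"EventCode": 3, "ProcessGuid": "{G1}", "DestinationIp": "203.0.113.10", "DestinationPort": 3333},
    {"EventCode": 1, "ProcessGuid": "{G2}", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "OriginalFileName": "firefox.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": 3, "ProcessGuid": "{G2}", "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive comparisons."""
    return PureWindowsPath(path).name.lower()

def detect_resource_hijacking(events):
    """Return {ProcessGuid: [reasons]} for every process that connected to a mining-pool port.
    Masquerading and automation-parent indicators are appended as supporting context."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1}
    pool_hits = defaultdict(set)  # ProcessGuid -> {(ip, port)}; the set dedupes repeated connections
    for e in events:
        if e["EventCode"] == 3 and e["DestinationPort"] in MINING_POOL_PORTS:
            pool_hits[e["ProcessGuid"]].add((e["DestinationIp"], e["DestinationPort"]))
    findings = {}
    for guid, dests in pool_hits.items():
        reasons = [f"connection to pool port {ip}:{port}" for ip, port in sorted(dests)]
        proc = procs.get(guid)
        if proc is None:
            reasons.append("no matching EventCode 1 (process started before logging began?)")
        else:
            image, orig = basename(proc["Image"]), proc.get("OriginalFileName", "").lower()
            if orig and orig != image:  # renamed binary: on-disk name differs from PE name
                reasons.append(f"renamed binary: {image} has OriginalFileName {orig}")
            parent = basename(proc["ParentImage"])
            if parent in AUTOMATION_PARENTS:
                reasons.append(f"launched by automation parent {parent}")
        findings[guid] = reasons
    return findings

if __name__ == "__main__":
    for guid, reasons in detect_resource_hijacking(SAMPLE_EVENTS).items():
        print(guid, *reasons, sep="\n  ")
```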
Persistent or background daemons (e.g., plist or launchd jobs) spawning high-CPU processes like xmrig or cpuminer. Outbound encrypted traffic to IPs/domains commonly used by mining proxies.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | launchd or cron spawning mining binaries |
| Network Traffic Content (DC0085) | macos:unifiedlog | Persistent outbound connections with consistent periodicity |

| Field | Description |
|---|---|
| launchd.plist_label | May be disguised with benign-looking names. |
| DestinationDomain | Varying mining pool or obfuscated destination. |
Ephemeral or unauthorized container instantiation using public images (e.g., from DockerHub) that initiate high CPU usage shortly after startup. Often scheduled via Kubernetes or Docker socket abuse.

| Data Component | Name | Channel |
|---|---|---|
| Container Creation (DC0072) | containerd:events | create |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Flow (DC0078) | NSM:Flow | Outbound traffic to mining pool upon container launch |

| Field | Description |
|---|---|
| ImageSource | May vary depending on where the image is pulled from (registry or custom URL). |
| Namespace | Helps differentiate attacker-created namespaces. |
Unauthorized instance creation in unmonitored or unused regions. Bursts of compute-intensive jobs in spot instances, or a sudden spike in resource usage in legitimate VMs.

| Data Component | Name | Channel |
|---|---|---|
| Instance Start (DC0080) | AWS:CloudTrail | RunInstances |
| Host Status (DC0018) | AWS:CloudWatch | Unusual CPU burst or metric anomalies |

| Field | Description |
|---|---|
| Region | Adversaries may deploy resources in rarely used or misconfigured regions. |
| TagKey | Used to evade detection with benign-looking tags or names. |