Cryptocurrency miner attempted to boost CPU performance

Goal

Detect cryptocurrency miners modifying CPU settings to boost performance.

Strategy

Some cryptocurrency miners use model-specific registers (MSRs) to boost CPU performance, and therefore profit. Legitimate use of this feature is rare.

Triage and response

  1. Review the process tree to determine why MSRs were used. The activity is likely malicious if the parent process is not expected.
  2. Use host metrics to verify whether cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.
  3. Follow your organization’s internal processes for investigating and remediating compromised systems.
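
The process-tree review in step 1, as an added example that is not part of the original rule or the vendor's own code: Python that finds MSR-related process events, rebuilds each one's ancestry, and flags those whose parent is not on an allowlist. It assumes a Linux host, where MSR access shows up as loading the msr kernel module or opening /dev/cpu/N/msr; the event fields, process names and allowlist are constructed for illustration.

```python
import re

# Constructed sample events (not real telemetry); the field names are hypothetical.
EVENTS = [
    {"pid": 1, "ppid": 0, "comm": "systemd", "args": "/sbin/init", "opened": []},
    {"pid": 810, "ppid": 1, "comm": "hw-tuning-agent", "args": "hw-tuning-agent", "opened": []},
    {"pid": 2301, "ppid": 810, "comm": "modprobe", "args": "modprobe msr", "opened": []},
    {"pid": 900, "ppid": 1, "comm": "nginx", "args": "nginx: worker", "opened": []},
    {"pid": 4410, "ppid": 900, "comm": "sh", "args": "sh -c ./sample-miner", "opened": []},
    {"pid": 4411, "ppid": 4410, "comm": "sample-miner", "args": "./sample-miner",
     "opened": ["/dev/cpu/0/msr"]},
]
# Hypothetical allowlist: parents your organization expects to touch MSRs.
EXPECTED_PARENTS = {"hw-tuning-agent"}

MSR_DEVICE = re.compile(r"^/dev/cpu/\d+/msr$")       # per-CPU MSR device node
MODPROBE_MSR = re.compile(r"\bmodprobe\b.*\bmsr\b")  # loading the msr kernel module

def touches_msr(event):
    """True if the event loads the msr module or opens an MSR device node."""
    return bool(MODPROBE_MSR.search(event["args"])) or any(
        MSR_DEVICE.match(path) for path in event["opened"])

def ancestry(pid, by_pid):
    """Process names from the given pid up to the root, guarding against loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["comm"])
        pid = by_pid[pid]["ppid"]
    return chain

def triage(events, expected_parents):
    """One finding per MSR-related event, marked suspicious if the parent is unexpected."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if touches_msr(e):
            chain = ancestry(e["pid"], by_pid)
            parent = chain[1] if len(chain) > 1 else None
            findings.append({"pid": e["pid"], "chain": " <- ".join(chain),
                             "suspicious": parent not in expected_parents})
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS, EXPECTED_PARENTS):
        print(finding)
```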

Requires Agent version 7.35 or later
