Cryptocurrency miner attempted to boost CPU performance

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect cryptocurrency miners modifying CPU settings to boost performance.

Strategy

Some cryptocurrency miners use model-specific registers to boost performance, and therefore profit. Legitimate use of this feature is rare.

Triage and response

  1. Review the process tree to determine why MSRs were used. The activity is likely malicious if the parent process is not expected.
  2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.
  3. Follow your organization’s internal processes for investigating and remediating compromised systems.

Requires Agent version 7.35 or later

PREVIEWING: rtrieu/product-analytics-ui-changes