Cryptocurrency miner attempted to boost CPU performance
Goal
Detect cryptocurrency miners modifying CPU settings to boost performance.
Strategy
Some cryptocurrency miners use model-specific registers (MSRs) to boost performance, and therefore profit. Legitimate use of this feature is rare.
Triage and response
- Review the process tree to determine why MSRs were used. The activity is likely malicious if the parent process is not expected.
- Use host metrics to verify whether cryptocurrency mining is taking place. This is indicated by an increase in CPU usage.
- Follow your organization’s internal processes for investigating and remediating compromised systems.
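For the process-tree review in the first step, the following added example (not part of the original rule or the Agent) lists processes that currently hold an MSR device open and prints each one's parent chain. It assumes a Linux host where the `msr` driver exposes `/dev/cpu/<n>/msr`, and root privileges to read other processes' file descriptors; a process that has already closed the device will not appear.

```python
import os
import re

# Device nodes created by the Linux msr driver (assumption: Linux host).
MSR_DEV = re.compile(r"^/dev/cpu/\d+/msr$")

def read_stat(proc_root, pid):
    """Return (comm, ppid) from <proc_root>/<pid>/stat, or None if the process is gone."""
    try:
        with open(os.path.join(proc_root, str(pid), "stat")) as f:
            data = f.read()
    except OSError:
        return None
    # comm is wrapped in parentheses and may itself contain spaces or ')'.
    comm = data[data.index("(") + 1:data.rindex(")")]
    ppid = int(data[data.rindex(")") + 2:].split()[1])
    return comm, ppid

def msr_holders(proc_root="/proc"):
    """Return the sorted PIDs that have a /dev/cpu/<n>/msr device open right now."""
    holders = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or not enough privileges to inspect it
            continue
        if any(MSR_DEV.match(t) for t in targets):
            holders.append(int(entry))
    return sorted(holders)

def ancestry(pid, proc_root="/proc"):
    """Return the chain [(pid, comm), ...] from pid up to its oldest reachable ancestor."""
    chain, seen = [], set()
    while pid > 0 and pid not in seen:
        seen.add(pid)
        stat = read_stat(proc_root, pid)
        if stat is None:
            break
        chain.append((pid, stat[0]))
        pid = stat[1]
    return chain

if __name__ == "__main__":
    for holder in msr_holders():
        print(" <- ".join(f"{comm}({p})" for p, comm in ancestry(holder)))
```

An unexpected parent in the printed chain (for example a web server or a cron job spawning the holder) is the signal the first triage step asks about.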
Requires Agent version 7.35 or later