Cyber Defense Tactics
© 2026 Cyber Defense Tactics. All rights reserved.

A Carbene.AI Project

Category: Threat-Specific
Level: intermediate

Cryptominer Detection and Response

Procedures for detecting and responding to cryptocurrency mining malware on systems.

1-3 hours, 5 steps, 10 checklist items

Summary

Guide for identifying cryptomining activity and removing mining malware from affected systems.

Step-by-Step Procedure

1. Detection Confirmation

Verify cryptomining activity.

Actions

  • Check for high CPU/GPU utilization alerts
  • Look for known mining pool connections
  • Identify suspicious processes with high resource usage
  • Check for common cryptominer file names

2. Scope Assessment

Determine how widespread the infection is.

Actions

  • Search for mining pool domains in proxy logs
  • Scan for the same file hashes across the environment
  • Check for lateral movement indicators
  • Identify the initial access vector

3. Containment

Stop the mining activity.

Actions

  • Block mining pool domains and IPs at the firewall
  • Isolate heavily affected systems
  • Kill mining processes if it is safe to do so

4. Removal

Remove cryptominer malware.

Actions

  • Identify and remove miner binaries
  • Check for and remove persistence mechanisms
  • Verify scheduled tasks and services
  • Clean up any dropped tools

5. Root Cause Analysis

Determine how the miners were deployed.

Actions

  • Identify the initial compromise vector
  • Check for vulnerable applications or services
  • Review recently exploited vulnerabilities
  • Assess patching gaps
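As an added example, not part of the original playbook, the following Python triage script runs the checks from steps 1 and 2 over a constructed process listing and constructed proxy log lines; the pool domains, ports and log format are assumptions standing in for an organisation's own blocklist and proxy format. It separates hosts confirmed by a stratum URI or a pool contact from hosts that only show high CPU, which still need a manual look.

```python
import re
from collections import defaultdict

# Constructed indicators, not a vendor feed: swap in your own pool blocklist.
POOL_DOMAINS = {"pool.example-mining.test", "xmr.example-pool.test"}
POOL_PORTS = {3333, 4444, 5555}
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([\w.-]+):(\d+)", re.I)  # pool URI scheme miners use
PROXY_RE = re.compile(r"host=(\S+) dst=([\w.-]+):(\d+)")  # matches the constructed log format below
CPU_THRESHOLD = 85.0  # sustained percent; tune per fleet

def check_process(host, pid, name, cmdline, cpu_pct):
    """Step 1: return (host, reason, detail) findings for one process row."""
    out = []
    m = STRATUM_RE.search(cmdline)
    if m:  # a pool URI in the command line confirms a miner
        out.append((host, "stratum_uri", f"pid {pid} {name} -> {m[1]}:{m[2]}"))
    if cpu_pct >= CPU_THRESHOLD:  # high CPU on its own is only a lead
        out.append((host, "high_cpu", f"pid {pid} {name} at {cpu_pct:.0f}%"))
    return out

def check_proxy_line(line):
    """Step 2: flag a proxy log line whose destination is a known pool."""
    m = PROXY_RE.search(line)
    if m and (m[2] in POOL_DOMAINS or int(m[3]) in POOL_PORTS):
        return (m[1], "pool_contact", f"{m[2]}:{m[3]}")
    return None

def triage(processes, proxy_lines):
    """Group findings per host; a stratum URI or pool contact confirms the host,
    high CPU alone leaves it a suspect for manual review (the build box below)."""
    per_host = defaultdict(list)
    for row in processes:
        per_host[row[0]].extend(check_process(*row))
    for f in filter(None, map(check_proxy_line, proxy_lines)):
        per_host[f[0]].append(f)
    per_host = {h: fs for h, fs in per_host.items() if fs}
    confirmed = {h for h, fs in per_host.items() if any(r != "high_cpu" for _, r, _ in fs)}
    return per_host, confirmed, set(per_host) - confirmed

# Constructed sample input: a miner on web01, a busy build box, an idle db host.
PROCESSES = [
    ("web01", 4242, "kworkerd", "kworkerd -o stratum+tcp://pool.example-mining.test:3333", 97.0),
    ("build02", 812, "cc1plus", "cc1plus -O2 main.cpp", 91.0),
    ("db03", 100, "postgres", "postgres -D /var/lib/pgsql", 12.0),
]
PROXY_LOG = [
    "2024-03-01T10:00:00Z host=web01 dst=pool.example-mining.test:3333 action=allow",
    "2024-03-01T10:00:05Z host=app04 dst=xmr.example-pool.test:4444 action=deny",
    "2024-03-01T10:00:09Z host=build02 dst=pkg.example.test:443 action=allow",
]
```

Calling `triage(PROCESSES, PROXY_LOG)` on the sample confirms web01 and app04, leaves build02 as a suspect, and reports nothing for db03.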

Completion Checklist

  • Mining activity confirmed
  • Scope of infection determined
  • Mining pools blocked
  • Affected systems identified
  • Miner processes killed
  • Malware removed
  • Persistence removed
  • Root cause identified
  • Patches applied if needed
  • Incident documented

Evidence to Collect

  • Process list showing miners
  • Network logs to mining pools
  • Malware samples
  • CPU/GPU utilization data
  • Initial access indicators
