Analyze Mining Persistence and Secondary Tooling

Actions

1. 1

   Enumerate all new binaries created during the suspected compromise window: `find / -type f -newer <baseline-timestamp>` with filtering, AmCache entries, Prefetch entries, EDR file-event queries.

2. 2

   Check for common co-installed tooling: masscan/zmap scanners, SSH propagation scripts, Mimikatz or equivalent credential dumpers, webshells in web-server roots, reverse-shell scripts in /tmp or /dev/shm.

3. 3

   Inspect the wallet/pool configuration for worker-name patterns -- attackers often encode compromised-host identifiers (hostname, IP) into the worker name, which can reveal other compromised hosts in the same campaign.

4. 4

   Check outbound traffic during the compromise window for non-mining patterns: data exfiltration, command-and-control beaconing, SSH reverse tunnels, DNS anomalies.

5. 5

   For cloud environments: check IAM role usage and API activity during the compromise window; miners in cloud often piggyback on long-lived credentials to explore and expand.

Queries

DeviceFileEvents | where Timestamp > ago(30d) | where FolderPath has_any ("/tmp/","/dev/shm/","/var/tmp/","C:\\Users\\Public\\","C:\\ProgramData\\") and ActionType == "FileCreated" | project Timestamp, DeviceName, FolderPath, FileName, SHA256

DeviceProcessEvents | where Timestamp > ago(30d) | where ProcessCommandLine has_any ("nmap","masscan","zmap","hydra","medusa","patator","sshpass","mimikatz","psexec","evil-winrm") | project Timestamp, DeviceName, ProcessCommandLine

AWSCloudTrail | where eventTime > ago(30d) | where userIdentity.sessionContext.sessionIssuer.type == "Role" and sourceIPAddress has_any (<miner-ips>) | summarize count() by eventName, userIdentity.arn

Notes

Where to Go Next

Related Resources