Contain the Mining Workload and Entry Vector

Actions

1. 1

   Capture evidence first: copy the miner binary, config file, cron entries or scheduled task, and any dropped scripts to the evidence store (with hashes and chain-of-custody metadata) before removal.

2. 2

   Kill the mining process(es) and any parent/worker processes; on Linux use `ps -ef` and `pstree` to identify the full tree; on Windows review suspicious svchost or powershell children.

3. 3

   Remove persistence: cron entries, systemd units, `/etc/rc.local` additions, Windows Scheduled Tasks, Windows Services, Registry Run keys.

4. 4

   Block known mining pool domains and stratum ports (3333, 4444, 7777, 14444) at firewall/DNS layer; subscribe to community mining-pool blocklists for broader coverage.

5. 5

   Close the entry vector: patch the exploitable service (Log4j, Confluence, Spring, etc.), restrict exposed management endpoints (Docker socket, Redis, Jenkins, Kubernetes API) to internal networks only, rotate credentials that were re-used or brute-forced.

6. 6

   For containerized workloads: delete the compromised container; rebuild from a clean image with the entry vector patched; add admission policies to prevent privileged or host-network containers that allow escape.

Queries

crontab -l && ls -la /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.weekly /var/spool/cron/

systemctl list-units --type=service --state=running; systemctl list-unit-files --type=service --state=enabled

Get-ScheduledTask | Where-Object {$_.State -eq "Ready" -and $_.Actions.Execute -match "powershell|cmd|wscript|cscript"} | Select TaskName, Actions

Get-ChildItem -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run","HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Recurse -ErrorAction SilentlyContinue

Notes

Where to Go Next

Related Resources