Triage | P1 | ~75 min

Detect and Characterize Unauthorized Mining

Confirm the mining activity, identify the specific miner family, and characterize the entry vector. Treat mining as an intrusion indicator -- the miner is usually the tail end of an access sale, not the final objective.

Actions

  1. Validate the alert: sustained high CPU/GPU outside business hours, connections to known mining pools (stratum+tcp:// or stratum+ssl://, commonly ports 3333/4444/14444), and DNS queries for mining-pool domains (xmr.pool.minergate.com, pool.supportxmr.com, many others). No single signal is sufficient on its own; see Notes.

  2. Identify the miner binary: XMRig is the most common; CoinMiner, LemonDuck, PGMiner (PostgreSQL), Sysrv-hello, and H2Miner are also frequent. Record file path, hash, and command-line arguments (pool URL, wallet address, worker name). When the command line is bare, look for an accompanying config file (XMRig's config.json carries the same pool, user, and donate-level fields).

  3. Extract the wallet address from the miner config or command line. Most campaigns mine Monero, whose block explorers cannot show a balance for an address, so estimate earnings from the pool's public per-wallet stats page instead (a rough blast-radius indicator that reflects only that pool's payouts); a block-explorer lookup works only for transparent chains.

  4. Identify the entry vector: exposed Docker daemon socket (2375 plaintext, 2376 TLS), exposed Redis with no authentication, Jenkins allowing unauthenticated job submission, an exploitable web CVE (CVE-2021-44228 Log4Shell, CVE-2022-26134 Confluence, recent Spring/Struts/Oracle CVEs), or SSH with default/stolen credentials. Mining campaigns are opportunistic: whatever was exposed is usually how they got in.

  5. Hunt for other cryptominer families on the same host and for the persistence the miner family commonly installs (cron, systemd unit, Windows scheduled task, Run key).

  6. For cloud: inspect billing anomalies, unexpected autoscaling events, and IAM role usage; miners often run inside compromised Lambda, ECS, AKS, or GKE workloads that spin up and cost money silently.
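As an added worked example (not code from the original runbook or from any of the tools it names), the following Python turns the artefacts that steps 1 to 3 ask for into pivot IoCs: it parses an xmrig-style command line and config.json for pool, wallet and worker, checks whether the wallet field has the shape of a Monero address, and confirms the alert only when the process indicator and a matching outbound connection agree, as the Notes require. The pool-port list, the value-taking flag set and every sample record are constructed assumptions for illustration; the flags and config keys it recognises (-o/--url, -u/--user, -p/--pass, --rig-id, --donate-level, "pools", "donate-level") are the ones XMRig documents.

```python
"""Added example: extract miner pivot IoCs (pool, wallet, worker) from an
xmrig-style command line or config.json and confirm the alert by combining
process and network evidence. Not code from the original runbook; every
sample record below is constructed."""
import json
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pool ports named in the triage steps (assumed starting list; extend from your telemetry).
POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444}
STRATUM_RE = re.compile(r"^(?:stratum\+(?:tcp|ssl)|stratum)://([^:/\s]+)(?::(\d+))?$", re.I)
# Monero: 95 base58 chars starting '4' (standard) or '8' (subaddress), or a
# 106-char integrated address starting '4'. Base58 has no 0, O, I or l.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
XMR_ADDR_RE = re.compile(rf"^(?:[48]{B58}{{94}}|4{B58}{{105}})$")
# xmrig flags that take a value (assumed subset); anything else on the line is skipped.
VALUE_FLAGS = {"-o", "--url", "-u", "--user", "-p", "--pass", "--donate-level", "--rig-id"}


@dataclass
class MinerIoc:
    pool_host: Optional[str] = None
    pool_port: Optional[int] = None
    wallet: Optional[str] = None
    worker: Optional[str] = None
    donate_level: Optional[int] = None
    wallet_looks_monero: bool = False


def _set_pool(ioc: MinerIoc, url: str) -> None:
    m = STRATUM_RE.match(url)
    if m:
        ioc.pool_host = m.group(1).lower()
        ioc.pool_port = int(m.group(2)) if m.group(2) else None
        return
    host, _, port = url.partition(":")          # bare "host:port" form
    ioc.pool_host = host.lower()
    ioc.pool_port = int(port) if port.isdigit() else None


def _set_user(ioc: MinerIoc, user: str) -> None:
    # xmrig convention: "<wallet>.<worker>" or "<wallet>+<difficulty>"; keep the wallet part.
    ioc.wallet = re.split(r"[.+]", user, maxsplit=1)[0]
    ioc.wallet_looks_monero = bool(XMR_ADDR_RE.match(ioc.wallet))
    if "." in user:
        ioc.worker = user.split(".", 1)[1]


def parse_xmrig_cmdline(cmdline: str) -> MinerIoc:
    """Parse pool/user/pass/rig-id/donate-level flags from a process command line."""
    ioc = MinerIoc()
    argv = shlex.split(cmdline)
    i = 1                                        # argv[0] is the binary path
    while i < len(argv):
        key, eq, val = argv[i].partition("=")    # accept --flag=value and --flag value
        i += 1
        if key not in VALUE_FLAGS:
            continue
        if not eq:
            val = argv[i] if i < len(argv) else ""
            i += 1
        if key in ("-o", "--url"):
            _set_pool(ioc, val)
        elif key in ("-u", "--user"):
            _set_user(ioc, val)
        elif key in ("-p", "--pass", "--rig-id") and ioc.worker is None:
            ioc.worker = val
        elif key == "--donate-level" and val.isdigit():
            ioc.donate_level = int(val)
    return ioc


def parse_xmrig_config(text: str) -> List[MinerIoc]:
    """Parse config.json: top-level "donate-level" and a "pools" list of {url,user,pass,rig-id}."""
    cfg = json.loads(text)
    out = []
    for pool in cfg.get("pools", []):
        ioc = MinerIoc(donate_level=cfg.get("donate-level"))
        if pool.get("url"):
            _set_pool(ioc, pool["url"])
        if pool.get("user"):
            _set_user(ioc, pool["user"])
        if ioc.worker is None:
            ioc.worker = pool.get("rig-id") or pool.get("pass")
        out.append(ioc)
    return out


def confirm_mining(cmdline: str, connections: List[Tuple[str, int]]) -> Tuple[bool, List[str]]:
    """Confirm only when the command line names a pool AND an outbound connection reaches
    that host or a known pool port; a CPU spike on its own never confirms (see Notes)."""
    ioc = parse_xmrig_cmdline(cmdline)
    reasons = []
    if ioc.pool_host:
        reasons.append(f"command line names pool {ioc.pool_host}:{ioc.pool_port}")
    if ioc.wallet_looks_monero:
        reasons.append("user field has the shape of a Monero address")
    net_hit = any(host.lower() == ioc.pool_host or port in POOL_PORTS for host, port in connections)
    if net_hit:
        reasons.append("outbound connection to the pool host or a known pool port")
    return bool(ioc.pool_host) and net_hit, reasons


# Constructed sample artefacts (fake wallet: a '4' followed by 94 base58 characters).
SAMPLE_WALLET = "4" + "A" * 94
SAMPLE_CMDLINE = (f"/tmp/.x/xmrig -o stratum+tcp://pool.supportxmr.com:3333 "
                  f"-u {SAMPLE_WALLET}.web01 -p x --donate-level=1 -B")
SAMPLE_CONFIG = json.dumps({"donate-level": 1, "pools": [
    {"url": "pool.supportxmr.com:443", "user": SAMPLE_WALLET + "+50000", "pass": "x", "rig-id": "web02"}]})
```

Feed it the command lines from your EDR process telemetry and the connection list from netflow or DeviceNetworkEvents; the wallet it returns is the pivot to search across every other host and tenant you have visibility into.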

Queries

KQL (Microsoft Defender advanced hunting): known miner binaries and command-line indicators

DeviceProcessEvents
| where FileName in~ ("xmrig","xmrig.exe","kinsing","kdevtmpfsi","sysrv","kthreaddi","kthreaddk")
    or ProcessCommandLine has_any ("stratum+tcp://","stratum+ssl://","--donate-level=","--cpu-priority=","-o pool.")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName

KQL: repeated outbound connections to public hosts on common pool ports (4444 and 5555 are also used by other tooling, so treat hits as leads, not confirmation)

DeviceNetworkEvents
| where RemotePort in (3333, 4444, 5555, 7777, 9999, 14444) and Protocol == "Tcp" and RemoteIPType == "Public"
| summarize cnt=count() by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| where cnt > 10

SPL (Splunk): DNS queries for pool domains over the last 30 days (the "*.pool.*", "*xmr*" and "*monero*" wildcards are deliberately broad and will need tuning)

index=dns (query="*.minergate.com" OR query="*.supportxmr.com" OR query="*.nanopool.org" OR query="*.dwarfpool.com" OR query="*.pool.*" OR query="*xmr*" OR query="*monero*") earliest=-30d
| stats count by query, src_ip

Notes

Mining CPU bursts look like legitimate workloads (video encoding, batch jobs) if you only look at CPU graphs. Confirm with process name, command line, and an outbound stratum connection taken together.

The wallet address in the miner config is the single best pivot IoC. One wallet usually means one campaign, and it can link intrusions that otherwise look unrelated.

Crypto mining is frequently the first visible symptom of a broader compromise; assume additional tooling is present until proven otherwise.
