Cryptojacking & Resource Abuse Response Playbook¶

Metadata¶

RACI — Roles & Responsibilities¶

R = Responsible, A = Accountable, C = Consulted, I = Informed

Trigger Conditions¶

Activate this playbook on any of the following:

• [ ] Cloud billing alert: unexpected compute cost spike (>20% above baseline or >$500 unplanned)
• [ ] CPU/GPU utilization sustained above 90% on hosts with no corresponding business workload
• [ ] EDR alert: known cryptominer process detected (xmrig, ccminer, t-rex, nbminer, phoenixminer)
• [ ] Network alert: outbound connections to known mining pool domains or Stratum protocol (port 3333, 4444, 8333, 14433)
• [ ] Cloud security alert: new IAM keys created from unusual source, unauthorized instance launches
• [ ] Container runtime alert: unexpected privileged container, Docker socket mount, or suspicious image pull
• [ ] Kubernetes alert: unauthorized DaemonSet, resource limit modifications, or pods with no resource constraints
• [ ] Process monitoring: high-CPU processes with obfuscated names or running from /tmp, /dev/shm, or user writable paths
• [ ] AWS CloudTrail / Azure Activity Log / GCP Audit Log: RunInstances, CreateVM, or equivalent from unfamiliar principal

Decision Tree¶

flowchart TD
    A([Cryptojacking Trigger Detected]) --> B{Where is the\nmining activity?}
    B -- On-Premises --> C{Is it an\nendpoint or server?}
    B -- Cloud IaaS --> D{Are unauthorized\ninstances running?}
    B -- Container/K8s --> E{Is the miner in a\ncontainer image or\nruntime injected?}

    C -- Endpoint --> F[EDR isolate host\nKill miner process\nForensic triage]
    C -- Server --> G[Isolate from network\nCapture memory dump\nKill miner process]

    D -- Yes --> H[IMMEDIATE: Terminate\nunauthorized instances\nRevoke IAM keys]
    D -- No --> I[Identify compromised\nworkload — isolate\nand investigate]

    E -- "In Image" --> J[Remove image from\nregistry — redeploy\nclean image]
    E -- "Runtime Injected" --> K[Kill pod — investigate\nnode compromise\nCheck for breakout]

    F --> L{Credential\ncompromise?}
    G --> L
    H --> L
    I --> L
    J --> L
    K --> L

    L -- Yes --> M[Full credential rotation\nReview access logs\nScope blast radius]
    L -- No --> N[Patch entry vector\nHarden configuration]
    M --> O[Cost impact assessment\nBilling dispute if applicable]
    N --> O
    O --> P([Post-Incident Review\n& Lessons Learned])

Known IOC Patterns¶

Mining Pool Domains (Synthetic)¶

Suspicious Process Names & Paths¶

Command-Line Patterns¶

# Common miner command-line indicators
--donate-level 0          # XMRig donation level override
--coin monero             # Explicit coin selection
-o stratum+tcp://         # Mining pool connection
--threads=$(nproc)        # Use all available CPU cores
-a randomx                # RandomX algorithm (Monero)
--no-color --background   # Run headless

Phase 1 — Detection & Triage (0–1 Hour)¶

1.1 Detection Queries¶

// Detect known cryptominer process names
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any ("xmrig", "ccminer", "t-rex", "nbminer", "phoenixminer",
                           "xmr-stak", "kworkerds", "kdevtmpfsi")
    or ProcessCommandLine has_any ("stratum+tcp", "stratum+ssl", "--coin",
                                    "--donate-level", "randomx", "-o pool.")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName,
          InitiatingProcessFileName
| order by Timestamp desc

// Detect sustained high CPU from non-business processes
DevicePerformanceEvents
| where Timestamp > ago(4h)
| where CounterName == "% Processor Time" and CounterValue > 90
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(4h)
    | where InitiatingProcessFileName !in ("sqlservr.exe", "java.exe", "w3wp.exe",
                                             "svchost.exe")
) on DeviceName
| summarize AvgCPU = avg(CounterValue) by DeviceName, FileName
| where AvgCPU > 85
| order by AvgCPU desc

// Detect outbound connections to mining pool ports
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (3333, 4444, 8332, 8333, 14433, 14444)
| where ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl,
          InitiatingProcessFileName
| order by Timestamp desc

// Detect known cryptominer process names and command-line args
index=edr sourcetype=process_creation
| where match(process_name, "(?i)(xmrig|ccminer|t-rex|nbminer|phoenixminer|xmr-stak|kworkerds|kdevtmpfsi)")
    OR match(process_command_line, "(?i)(stratum\+tcp|stratum\+ssl|--coin|--donate-level|randomx|-o pool\.)")
| table _time, host, process_name, process_command_line, user, parent_process_name
| sort - _time

// Detect sustained high CPU usage anomalies
index=perfmon sourcetype=Perfmon:Processor
| stats avg(Value) AS avg_cpu by host, instance
| where avg_cpu > 90
| join host [
    search index=edr sourcetype=process_creation earliest=-4h
    | where process_name NOT IN ("sqlservr.exe", "java.exe", "w3wp.exe", "svchost.exe")
    | stats count by host, process_name
    | sort - count
]
| table host, instance, avg_cpu, process_name, count
| sort - avg_cpu

// Detect outbound connections to common mining pool ports
index=firewall sourcetype=pan:traffic action=allowed dest_port IN (3333, 4444, 8332, 8333, 14433, 14444)
| stats count by src_ip, dest_ip, dest_port, app
| sort - count

1.2 Cloud-Specific Detection¶

# Check for unauthorized EC2 instances (especially GPU instances)
aws ec2 describe-instances \
  --filters "Name=instance-type,Values=p3.*,p4d.*,g4dn.*,g5.*" \
  --query 'Reservations[].Instances[].{ID:InstanceId,Type:InstanceType,State:State.Name,Launch:LaunchTime,KeyName:KeyName}' \
  --output table

# Check for recently created IAM access keys
aws iam list-users --query 'Users[].UserName' --output text | \
  xargs -I {} aws iam list-access-keys --user-name {} \
  --query "AccessKeyMetadata[?CreateDate>='$(date -u -d '7 days ago' +%Y-%m-%d)']" \
  --output table

# Check CloudTrail for RunInstances from unusual sources
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances \
  --start-time $(date -u -d '48 hours ago' +%Y-%m-%dT%H:%M:%SZ) \
  --query 'Events[].{Time:EventTime,User:Username,Source:EventSource}' \
  --output table

# Check for recently created VMs (especially GPU SKUs)
az vm list --query "[?timeCreated>='$(date -u -d '7 days ago' +%Y-%m-%d)'].{Name:name,RG:resourceGroup,Size:hardwareProfile.vmSize,Created:timeCreated}" \
  --output table

# Check for unusual service principal activity
az monitor activity-log list \
  --start-time $(date -u -d '48 hours ago' +%Y-%m-%dT%H:%M:%SZ) \
  --filter "operationName eq 'Microsoft.Compute/virtualMachines/write'" \
  --query "[].{Time:eventTimestamp,Caller:caller,Status:status.value}" \
  --output table

# List recently created instances (especially GPU-attached)
gcloud compute instances list \
  --filter="creationTimestamp>=$(date -u -d '7 days ago' +%Y-%m-%d)" \
  --format="table(name,zone,machineType,status,creationTimestamp)"

# Check for GPU-accelerated instances
gcloud compute instances list \
  --filter="guestAccelerators.acceleratorCount>0" \
  --format="table(name,zone,machineType,guestAccelerators)"

# Audit IAM key creation events
gcloud logging read \
  'protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"' \
  --freshness=7d --format=json

Phase 2 — Containment (1–4 Hours)¶

2.1 On-Premises Containment¶

• [ ] EDR-isolate all hosts running confirmed cryptominer processes
• [ ] Kill identified miner processes and remove binaries
• [ ] Block outbound connections to identified mining pool IPs/domains at firewall and proxy
• [ ] Capture memory dump before killing processes for forensic analysis

# Kill known miner processes (Linux)
for proc in xmrig ccminer t-rex kworkerds kdevtmpfsi; do
  pkill -9 -f "$proc" 2>/dev/null && echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] Killed: $proc"
done

# Remove miner binaries from common staging directories
find /tmp /var/tmp /dev/shm /run -type f \( -name "xmrig*" -o -name "ccminer*" -o -name "config.json" \) \
  -exec sha256sum {} \; -exec rm -f {} \; 2>/dev/null

# Kill known miner processes (Windows)
$miners = @("xmrig", "ccminer", "t-rex", "nbminer", "phoenixminer")
foreach ($miner in $miners) {
    $procs = Get-Process -Name $miner -ErrorAction SilentlyContinue
    if ($procs) {
        $procs | Stop-Process -Force
        Write-Host "[$(Get-Date -Format u)] Killed: $miner (PID: $($procs.Id -join ', '))"
    }
}

2.2 Cloud Resource Containment¶

# AWS — Terminate unauthorized instances
aws ec2 terminate-instances --instance-ids i-0a1b2c3d4e5f67890 i-0f9e8d7c6b5a43210

# AWS — Revoke compromised IAM access keys
aws iam update-access-key --user-name compromised-user --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive
aws iam delete-access-key --user-name compromised-user --access-key-id AKIAIOSFODNN7EXAMPLE

# AWS — Apply deny-all SCP to compromised account (AWS Organizations)
aws organizations attach-policy --policy-id p-quarantine123 --target-id 123456789012

2.3 Container & Kubernetes Containment¶

# Identify containers with high CPU usage
docker stats --no-stream --format "table {{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.PIDs}}" | \
  sort -k2 -t'%' -rn | head -20

# Check for Docker socket exposure (critical misconfiguration)
docker ps --format '{{.Names}}\t{{.Mounts}}' | grep -i "docker.sock"

# Check for privileged containers
docker ps -q | xargs docker inspect --format '{{.Name}} Privileged:{{.HostConfig.Privileged}}' | \
  grep "Privileged:true"

# Kill and remove compromised containers
docker kill cryptominer-container && docker rm cryptominer-container

# Remove malicious images from local registry
docker rmi malicious-image:latest --force

# Find pods with abnormal CPU usage across all namespaces
kubectl top pods --all-namespaces --sort-by=cpu | head -20

# Detect unauthorized DaemonSets (miners often deploy as DaemonSets for node-wide coverage)
kubectl get daemonsets --all-namespaces -o wide | grep -v kube-system

# Check for pods without resource limits (easy target for miners)
kubectl get pods --all-namespaces -o json | \
  jq -r '.items[] | select(.spec.containers[].resources.limits == null) |
  "\(.metadata.namespace)/\(.metadata.name)"'

# Check for pods running as privileged
kubectl get pods --all-namespaces -o json | \
  jq -r '.items[] | select(.spec.containers[].securityContext.privileged == true) |
  "\(.metadata.namespace)/\(.metadata.name)"'

# Delete unauthorized DaemonSet
kubectl delete daemonset crypto-miner-ds -n compromised-namespace

# Cordon and drain affected nodes
kubectl cordon affected-node-01
kubectl drain affected-node-01 --ignore-daemonsets --delete-emptydir-data

2.4 Network Containment¶

• [ ] Block outbound to known mining pool ports at perimeter firewall: 3333, 4444, 8332, 8333, 14433, 14444
• [ ] Block Stratum protocol signatures at IDS/IPS
• [ ] Add identified mining pool domains to DNS sinkhole
• [ ] Review proxy logs for connections to mining pool domains in the past 30 days

Phase 3 — Eradication (4–24 Hours)¶

3.1 Root Cause Analysis¶

Determine the entry vector — cryptojacking commonly enters through:

3.2 Credential Rotation¶

• [ ] Rotate all IAM access keys for affected accounts
• [ ] Rotate all service account passwords/keys on affected hosts
• [ ] Revoke all active sessions (cloud console and API)
• [ ] Review and remove unauthorized SSH keys from ~/.ssh/authorized_keys
• [ ] Rotate Kubernetes service account tokens in affected namespaces
• [ ] Review and rotate any secrets stored in environment variables on compromised systems

3.3 Persistence Hunting¶

• [ ] Check crontabs for all users: for user in $(cut -f1 -d: /etc/passwd); do crontab -l -u $user 2>/dev/null; done
• [ ] Check systemd services for unauthorized units: systemctl list-units --type=service --state=running
• [ ] Check for modified system binaries: rpm -Va or debsums -c
• [ ] Review Kubernetes admission webhooks for malicious mutations
• [ ] Check for Lambda/Cloud Functions created during the incident window
• [ ] Review container registry for images pushed during the incident window
• [ ] Scan all running container images with Trivy or Grype

3.4 Hardening Actions¶

• [ ] Enable and enforce pod security standards (restricted) in Kubernetes
• [ ] Remove Docker socket mounts from all non-essential containers
• [ ] Implement resource quotas and limit ranges in all Kubernetes namespaces
• [ ] Enable cloud billing alerts at multiple thresholds ($100, $500, $1000, $5000)
• [ ] Deploy admission controller (OPA Gatekeeper / Kyverno) to block privileged containers
• [ ] Restrict IAM permissions to least privilege — remove ec2:RunInstances from non-admin roles

Phase 4 — Recovery (12–24 Hours)¶

4.1 System Restoration¶

• [ ] Reimage or rebuild compromised hosts from known-good baselines
• [ ] Redeploy containers from verified clean images (rebuild, do not reuse compromised images)
• [ ] Restore Kubernetes workloads from version-controlled manifests (GitOps)
• [ ] Verify all security agents (EDR, cloud security posture management) are running on restored systems
• [ ] Confirm mining pool domains/IPs remain blocked at network perimeter

4.2 Cost Impact Assessment Template¶

4.3 Cloud Provider Billing Dispute Process¶

1. Open AWS Support case: Billing → "Unexpected charges"
2. Provide: Account ID, affected services, incident timeline, CloudTrail evidence
3. Reference: AWS Customer Agreement Section 7.2 (unauthorized use)
4. Request: Credit for unauthorized compute charges
5. SLA: AWS typically responds within 24h for billing disputes
6. Escalation: AWS TAM (if Enterprise Support) or Account Manager

1. Open Azure Support request: Billing → "Unexpected charges"
2. Provide: Subscription ID, resource group, incident timeline, Activity Log evidence
3. Reference: Microsoft Online Services Terms
4. Request: Credit for unauthorized compute charges
5. SLA: Microsoft typically responds within 24-48h
6. Escalation: Microsoft Account Manager or CSAM

1. Open GCP Support case: Billing → "Unexpected charges"
2. Provide: Project ID, billing account, incident timeline, Audit Log evidence
3. Reference: Google Cloud Terms of Service
4. Request: Credit for unauthorized compute charges
5. SLA: Google typically responds within 24h (Premium Support)
6. Escalation: Google Cloud Account Manager

Phase 5 — Lessons Learned (Within 2 Weeks)¶

5.1 Metrics to Capture¶

5.2 Prevention Controls Checklist¶

• [ ] Cloud billing alerts configured at multiple thresholds
• [ ] Cloud security posture management (CSPM) tool deployed and alerting
• [ ] Container image scanning in CI/CD pipeline (block images with known miners)
• [ ] Kubernetes admission controllers enforcing pod security standards
• [ ] Resource quotas and limit ranges applied to all namespaces
• [ ] Docker socket access restricted (never mount to application containers)
• [ ] IAM least privilege enforced — no broad *:* policies
• [ ] SSH key management: centralized, rotated, and audited
• [ ] EDR deployed on all compute instances (including cloud VMs)
• [ ] Network egress filtering: block connections to known mining pools and Stratum ports
• [ ] Regular vulnerability scanning of all container images in registries
• [ ] MFA enforced on all cloud console and API access
• [ ] Service control policies (SCPs) restricting GPU instance types to approved accounts only

Runbook Checklist¶

Detection & Triage¶

• [ ] Cryptojacking trigger confirmed and IR bridge opened
• [ ] Severity assigned (P2 default — escalate to P1 if billing >$10K or credential compromise)
• [ ] Affected scope identified: on-prem, cloud, container, or hybrid
• [ ] Mining process/container identified and documented
• [ ] Entry vector initial assessment completed

Containment¶

• [ ] Miner processes killed on all affected hosts
• [ ] Unauthorized cloud instances terminated
• [ ] Compromised containers killed and removed
• [ ] IAM keys/credentials for compromised accounts revoked
• [ ] Mining pool IPs/domains blocked at firewall, proxy, and DNS
• [ ] Kubernetes DaemonSets/pods deleted, nodes cordoned

Eradication¶

• [ ] Root cause and entry vector identified
• [ ] All credentials rotated on affected systems
• [ ] Persistence mechanisms removed (crons, services, webhooks)
• [ ] Container images scanned and malicious images removed from registry
• [ ] Security hardening applied (pod security, resource limits, IAM)

Recovery¶

• [ ] Compromised systems reimaged or rebuilt from clean baselines
• [ ] Containers redeployed from verified clean images
• [ ] Security agents confirmed running on all restored systems
• [ ] Cost impact assessment completed
• [ ] Billing dispute filed with cloud provider (if applicable)

Lessons Learned¶

• [ ] Metrics captured (TTD, TTC, financial impact)
• [ ] Post-incident review conducted within 2 weeks
• [ ] Prevention controls checklist reviewed and gaps addressed
• [ ] Detection rules updated based on observed IOCs and TTPs
• [ ] Playbook updated with findings

Nexus SecOps Benchmark Control Mapping¶