Detecting Cloud Cryptomining Activity

When to Use

• When investigating unexpected spikes in cloud compute costs or CPU utilization
• When GuardDuty, Defender for Cloud, or SCC reports cryptocurrency-related findings
• When monitoring for compromised credentials being used to launch mining instances
• When building detection rules for unauthorized workload deployment in cloud environments
• When responding to alerts about network connections to known mining pool infrastructure

Do not use for detecting cryptomining on endpoints or on-premises servers (use EDR tools), for investigating the financial impact of mining (use cloud cost management tools), or for blocking mining at the network level (use DNS filtering and firewall rules).

Prerequisites

• AWS GuardDuty enabled across all accounts and regions
• Azure Defender for Cloud with server and container plans enabled
• GCP Security Command Center with Event Threat Detection enabled
• CloudTrail, Azure Activity Log, and GCP Audit Log enabled for API monitoring
• Cloud cost monitoring and alerting configured (AWS Cost Anomaly Detection, Azure Cost Management)