detecting-cryptomining-in-cloud

# Detecting Cryptomining in Cloud ## When to Use - When cloud billing alerts indicate unexpected compute cost spikes - When GuardDuty generates CryptoCurrency or Impact finding types - When investigating compromised IAM credentials that may be used to launch mining instances - When monitoring container workloads for unauthorized process execution - When establishing proactive detection controls against resource hijacking attacks **Do not use** for legitimate cryptocurrency mining operations, for non-cloud mining detection on physical hardware, or for general malware analysis unrelated to mining activity. ## Prerequisites - Amazon GuardDuty enabled with Runtime Monitoring for EC2, ECS, and EKS - CloudWatch or Azure Monitor configured for compute utilization alerting - VPC Flow Logs enabled for network traffic analysis to mining pool IPs - AWS Cost Anomaly Detection or Azure Cost Management alerts configured ## Workflow ### Step 1: Establish Detection Through Multiple Signals Deploy detection across four signal categories: cost anomalies, compute utilization, network traffic, and runtime processes. ```bash # AWS Cost Anomaly Detection aws ce create-anomaly-monitor \ --anomaly-monitor '{ "MonitorName": "EC2CostSpike", "MonitorType": "DIMENSIONAL", "MonitorDimension": "SERVICE" }' aws ce create-anomaly-subscription \ --anomaly-subscription '{ "SubscriptionName": "CryptoMiningAlert", "MonitorArnList": ["arn:aws:ce::123456789012:anomalymonitor/mo...