detecting-cryptomining-in-cloud
This skill teaches security teams how to detect and respond to unauthorized cryptocurrency mining operations in cloud environments. It covers identifying cryptomining indicators through compute usage anomalies, network traffic patterns to mining pools, GuardDuty CryptoCurrency findings, and runtime process monitoring on EC2, ECS, EKS, and Azure Automation workloads.
What this skill does
# Detecting Cryptomining in Cloud
## When to Use
- When cloud billing alerts indicate unexpected compute cost spikes
- When GuardDuty generates CryptoCurrency or Impact finding types
- When investigating compromised IAM credentials that may be used to launch mining instances
- When monitoring container workloads for unauthorized process execution
- When establishing proactive detection controls against resource hijacking attacks
**Do not use** for legitimate cryptocurrency mining operations, for non-cloud mining detection on physical hardware, or for general malware analysis unrelated to mining activity.
## Prerequisites
- Amazon GuardDuty enabled with Runtime Monitoring for EC2, ECS, and EKS
- CloudWatch or Azure Monitor configured for compute utilization alerting
- VPC Flow Logs enabled for network traffic analysis to mining pool IPs
- AWS Cost Anomaly Detection or Azure Cost Management alerts configured
## Workflow
### Step 1: Establish Detection Through Multiple Signals
Deploy detection across four signal categories: cost anomalies, compute utilization, network traffic, and runtime processes.
```bash
# AWS Cost Anomaly Detection
aws ce create-anomaly-monitor \
--anomaly-monitor '{
"MonitorName": "EC2CostSpike",
"MonitorType": "DIMENSIONAL",
"MonitorDimension": "SERVICE"
}'
aws ce create-anomaly-subscription \
--anomaly-subscription '{
"SubscriptionName": "CryptoMiningAlert",
"MonitorArnList": ["arn:aws:ce::123456789012:anomalymonitor/monitor-id"],
"Subscribers": [{"Address": "[email protected]", "Type": "EMAIL"}],
"Threshold": 50.0,
"Frequency": "IMMEDIATE"
}'
# CloudWatch alarm for CPU utilization spike
aws cloudwatch put-metric-alarm \
--alarm-name HighCPUUtilization \
--namespace AWS/EC2 \
--metric-name CPUUtilization \
--statistic Average \
--period 300 \
--threshold 90 \
--comparison-operator GreaterThanThreshold \
--evaluation-periods 3 \
--alarm-actions "arn:aws:sns:us-east-1:123456789012:security-alerts"
```
### Step 2: Monitor GuardDuty CryptoCurrency Findings
Configure alerting for GuardDuty findings specific to cryptocurrency mining activity on EC2, ECS, and EKS workloads.
Key GuardDuty finding types for cryptomining:
- `CryptoCurrency:EC2/BitcoinTool.B` - Network connections to crypto-related domains
- `CryptoCurrency:Runtime/BitcoinTool.B` - Runtime detection of mining process execution
- `Impact:EC2/BitcoinTool.B` - EC2 instance communicating with known Bitcoin mining pools
- `Impact:Runtime/CryptoMinerExecuted` - Crypto mining binary execution detected by runtime agent
```bash
# EventBridge rule for cryptocurrency findings
aws events put-rule \
--name CryptoMiningDetection \
--event-pattern '{
"source": ["aws.guardduty"],
"detail-type": ["GuardDuty Finding"],
"detail": {
"type": [
{"prefix": "CryptoCurrency:"},
{"prefix": "Impact:EC2/BitcoinTool"},
{"prefix": "Impact:Runtime/CryptoMiner"}
]
}
}'
# Auto-remediation Lambda for crypto findings
aws events put-targets \
--rule CryptoMiningDetection \
--targets '[{
"Id": "CryptoAutoRemediate",
"Arn": "arn:aws:lambda:us-east-1:123456789012:function/crypto-remediate"
}]'
```
### Step 3: Analyze Network Traffic for Mining Pool Connections
Monitor VPC Flow Logs and DNS queries for connections to known cryptocurrency mining pools operating on common ports (3333, 4444, 5555, 8333, 9999, 14444).
```kql
// Sentinel KQL query for mining pool connections
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(24h)
| where DestPort_d in (3333, 4444, 5555, 8333, 9999, 14444, 14433, 45700)
| summarize ConnectionCount = count(), BytesSent = sum(BytesSent_d)
by SrcIP_s, DestIP_s, DestPort_d, bin(TimeGenerated, 1h)
| where ConnectionCount > 10
| project TimeGenerated, SrcIP_s, DestIP_s, DestPort_d, ConnectionCount, BytesSent
```
```bash
# AWS Athena query for VPC Flow Logs mining pool detection
cat << 'EOF' > mining-detection.sql
SELECT srcaddr, dstaddr, dstport, protocol,
COUNT(*) as connection_count,
SUM(bytes) as total_bytes
FROM vpc_flow_logs
WHERE dstport IN (3333, 4444, 5555, 8333, 9999, 14444)
AND action = 'ACCEPT'
AND start >= date_add('hour', -24, now())
GROUP BY srcaddr, dstaddr, dstport, protocol
HAVING COUNT(*) > 10
ORDER BY connection_count DESC
EOF
```
### Step 4: Detect Mining in Container Environments
Monitor ECS task definitions and EKS pod deployments for known mining container images and suspicious process execution.
```bash
# Check for recently registered ECS task definitions with suspicious images
aws ecs list-task-definitions --sort DESC --max-items 50 | \
jq -r '.taskDefinitionArns[]' | while read arn; do
aws ecs describe-task-definition --task-definition "$arn" \
--query 'taskDefinition.containerDefinitions[*].[name,image]' --output text
done
# Known malicious mining images to watch for:
# - Images with high pull counts from unknown registries
# - Images containing xmrig, cpuminer, minergate, or ccminer binaries
# - Images with entrypoint pointing to /tmp/.hidden or /dev/shm paths
# Monitor CloudTrail for suspicious ECS/EKS activity
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=RegisterTaskDefinition \
--start-time $(date -d '-24 hours' +%Y-%m-%dT%H:%M:%S) \
--query 'Events[*].[EventName,Username,EventTime]'
```
### Step 5: Respond and Contain Mining Activity
Execute immediate containment actions when mining is confirmed, preserving forensic evidence before terminating the malicious workloads.
```python
# Auto-remediation Lambda for cryptomining incidents
import boto3
import json
def lambda_handler(event, context):
finding = event['detail']
resource_type = finding['resource']['resourceType']
if resource_type == 'Instance':
instance_id = finding['resource']['instanceDetails']['instanceId']
ec2 = boto3.client('ec2')
# Snapshot EBS volumes for forensics before isolation
volumes = ec2.describe_instances(InstanceIds=[instance_id])
for reservation in volumes['Reservations']:
for instance in reservation['Instances']:
for vol in instance['BlockDeviceMappings']:
volume_id = vol['Ebs']['VolumeId']
ec2.create_snapshot(
VolumeId=volume_id,
Description=f'Forensic snapshot - crypto mining - {instance_id}',
TagSpecifications=[{
'ResourceType': 'snapshot',
'Tags': [{'Key': 'Incident', 'Value': 'CryptoMining'},
{'Key': 'SourceInstance', 'Value': instance_id}]
}]
)
# Disable API termination protection if set by attacker
ec2.modify_instance_attribute(
InstanceId=instance_id,
DisableApiTermination={'Value': False}
)
# Isolate instance with empty security group
vpc_id = finding['resource']['instanceDetails']['networkInterfaces'][0]['vpcId']
isolation_sg = ec2.create_security_group(
GroupName=f'crypto-isolation-{instance_id}',
Description='Cryptomining isolation - no traffic allowed',
VpcId=vpc_id
)
# Revoke default egress rule
ec2.revoke_security_group_egress(
GroupId=isolation_sg['GroupId'],
IpPermissions=[{'IpProtocol': '-1', 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]
)
ec2.modify_instance_attribute(
InstanceId=instance_id,
Groups=[isolation_sg['GroupId']]
)
return {'status': 'contained', 'instance': instance_id}
```
### Step 6: Trace Initial Access Vector
Investigate CloudTrail logs to determine how the attacker gained access to deploy mining workloads. Common vectors include compromised IAM credentials, exposed Related in Cloud & DevOps
appbuilder-action-scaffolder
IncludedCreate, implement, deploy, and debug Adobe Runtime actions with consistent layout, validation, and error handling. Use this skill whenever the user needs to add actions to an App Builder project, understand action structure (params, response format, web/raw actions), configure actions in the manifest, use App Builder SDKs (State, Files, Events, database), deploy and invoke actions via CLI, debug action issues, or implement patterns such as webhook receivers, custom event providers, journaling consumers, large payload redirects, action sequence pipelines, and Asset Compute workers. Also trigger when users mention serverless functions in Adobe context, action logging, IMS authentication for actions, or cron-style scheduled actions.
orchestrating-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. Use this skill when the user needs a multi-step Data Cloud pipeline, cross-phase troubleshooting, or data space and data kit management. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase sf data360 workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching phase-specific skill), the task is STDM/session tracing/parquet telemetry (use observing-agentforce), standard CRM SOQL (use querying-soql), or Apex implementation (use generating-apex).
github-project-automation
IncludedAutomate GitHub repository setup with CI/CD workflows, issue templates, Dependabot, and CodeQL security scanning. Includes 12 production-tested workflows and prevents 18 errors: YAML syntax, action pinning, and configuration. Use when: setting up GitHub Actions CI/CD, creating issue/PR templates, enabling Dependabot or CodeQL scanning, deploying to Cloudflare Workers, implementing matrix testing, or troubleshooting YAML indentation, action version pinning, secrets syntax, runner versions, or CodeQL configuration. Keywords: github actions, github workflow, ci/cd, issue templates, pull request templates, dependabot, codeql, security scanning, yaml syntax, github automation, repository setup, workflow templates, github actions matrix, secrets management, branch protection, codeowners, github projects, continuous integration, continuous deployment, workflow syntax error, action version pinning, runner version, github context, yaml indentation error
sf-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase `sf data360` workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching sf-datacloud-* skill), the task is STDM/session tracing/parquet telemetry (use sf-ai-agentforce-observability), standard CRM SOQL (use sf-soql), or Apex implementation (use sf-apex).
fabric-cli
IncludedUse this skill for Fabric.so CLI workflows with the `fabric` terminal command: diagnose/install/login, search or browse a Fabric library, save notes/links/files, create folders, ask the Fabric AI assistant, manage tasks/workspaces, generate shell completion, check subscription usage, produce JSON output, and use Fabric as persistent agent memory. Do not use for Microsoft Fabric/Azure/Power BI `fab`, Daniel Miessler's Fabric framework, Python Fabric SSH, Fabric.js, or textile/fashion fabric.
lark
IncludedLark/Feishu CLI skills: lark-cli operations for docs, markdown, sheets, base, calendar, im, mail, task, okr, drive, wiki, slides, whiteboard, apps, approval, attendance, contact, vc, minutes, event. Use when the user needs to operate Lark/Feishu resources via lark-cli, send messages, manage documents, spreadsheets, calendars, tasks, OKRs, deploy web pages, or any Feishu/Lark workspace operations.