Azure Cryptomining
Detection overview
Triggers
- Creation of powerful compute instances (virtual machines) for potential cryptomining activities.
- High-powered VM instances are being created to enable compute-intensive operations for authorized business activities.
Possible Root Causes
- Cryptomining Attack: An attacker is leveraging compromised credentials to create large-scale VMs to mine cryptocurrency within the Azure environment.
- Legitimate Business Operations: The organization is creating high-powered VMs for valid use cases, such as AI model training, data processing, or large-scale simulations.
Business Impact
- The creation of large and/or expensive VMs can significantly impact the organization's cloud budget, especially if left undetected.
- Unauthorized VMs could lead to increased operational costs, resource exhaustion, and potential security risks.
Steps to Verify
- Investigate the Identity: Check for other signs of malicious activity linked to the user or service principal that created the VMs.
- Validate VM Creation: Confirm whether the deployment of large and/or expensive VMs was intentional and aligns with business needs.
- If Malicious Activity Is Suspected:
- Shut down or delete unauthorized VMs to prevent further resource consumption.
- Revoke credentials associated with the suspicious activity.
- Review access logs and permissions to identify potential privilege escalation or further compromises.
- Monitor cloud billing and usage alerts to detect unusual spikes in resource consumption.
Azure Cryptomining
Possible root causes
Malicious Detection
Benign Detection
Azure Cryptomining
Example scenarios
Azure Cryptomining
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Cryptomining
Steps to investigate
Azure Cryptomining
Related detections
No items found.