Detecting Illegitimate Crypto Miners on Linux Endpoints with Wazuh#

Introduction#

Cryptocurrency mining has become a profitable activity that attracts both legitimate miners and cybercriminals. Threat actors compromise unsuspecting users’ endpoints to mine cryptocurrency using their computational resources, often organizing these compromised systems into botnets controlled by Command and Control (CnC) servers.

The monetary incentive of crypto mining motivates attackers to continuously evolve their techniques. Common Linux-based crypto mining botnets include PyCryptoMiner, Panchan, Lemon Duck, Sysrv, and HolesWarm. These threats can significantly impact system performance, increase electricity costs, and serve as a gateway for additional malicious activities.

Wazuh provides comprehensive capabilities to detect crypto mining activities through:

🔍 Initial Access Detection: Monitor SSH brute force and exploitation attempts
📁 File Integrity Monitoring: Track modifications to critical files
💻 Resource Monitoring: Detect abnormal CPU and memory usage
🌐 Network Analysis: Identify connections to mining pools
🛡️ Automated Response: Block malicious activities in real-time

Understanding Crypto Miner Behavior#

Typical Attack Flow#

1
flowchart TB
2
    subgraph "Initial Access"
3
        A1[SSH Brute Force]
4
        A2[Vulnerability Exploit]
5
        A3[Stolen Credentials]
6
    end
7

8
    subgraph "Persistence"
9
        P1[Modify SSH Keys]
10
        P2[Create Cron Jobs]
11
        P3[Install Services]
12
        P4[Modify Startup]
13
    end
14

15
    subgraph "Execution"
16
        E1[Download Miner]
17
        E2[Execute in Memory]
18
        E3[Hide Process]
19
        E4[Mine Cryptocurrency]
20
    end
21

22
    subgraph "Propagation"
23
        PR1[Scan Network]
24
        PR2[Exploit Others]
25
        PR3[Spread Laterally]
26
    end
27

28
    A1 --> P1
29
    A2 --> P1
30
    A3 --> P1
31
    P1 --> P2
32
    P2 --> E1
33
    E1 --> E2
34
    E2 --> E3
35
    E3 --> E4
36
    E4 --> PR1
37
    PR1 --> PR2
38
    PR2 --> PR3
39

40
    style A1 fill:#ff6b6b
41
    style E4 fill:#ffd43b
42
    style PR3 fill:#ff6b6b

Common Indicators of Compromise#

Initial Access:
- Multiple SSH authentication failures
- Exploitation of known vulnerabilities
- Use of default or weak credentials
Persistence Mechanisms:
- Unauthorized SSH key additions
- Suspicious cron job creation
- Modified system startup scripts
Execution Patterns:
- High CPU usage (often 90%+)
- Memory-resident processes
- Obfuscated process names
Network Behavior:
- Connections to known mining pools
- Outbound SSH scanning
- Communication with CnC servers

Implementation Guide#

Prerequisites#

Wazuh Server: Version 4.3.7+ with all components
Linux Endpoints: Ubuntu/CentOS with Wazuh agents
Network: Suricata for deep packet inspection (optional)

Detection Strategy 1: Initial Access Monitoring#

SSH Brute Force Detection#

Wazuh includes built-in rules for SSH authentication monitoring:

1
<!-- Rules 5551-5553: SSH authentication failures -->
2
<rule id="5551" level="10" frequency="6" timeframe="360">
3
  <if_matched_sid>5550</if_matched_sid>
4
  <same_source_ip />
5
  <description>Multiple SSH authentication failures</description>
6
  <mitre>
7
    <id>T1110</id>
8
  </mitre>
9
</rule>

Monitor the dashboard for:

Rule 5551: Multiple authentication failures
Rule 5715: SSH brute force attack

Outbound SSH Scanning Detection#

1
<group name="crypto_miner_detection,">
2
  <rule id="100001" level="10" frequency="20" timeframe="60">
3
    <if_sid>5402</if_sid>
4
    <match>ssh</match>
5
    <different_dst_ip />
6
    <description>Possible SSH scanning activity - crypto miner propagation</description>
7
    <mitre>
8
      <id>T1021.004</id>
9
    </mitre>
10
  </rule>
11
</group>

Detection Strategy 2: SSH Key Monitoring#

Configure File Integrity Monitoring#

Edit /var/ossec/etc/shared/default/agent.conf on the Wazuh server:

1
<agent_config os="linux">
2
  <syscheck>
3
    <directories check_all="yes" realtime="yes">/home/*/.ssh/</directories>
4
    <directories check_all="yes" realtime="yes">/var/lib/*/.ssh/</directories>
5
    <directories check_all="yes" realtime="yes">/root/.ssh/</directories>
6
  </syscheck>
7
</agent_config>

Create Detection Rules#

Add to /var/ossec/etc/rules/local_rules.xml:

1
<group name="cryptominer,">
2
  <rule id="100010" level="10">
3
    <if_sid>554</if_sid>
4
    <field name="file" type="pcre2">\/authorized_keys$</field>
5
    <regex type="pcre2">added</regex>
6
    <description>SSH authorized_keys file "$(file)" has been added</description>
7
    <mitre>
8
      <id>T1098.004</id>
9
    </mitre>
10
  </rule>
11

12
  <rule id="100011" level="10">
13
    <if_sid>550</if_sid>
14
    <field name="file" type="pcre2">\/authorized_keys$</field>
15
    <regex type="pcre2">modified</regex>
16
    <description>SSH authorized_keys file "$(file)" has been modified</description>
17
    <mitre>
18
      <id>T1098.004</id>
19
    </mitre>
20
  </rule>
21
</group>

Detection Strategy 3: Cron Job Monitoring#

Configure FIM with Report Changes#

1
<agent_config os="linux">
2
  <syscheck>
3
    <directories check_all="yes" realtime="yes" report_changes="yes">/var/spool/cron/crontabs/</directories>
4
  </syscheck>
5
</agent_config>

Enhanced Cron Monitoring Rules#

1
<rule id="100012" level="12">
2
  <if_sid>550, 554</if_sid>
3
  <field name="file" type="pcre2">^\/var\/spool\/cron\/crontabs</field>
4
  <description>Cron job has been modified for user "$(uname)". Changes: "$(changed_content)"</description>
5
  <mitre>
6
    <id>T1053.003</id>
7
  </mitre>
8
</rule>
9

10
<!-- Detect suspicious cron patterns -->
11
<rule id="100013" level="13">
12
  <if_sid>100012</if_sid>
13
  <match>wget|curl|/tmp/|/var/tmp/|base64|eval</match>
14
  <description>Suspicious cron job detected - possible crypto miner</description>
15
</rule>

Detection Strategy 4: Malware Detection with VirusTotal#

Configure FIM for Common Drop Locations#

1
<agent_config os="linux">
2
  <syscheck>
3
    <directories check_all="yes" realtime="yes">/tmp/</directories>
4
    <directories check_all="yes" realtime="yes">/var/tmp/</directories>
5
    <directories check_all="yes" realtime="yes">/home/*/Downloads/</directories>
6
  </syscheck>
7
</agent_config>

Enable VirusTotal Integration#

Add to /var/ossec/etc/ossec.conf on the Wazuh server:

1
<integration>
2
  <name>virustotal</name>
3
  <api_key>YOUR_VIRUSTOTAL_API_KEY</api_key>
4
  <group>syscheck</group>
5
  <alert_format>json</alert_format>
6
</integration>

Detection Strategy 5: CPU Usage Monitoring#

Configure Resource Monitoring#

1
<agent_config os="linux">
2
  <localfile>
3
    <log_format>full_command</log_format>
4
    <command>top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print 100 - $1"%"}'</command>
5
    <alias>top cpu usage</alias>
6
    <frequency>60</frequency>
7
  </localfile>
8
</agent_config>

Enable remote commands on agents:

1
echo "logcollector.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf
2
systemctl restart wazuh-agent

CPU Monitoring Rules#

1
<rule id="100013" level="12" ignore="600">
2
  <if_sid>530</if_sid>
3
  <match>ossec: output: 'top cpu usage</match>
4
  <regex type="pcre2">9\d%|100%</regex>
5
  <description>CPU usage higher than 90%</description>
6
  <mitre>
7
    <id>T1496</id>
8
  </mitre>
9
</rule>
10

11
<!-- Sustained high CPU usage -->
12
<rule id="100014" level="14" frequency="5" timeframe="300">
13
  <if_sid>100013</if_sid>
14
  <description>Sustained high CPU usage - possible crypto mining</description>
15
  <options>alert_by_email</options>
16
</rule>

Detection Strategy 6: Network Monitoring with Suricata#

Install and Configure Suricata#

1
# Install Suricata
2
add-apt-repository ppa:oisf/suricata-5.0
3
apt-get update
4
apt install suricata
5

6
# Download Emerging Threats rules
7
wget https://rules.emergingthreats.net/open/suricata-5.0.9/emerging.rules.tar.gz
8
tar zxvf emerging.rules.tar.gz
9
rm /etc/suricata/rules/* -f
10
mv rules/*.rules /etc/suricata/rules/ -f
11

12
# Download crypto miner rules
13
wget -O /etc/suricata/rules/crypto-Miners_public_pools.rules \
14
  https://raw.githubusercontent.com/al0ne/suricata-rules/master/Crypto_miner_pool/crypto-Miners_public_pools.rules

Configure Suricata#

Edit /etc/suricata/suricata.yaml:

1
default-rule-path: /etc/suricata/rules
2
rule-files:
3
  - "*.rules"
4

5
af-packet:
6
  - interface: eth0  # Change to your interface
7

8
outputs:
9
  - eve-log:
10
      enabled: yes
11
      filetype: regular
12
      filename: eve.json

Configure Wazuh Agent#

Add to /var/ossec/etc/ossec.conf:

1
<localfile>
2
  <log_format>json</log_format>
3
  <location>/var/log/suricata/eve.json</location>
4
</localfile>

Advanced Detection Rules#

Comprehensive Crypto Miner Detection#

1
<group name="crypto_miner_advanced,">
2
  <!-- Known miner process names -->
3
  <rule id="100020" level="12">
4
    <if_sid>530</if_sid>
5
    <match>xmrig|minerd|cpuminer|xmr-stak|cgminer|bfgminer</match>
6
    <description>Known crypto miner process detected: $(full_log)</description>
7
    <mitre>
8
      <id>T1496</id>
9
    </mitre>
10
  </rule>
11

12
  <!-- Suspicious binary locations -->
13
  <rule id="100021" level="11">
14
    <if_sid>554</if_sid>
15
    <field name="file" type="pcre2">\/tmp\/|\/var\/tmp\/|\/dev\/shm\/</field>
16
    <regex>\.sh$|\.bin$|\.elf$</regex>
17
    <description>Suspicious executable in temporary directory: $(file)</description>
18
  </rule>
19

20
  <!-- Hidden process detection -->
21
  <rule id="100022" level="12">
22
    <if_sid>530</if_sid>
23
    <match>ps aux</match>
24
    <regex>\[\s*\]|\[crypto\]|\[kworker\]</regex>
25
    <description>Possible hidden crypto miner process</description>
26
  </rule>
27

28
  <!-- Mining pool connections -->
29
  <rule id="100023" level="13">
30
    <if_sid>530</if_sid>
31
    <match>netstat|ss</match>
32
    <regex>pool\.minexmr|nanopool|f2pool|antpool|stratum</regex>
33
    <description>Connection to known mining pool detected</description>
34
  </rule>
35

36
  <!-- Firewall modification -->
37
  <rule id="100024" level="11">
38
    <if_sid>2902</if_sid>
39
    <match>iptables -F|ufw disable</match>
40
    <description>Firewall rules cleared - possible miner activity</description>
41
  </rule>
42

43
  <!-- Multiple indicators correlation -->
44
  <rule id="100025" level="15" frequency="3" timeframe="300">
45
    <if_sid>100010,100012,100013</if_sid>
46
    <description>Multiple crypto miner indicators detected</description>
47
    <options>alert_by_email</options>
48
  </rule>
49
</group>

Process Monitoring#

1
<!-- Monitor specific processes -->
2
<localfile>
3
  <log_format>full_command</log_format>
4
  <command>ps aux | grep -v grep | grep -E "xmrig|minerd|kworker|crypto" || echo "No miners found"</command>
5
  <alias>miner_process_check</alias>
6
  <frequency>300</frequency>
7
</localfile>
8

9
<!-- Check for suspicious network connections -->
10
<localfile>
11
  <log_format>full_command</log_format>
12
  <command>ss -tupn | grep -E ":3333|:4444|:5555|:7777|:8333|:9999" || echo "No suspicious connections"</command>
13
  <alias>miner_connection_check</alias>
14
  <frequency>300</frequency>
15
</localfile>

Active Response Configuration#

Automated Blocking#

Create /var/ossec/active-response/bin/block-crypto-miner.sh:

1
#!/bin/bash
2
# Block crypto miner activity
3

4
ACTION=$1
5
USER=$2
6
IP=$3
7
ALERTID=$4
8
RULEID=$5
9

10
if [ "$ACTION" = "add" ]; then
11
    # Kill suspicious processes
12
    pkill -f "xmrig|minerd|cpuminer|xmr-stak"
13

14
    # Block known mining pool IPs
15
    iptables -A OUTPUT -p tcp --dport 3333 -j DROP
16
    iptables -A OUTPUT -p tcp --dport 4444 -j DROP
17
    iptables -A OUTPUT -p tcp --dport 5555 -j DROP
18

19
    # Remove suspicious files
20
    find /tmp /var/tmp -name "*.sh" -mtime -1 -exec rm -f {} \;
21

22
    # Log action
23
    echo "$(date) - Blocked crypto miner activity" >> /var/log/crypto-miner-blocked.log
24
fi
25

26
if [ "$ACTION" = "delete" ]; then
27
    # Remove blocks (if needed)
28
    iptables -D OUTPUT -p tcp --dport 3333 -j DROP 2>/dev/null
29
    iptables -D OUTPUT -p tcp --dport 4444 -j DROP 2>/dev/null
30
    iptables -D OUTPUT -p tcp --dport 5555 -j DROP 2>/dev/null
31
fi

Configure active response in /var/ossec/etc/ossec.conf:

1
<command>
2
  <name>block-crypto-miner</name>
3
  <executable>block-crypto-miner.sh</executable>
4
  <expect>srcip</expect>
5
  <timeout_allowed>yes</timeout_allowed>
6
</command>
7

8
<active-response>
9
  <command>block-crypto-miner</command>
10
  <location>local</location>
11
  <rules_id>100013,100020,100023,100025</rules_id>
12
</active-response>

Monitoring Dashboard#

Key Metrics to Track#

Authentication Metrics:
- Failed SSH attempts
- Successful logins from new IPs
- Outbound SSH connections
File System Changes:
- SSH key modifications
- Cron job changes
- Executable files in /tmp
Resource Usage:
- CPU usage trends
- Memory consumption
- Process count
Network Activity:
- Connections to mining pools
- Unusual port usage
- Data transfer volumes

Custom Visualizations#

1
{
2
  "visualization": {
3
    "title": "Crypto Miner Detection Dashboard",
4
    "visState": {
5
      "type": "dashboard",
6
      "params": {
7
        "panels": [
8
          {
9
            "id": "ssh-failures",
10
            "type": "line",
11
            "title": "SSH Authentication Failures",
12
            "query": "rule.id:5551"
13
          },
14
          {
15
            "id": "cpu-usage",
16
            "type": "gauge",
17
            "title": "CPU Usage Alert Frequency",
18
            "query": "rule.id:100013"
19
          },
20
          {
21
            "id": "file-changes",
22
            "type": "data_table",
23
            "title": "Critical File Modifications",
24
            "query": "rule.groups:cryptominer"
25
          },
26
          {
27
            "id": "network-connections",
28
            "type": "pie",
29
            "title": "Mining Pool Connections",
30
            "query": "rule.id:100023"
31
          }
32
        ]
33
      }
34
    }
35
  }
36
}

Best Practices#

1. Prevention Strategies#

1
Security Hardening:
2
  SSH Configuration:
3
    - Disable password authentication
4
    - Use key-based authentication only
5
    - Implement fail2ban
6
    - Change default SSH port
7

8
  System Hardening:
9
    - Regular security updates
10
    - Minimal software installation
11
    - Strict file permissions
12
    - SELinux/AppArmor enabled
13

14
  Network Security:
15
    - Outbound traffic filtering
16
    - Block unnecessary ports
17
    - Monitor DNS queries
18
    - Implement IDS/IPS

2. Detection Tuning#

1
<!-- Environment-specific rules -->
2
<rule id="100030" level="8">
3
  <if_sid>100013</if_sid>
4
  <time>8:00 am - 6:00 pm</time>
5
  <weekday>monday,tuesday,wednesday,thursday,friday</weekday>
6
  <description>High CPU during business hours - investigate</description>
7
</rule>
8

9
<rule id="100031" level="14">
10
  <if_sid>100013</if_sid>
11
  <time>10:00 pm - 6:00 am</time>
12
  <description>High CPU during off-hours - likely crypto mining</description>
13
</rule>

3. Incident Response#

1
#!/bin/bash
2
# Crypto miner incident response script
3

4
echo "=== Crypto Miner Incident Response ==="
5
echo "Started: $(date)"
6

7
# 1. Isolate the system
8
echo "Isolating system..."
9
# iptables -A INPUT -j DROP
10
# iptables -A OUTPUT -j DROP
11

12
# 2. Collect evidence
13
echo "Collecting evidence..."
14
mkdir -p /tmp/incident_response
15
ps aux > /tmp/incident_response/processes.txt
16
netstat -tulpn > /tmp/incident_response/connections.txt
17
crontab -l > /tmp/incident_response/crontab.txt
18
find /tmp /var/tmp -type f -mtime -7 > /tmp/incident_response/recent_files.txt
19

20
# 3. Kill malicious processes
21
echo "Terminating suspicious processes..."
22
pkill -f "xmrig|minerd|cpuminer|kworker"
23

24
# 4. Remove persistence
25
echo "Removing persistence mechanisms..."
26
# Check and clean crontabs
27
crontab -l | grep -v "wget\|curl\|/tmp/\|base64" | crontab -
28

29
# 5. Clean up
30
echo "Cleaning temporary files..."
31
find /tmp /var/tmp -name "*.sh" -o -name "config.json" | xargs rm -f
32

33
echo "Response completed: $(date)"

Advanced Threat Hunting#

Behavioral Analysis#

1
<!-- Detect process name spoofing -->
2
<rule id="100040" level="12">
3
  <if_sid>530</if_sid>
4
  <match>/usr/sbin/httpd</match>
5
  <regex>cpu.*[8-9]\d\.[0-9]%|cpu.*100\.[0-9]%</regex>
6
  <description>Suspicious high CPU usage by httpd - possible fake process</description>
7
</rule>
8

9
<!-- Detect mining through containers -->
10
<rule id="100041" level="11">
11
  <if_sid>87903</if_sid>
12
  <match>docker run</match>
13
  <regex>xmrig|monero|nicehash</regex>
14
  <description>Crypto mining container detected</description>
15
</rule>
16

17
<!-- Memory-based miner detection -->
18
<rule id="100042" level="12">
19
  <if_sid>530</if_sid>
20
  <match>ps aux</match>
21
  <regex>RSS.*[5-9]\d{5}|RSS.*[1-9]\d{6}</regex>
22
  <description>Process using excessive memory - possible miner</description>
23
</rule>

Network Traffic Analysis#

1
#!/usr/bin/env python3
2
# Analyze network traffic for mining patterns
3

4
import json
5
import re
6
from collections import defaultdict
7

8
def analyze_mining_traffic(log_file):
9
    """Analyze network logs for crypto mining patterns"""
10

11
    mining_pools = [
12
        'pool.minexmr.com',
13
        'xmr-us-east1.nanopool.org',
14
        'xmr.f2pool.com',
15
        'pool.supportxmr.com'
16
    ]
17

18
    suspicious_ports = [3333, 4444, 5555, 7777, 8333, 9999]
19
    connections = defaultdict(int)
20

21
    with open(log_file, 'r') as f:
22
        for line in f:
23
            try:
24
                log = json.loads(line)
25

26
                # Check for mining pool connections
27
                for pool in mining_pools:
28
                    if pool in log.get('dest_ip', ''):
29
                        connections[pool] += 1
30

31
                # Check for suspicious ports
32
                dest_port = log.get('dest_port', 0)
33
                if dest_port in suspicious_ports:
34
                    connections[f"Port_{dest_port}"] += 1
35

36
            except:
37
                continue
38

39
    return connections
40

41
# Generate alert if threshold exceeded
42
def check_thresholds(connections):
43
    for dest, count in connections.items():
44
        if count > 10:
45
            print(f"ALERT: Multiple connections to {dest} ({count} times)")

Integration Examples#

1. SIEM Integration#

1
#!/usr/bin/env python3
2
# Forward crypto miner alerts to external SIEM
3

4
import requests
5
import json
6

7
def forward_to_siem(alert):
8
    """Forward high-priority crypto miner alerts"""
9

10
    if alert['rule']['id'] in ['100025', '100014', '100023']:
11
        siem_event = {
12
            'timestamp': alert['timestamp'],
13
            'severity': 'critical',
14
            'category': 'crypto_mining',
15
            'host': alert['agent']['name'],
16
            'details': {
17
                'rule': alert['rule']['description'],
18
                'indicators': extract_indicators(alert)
19
            }
20
        }
21

22
        requests.post(
23
            'https://siem.company.com/api/events',
24
            json=siem_event,
25
            headers={'Authorization': 'Bearer YOUR_TOKEN'}
26
        )
27

28
def extract_indicators(alert):
29
    """Extract IoCs from alert"""
30
    indicators = {
31
        'ips': [],
32
        'domains': [],
33
        'hashes': [],
34
        'processes': []
35
    }
36

37
    # Extract relevant indicators based on rule
38
    if 'full_log' in alert:
39
        # Extract IPs
40
        ips = re.findall(r'\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b',
41
                         alert['full_log'])
42
        indicators['ips'] = list(set(ips))
43

44
    return indicators

2. Automated Threat Intelligence#

1
#!/bin/bash
2
# Update threat intelligence for crypto miners
3

4
THREAT_INTEL_DIR="/var/ossec/etc/lists"
5

6
# Download latest mining pool list
7
wget -O "$THREAT_INTEL_DIR/mining_pools.txt" \
8
  "https://raw.githubusercontent.com/your-repo/threat-intel/main/mining_pools.txt"
9

10
# Download latest miner hashes
11
wget -O "$THREAT_INTEL_DIR/miner_hashes.txt" \
12
  "https://raw.githubusercontent.com/your-repo/threat-intel/main/miner_hashes.txt"
13

14
# Convert to CDB format
15
cat "$THREAT_INTEL_DIR/mining_pools.txt" | awk '{print $1":"}' > \
16
  "$THREAT_INTEL_DIR/mining_pools"
17

18
cat "$THREAT_INTEL_DIR/miner_hashes.txt" | awk '{print $1":"}' > \
19
  "$THREAT_INTEL_DIR/miner_hashes"
20

21
# Restart Wazuh manager
22
systemctl restart wazuh-manager

Performance Impact#

Monitoring Overhead#

1
Resource Usage Guidelines:
2
  FIM Monitoring:
3
    - Limit directories monitored
4
    - Use scan intervals appropriately
5
    - Exclude large/frequently changing directories
6

7
  Command Monitoring:
8
    - CPU check: Every 60 seconds
9
    - Process check: Every 300 seconds
10
    - Network check: Every 300 seconds
11

12
  Log Collection:
13
    - Rotate logs regularly
14
    - Compress archived logs
15
    - Set appropriate retention periods

Optimization Strategies#

1
<!-- Reduce noise from legitimate high CPU usage -->
2
<rule id="100050" level="0">
3
  <if_sid>100013</if_sid>
4
  <match>gcc|make|npm|docker|java</match>
5
  <description>Ignore high CPU from known processes</description>
6
</rule>
7

8
<!-- Time-based rule suppression -->
9
<rule id="100051" level="0">
10
  <if_sid>100010</if_sid>
11
  <time>8:00 am - 9:00 am</time>
12
  <description>Suppress SSH key alerts during maintenance window</description>
13
</rule>

Conclusion#

Detecting illegitimate crypto miners on Linux endpoints requires a multi-layered approach combining various Wazuh capabilities. By implementing comprehensive monitoring across initial access vectors, persistence mechanisms, execution patterns, and network behavior, organizations can effectively detect and respond to crypto mining threats.

Key achievements through this implementation:

✅ Early Detection: Identify crypto miners at various stages of the attack chain
🛡️ Automated Response: Block malicious activities in real-time
📊 Comprehensive Visibility: Monitor all critical indicators of compromise
🔍 Threat Hunting: Proactively search for hidden mining activities
📈 Continuous Improvement: Adapt detection rules based on emerging threats

Key Takeaways#

Layer Your Defenses: Combine multiple detection strategies for comprehensive coverage
Monitor Holistically: Track authentication, files, resources, and network together
Automate Responses: Implement active responses to minimize damage
Update Regularly: Keep threat intelligence and detection rules current
Test Continuously: Validate detection capabilities with controlled tests

Resources#

Protect your Linux infrastructure from crypto mining threats with Wazuh! 💎🛡️