Playbook of the Week: Cloud Cryptojacking Response

As the use of multi-cloud environments continues to rise, adversaries have increased their focus on targeting cloud infrastructure. Cloud environments are seen as an attractive target for attackers, who seek to gain access to sensitive data and resources that are not properly secured by organizations.

The dynamic and complex nature of cloud infrastructure makes it challenging to secure, resulting in a lack of visibility and control needed to promptly detect and respond to security incidents. Cloud-based attacks are becoming more sophisticated and well-funded, using advanced tactics such as cloud cryptojacking, malware campaigns, and cloud misconfigurations. These attacks can be hard to detect and prevent, particularly for organizations that are not well-prepared.

In this article, we will take a closer look at cryptojacking attacks and how you can quickly and effectively respond to help minimize their impact and prevent them from spreading with Cortex XSOAR.

What is Cryptomining?

Cryptomining is the process of using specialized computer software and hardware to verify and record transactions on a blockchain network to earn cryptocurrency.

Think of a blockchain as a digital ledger, where all transactions are recorded in a public and decentralized way. Cryptomining is like being a bookkeeper for this digital ledger. Miners use their computer resources to solve the complex mathematical problems that are required to add new blocks of transactions to the blockchain. When miners successfully add a new block to the blockchain, they are rewarded with a certain amount of cryptocurrency, typically Bitcoin, as a reward for their work.

In simple terms, cryptomining is like digging for digital gold using your computer, and the reward is the cryptocurrency you earn.

Malicious Mining: Cryptomining vs Cryptojacking

Cloud cryptojacking is a type of cyberattack in which attackers use the resources of a cloud computing platform to mine for cryptocurrency without the knowledge or consent of the cloud platform's owner. So while cryptojacking is a process of cryptomining, the main difference is that it relies on the unauthorized use of someone else's resources to mine for cryptocurrency.

An example of a cloud cryptojacking attack would be an attacker gaining access to a cloud platform's API credentials and using them to spin up many virtual machines dedicated to mining cryptocurrency.

Stop Cryptojacking Attacks with Cortex XSOAR

Cortex XSOAR can quickly respond to cryptojacking attacks by automating the incident response process. In the enrichment and investigation phase, XSOAR can gather information about the attack by integrating with cloud platforms like AWS, GCP, and Azure to gather information about the resources that are being used for mining, the IP addresses that are accessing them, and the user accounts that are associated with the API credentials.

On the response side, XSOAR can be configured to automatically terminate instances, revoke API keys, and take other actions to stop the attack and contain the damage. Additionally, AI/ML can be used to shorten incident response time by detecting the signs of an attack and acting before it becomes widespread.

Cryptojacking Response Playbook

The cloud cryptojacking response playbook (part of the Cortex XDR content pack) provides an automated flow for collecting, analyzing, and responding to malicious cryptomining activity.

The playbook is triggered by a Cortex XDR alert that detects unusual allocation of cloud computing resources.

Image 1: Detecting adversary techniques with cloud data
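The alert that triggers the playbook is described above only as "unusual allocation of cloud computing resources". As an added illustration of what such a detection can look like (example code written for this article, not the Cortex XDR detection logic), the block below runs a sliding-window count of instance launches per identity over constructed CloudTrail-style events. The event shape, the five-minute window and the threshold of ten instances are assumptions chosen for the example.

```python
"""Detect bursts of compute allocation per identity, the kind of anomaly that
should raise a cloud cryptojacking alert. The log shape and thresholds are
assumptions; the events below are constructed, not real CloudTrail records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style events: who launched how many instances, where and when.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T02:00:05Z", "identity": "svc-build", "action": "RunInstances", "count": 1, "region": "us-east-1"},
    {"time": "2024-01-10T02:00:09Z", "identity": "svc-build", "action": "RunInstances", "count": 8, "region": "us-east-1"},
    {"time": "2024-01-10T02:03:40Z", "identity": "svc-build", "action": "RunInstances", "count": 4, "region": "eu-west-1"},
    {"time": "2024-01-10T09:00:00Z", "identity": "dev-alice", "action": "RunInstances", "count": 2, "region": "us-east-1"},
    {"time": "2024-01-10T11:00:00Z", "identity": "dev-alice", "action": "RunInstances", "count": 3, "region": "us-east-1"},
    {"time": "2024-01-10T11:05:00Z", "identity": "dev-alice", "action": "TerminateInstances", "count": 3, "region": "us-east-1"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_allocation_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Return {identity: (instances_launched, regions)} for every identity that
    launched at least `threshold` instances inside some sliding `window`.
    For each identity the largest qualifying window is reported."""
    launches = defaultdict(list)
    for ev in events:
        if ev["action"] != "RunInstances":
            continue  # only creation events count towards the burst
        launches[ev["identity"]].append((parse_time(ev["time"]), ev["count"], ev["region"]))

    bursts = {}
    for identity, items in launches.items():
        items.sort()  # sliding window over time-ordered launches
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            in_window = items[start:end + 1]
            total = sum(count for _, count, _ in in_window)
            if total >= threshold and total > bursts.get(identity, (0, []))[0]:
                regions = sorted({region for _, _, region in in_window})
                bursts[identity] = (total, regions)
    return bursts


if __name__ == "__main__":
    for identity, (total, regions) in find_allocation_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {identity}: {total} instances in 5 min across {', '.join(regions)}")
```

In the constructed sample, `svc-build` launches 13 instances in under four minutes across two regions and is flagged, while `dev-alice`'s five launches spread over two hours are not. The per-identity grouping matters because a single compromised credential, not the whole account, is the usual unit of a cryptojacking burst.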


Based on the alert data, XSOAR initiates the automated flow described below.

First, XSOAR enriches all data related to the following:

  • Identity and Access Management (IAM) Enrichment
    • Collects information about the identity used in the attack
  • Resource Enrichment
    • Collects information about the resource type, region, and project
  • Network Enrichment
    • Collects information about the attacker IP address, geo-location, and ASN

Then, the collected data is set into a dedicated layout.

Verdict Decision

The verdict is based on predefined logic that correlates the XDR alert with the XSOAR enrichment data, following this decision tree:

Figure 2: Decision tree for verdict decision


Verdict Resolution

If the verdict is benign or indecisive, a manual task requires the analyst's intervention.

If the verdict is malicious, the cloud response playbook is executed.

This playbook provides an automated or semi-manual response action integrating with AWS, GCP, and Azure.

Figure 3: Cloud response playbook triggered


The response actions available are divided into the core building blocks of the cloud:

  • Compute Resources
    • Terminate/Shut down/Power off an instance
  • IAM
    • Delete/Disable a user
  • Privileges
    • Delete/Revoke/Disable credentials
  • Indicators
    • Block indicators
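The Verdict Decision and Verdict Resolution sections above, together with the four response building blocks, describe one pipeline: enrichment in, verdict out, and a response plan only when the verdict is malicious. The block below is an added example of that pipeline in Python (the language of XSOAR automations); it is not the playbook's own code. The article shows the decision tree only as a figure, so the rules in `decide_verdict`, the `Enrichment` field names, the thresholds, and the sample records are all assumptions made for this example.

```python
"""Verdict decision and response plan for a cloud cryptojacking alert.

Illustrative example: the field names, thresholds and decision rules are assumptions,
not the Cortex XSOAR playbook's own logic. Sample data is constructed."""
from dataclasses import dataclass

MALICIOUS, BENIGN, INDECISIVE = "malicious", "benign", "indecisive"


@dataclass
class Enrichment:
    """Output of the three enrichment stages, collapsed into one record (assumed shape)."""
    identity: str            # IAM: principal that created the resources
    identity_age_days: int   # IAM: how long the principal has existed
    mfa_enabled: bool        # IAM: MFA state of the principal
    instance_count: int      # resource: instances created
    instance_types: list     # resource: instance types requested
    regions: list            # resource: regions touched
    source_ip: str           # network: caller IP
    source_asn: str          # network: ASN of the caller IP
    ip_reputation: str       # network: "malicious" | "suspicious" | "clean" | "unknown"


def decide_verdict(alert, enr):
    """Assumed decision tree correlating the alert context with the enrichment:
    1. known-malicious caller IP -> malicious
    2. allow-listed identity acting only in its usual regions -> benign
    3. three or more risk signals (new region, burst size, GPU-style instance
       families, weak or new identity, suspicious IP) -> malicious
    4. anything else -> indecisive, which routes to a manual analyst task"""
    if enr.ip_reputation == "malicious":
        return MALICIOUS
    unusual_regions = [r for r in enr.regions if r not in alert["known_regions"]]
    if enr.identity in alert["allowlisted_identities"] and not unusual_regions:
        return BENIGN
    signals = [
        bool(unusual_regions),
        enr.instance_count >= alert["instance_threshold"],
        # GPU-style families (p*, g*) are a crude heuristic assumed for this example
        any(t.split(".")[0].startswith(("p", "g")) for t in enr.instance_types),
        (not enr.mfa_enabled) or enr.identity_age_days < 7,
        enr.ip_reputation == "suspicious",
    ]
    return MALICIOUS if sum(signals) >= 3 else INDECISIVE


def build_response_plan(verdict, enr, auto_approve=False):
    """Map the verdict to the four response building blocks (compute, privileges,
    IAM, indicators). Non-malicious verdicts yield only a manual-review task.
    Each step carries a requires_approval flag so the same plan can run semi-manually."""
    if verdict != MALICIOUS:
        return [{"block": "manual", "action": "analyst_review", "verdict": verdict}]
    plan = [
        {"block": "compute", "action": "terminate_instances",
         "regions": enr.regions, "count": enr.instance_count},
        {"block": "privileges", "action": "revoke_credentials", "identity": enr.identity},
        {"block": "iam", "action": "disable_user", "identity": enr.identity},
        {"block": "indicators", "action": "block_ip", "value": enr.source_ip},
    ]
    for step in plan:
        step["requires_approval"] = not auto_approve
    return plan


# Constructed alert context and three constructed enrichment records
# (IPs from documentation ranges, ASNs from the private/documentation range).
SAMPLE_ALERT = {"known_regions": ["us-east-1"],
                "allowlisted_identities": ["svc-autoscale"],
                "instance_threshold": 10}
SAMPLE_CASES = {
    "burst": Enrichment("svc-build", 2, False, 13, ["p3.8xlarge"],
                        ["us-east-1", "eu-west-1"], "203.0.113.45", "AS64496", "suspicious"),
    "autoscale": Enrichment("svc-autoscale", 400, True, 12, ["m5.large"],
                            ["us-east-1"], "198.51.100.7", "AS64497", "clean"),
    "developer": Enrichment("dev-alice", 400, True, 3, ["t3.medium"],
                            ["us-east-1"], "192.0.2.10", "AS64498", "unknown"),
}


def run_sample_cases():
    """Return {case: (verdict, number_of_plan_steps)} for the constructed cases."""
    out = {}
    for name, enr in SAMPLE_CASES.items():
        verdict = decide_verdict(SAMPLE_ALERT, enr)
        out[name] = (verdict, len(build_response_plan(verdict, enr)))
    return out


if __name__ == "__main__":
    for name, (verdict, steps) in run_sample_cases().items():
        print(f"{name}: verdict={verdict}, plan steps={steps}")
```

The order of the plan matters in practice: terminating compute stops the billing bleed immediately, while revoking credentials before disabling the user prevents the attacker from re-creating instances in the window between the two steps. Keeping `requires_approval` on by default mirrors the semi-manual mode the article describes, where an analyst confirms destructive actions before they run.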

The Layout

The layout we’ve created for this alert is divided into two main tabs:

  • Incident Info
  • Security Posture

The Incident Info tab is mainly focused on presenting both high-level and low-level information about the incident and the alert.

Figure 4: Incident information


The Security Posture tab's goal is to provide detailed information and visualizations that answer the following questions:

  • Who are the involved users?
  • How many instances were created and what is their type?
  • From how many regions was the attack executed?

Furthermore, we provide extended information on the attacker's characteristics and a section dedicated to all of the suspicious or malicious indicators found.

Figure 4: Security posture



Cryptojacking attacks have become a serious threat to organizations of all sizes, as attackers seek to exploit the power of cloud computing environments to mine for cryptocurrency. The ability to quickly and effectively respond to these attacks is crucial to minimize their impact and prevent them from spreading.

Organizations should also stay vigilant and aware of the latest trends and techniques in cryptojacking attacks and be prepared to adapt their incident response plans accordingly. Incident response automation and implementing security best practices are crucial in protecting organizations from the growing threat of cryptojacking attacks in the cloud.

For more information on the Cryptojacking Response playbook and other XSOAR packs and playbooks, visit our Cortex XSOAR Developer Docs reference page.

To learn more about how to stop cryptojacking attacks, read our other articles Stopping Cryptojacking Attacks With and Without an Agent and Compromised Cloud Compute Credentials: Case Studies From the Wild.

Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automations for common use cases you deal with daily in your security operations or SOC.