Back to Tech Center

How to Monitor for Cryptomining in the Cloud

July 19, 2021

Tech Center
CrowdStrike Tech Center


Public cloud environments are excellent targets for cryptojacking. With the proper access, an adversary can take advantage of expensive, quickly provisioned virtual resources without detection. CrowdStrike’s Cloud Security Posture Management solution, Falcon Horizon, helps organizations secure cloud environments while proactively monitoring for misconfigurations, overly permissive access settings and suspect behaviors.


Cloud Security Assessments

Leveraging two different types of assessments, the main dashboard displays an overview of recent findings across all of the registered cloud accounts and providers. The findings on the left are based on configuration policies that look at various service specific settings. Behavioral assessments focus on changes or patterns that could indicate malicious activity. Any related findings are shown on the right side of the dashboard.

cspm crytomining dashboard

Cloud Security Policies

Assessments are performed on a regular, configurable basis using CrowdStrike developed policies for the different cloud services. Under the policies tab, there is a comprehensive list of supported services for each cloud provider including Amazon’s EC2. AWS’s Elastic Cloud Compute (EC2) service makes it possible to quickly obtain compute capacity at scale.

CSPM Cryptomining EC2 policies

The various Falcon Horizon policies for EC2 include configuration policies around various settings such as public access and identity management. For each registered account and region, there are options to enable policy and customize the severity.

cspm crypto policy options

While CrowdStrike’s CSPM policies are not limited to compliance standards, those that correlate to benchmarks include links to additional information such as the rationale statement and audit procedure.

cspm crypto compliance

Behavioral policies are available to assess how EC2 instances are being leveraged. By monitoring behaviors and patterns, Falcon Horizon can look beyond configurations to alert organizations when suspicious activity is detected. 

cspm crypto behavior policies

Monitor for Cryptomining Activity

Specifically, there is a behavioral policy to monitor for cryptocurrency mining attacks. This policy is looking for a specific, rapid sequence of calls that would be used by an attacker launching a scripted mining attack.

cspm crypto policy

The policy details include remediation steps as well as alert logic and the MITRE ATTACK details. Assessment findings based on this policy would merit immediate investigation to confirm the findings and take action to stop a mining attack in progress.

cspm crypto policy details


With the growth of cloud deployments, it is imperative that companies continuously monitor their environments and consistently maintain their required security standards. Falcon Horizon provides granular policy assessment and visibility to help organizations quickly identify potential exposures, resolve findings and minimize overall risk.

More resources

Related Content