// runnable playbook

cryptojacking

unauthorized miner on endpoint / cloud workload — CPU/GPU baseline drift + persistence + outbound pool traffic.

a guided path, not automation — each step opens a tool you run yourself; nothing uploads. progress is saved only in this browser.

// based on the curated pipeline

wraps the cryptojacking — beacon kit preset — drop process + network + DNS logs → ancestry → beacon detect → DNS timeline → persistence → report

methodology guide →worked example →full tool list →

guided steps

0/8 done

01
evidence manifest generator
hash log exports before analysis
open tool →methodology
your note (local only)
02
process ancestry reconstructor
reconstruct process parent-child chains for miner processes
open tool →methodology
your note (local only)
03
beaconing pattern detector
detect periodic beaconing to mining pools
open tool →methodology
your note (local only)
04
host-based beaconing detector
host-level beacon interval analysis
open tool →methodology
your note (local only)
05
dns query log analyzer
DNS query analysis for pool domain resolution
open tool →methodology
your note (local only)
06
scheduled task deletion and history clearing detector
detect scheduled-task tampering for miner persistence
open tool →methodology
your note (local only)
07
registry autorun entry removal detector
detect autorun key removal — anti-forensics after miner install
open tool →methodology
your note (local only)
08
case report generator
draft a report identifying miner persistence + pool infrastructure
suggested options · title: cryptojacking — scope assessment
open tool →methodology
your note (local only)

when you're done

export a run summary — a small JSON record of which steps you marked done, your notes, and a self-hash so the record can't be silently altered. it is your reproducibility note, not a per-tool receipt: each tool emits its own input→output receipt when you run it.