// first 10 minutes

cryptojacking — quick-start

cryptojacking — first 10 minutes. stop the burn, baseline CPU before logs rotate. print this, check boxes, then run the primary tools.

checklist

isolate the suspect host or scale down the cloud workload — stop pool traffic and bill bleed; do not reboot if you need memory artifacts.
snapshot sustained CPU/GPU utilization for the last 7 days — baseline drift is the signal, not a one-minute spike.
export the live process list and parent-child tree now — before EDR cleanup or auto-remediation kills the miner parent.
pull netflow, firewall, and proxy logs for stratum, pool, and mining-related domains — export before retention rolls.
export DNS query logs for the host and segment — miners beacon to pool hosts, failovers, and wallet payout domains.
check scheduled tasks, cron, systemd units, and registry autoruns — persistence survives reboot and image refresh.
if cloud: pull instance launch, user-data, container image digest, and IAM audit for the workload — miners often arrive as a bad image or leaked key.
capture a memory dump or approved live triage export before kill — pe and entropy analysis need the binary in RAM.
hash any miner binary, script, or container layer sha-256 before quarantine deletes it — custody row goes in now.
begin the primary tool path below — process tree rebuilder, memory analyzers, and beaconing detectors.

// first 10 minutes

cryptojacking — first 10 minutes. stop the burn, baseline CPU before logs rotate. print this, check boxes, then run the primary tools.

isolate the suspect host or scale down the cloud workload — stop pool traffic and bill bleed; do not reboot if you need memory artifacts.
snapshot sustained CPU/GPU utilization for the last 7 days — baseline drift is the signal, not a one-minute spike.
export the live process list and parent-child tree now — before EDR cleanup or auto-remediation kills the miner parent.
pull netflow, firewall, and proxy logs for stratum, pool, and mining-related domains — export before retention rolls.
export DNS query logs for the host and segment — miners beacon to pool hosts, failovers, and wallet payout domains.
check scheduled tasks, cron, systemd units, and registry autoruns — persistence survives reboot and image refresh.
if cloud: pull instance launch, user-data, container image digest, and IAM audit for the workload — miners often arrive as a bad image or leaked key.
capture a memory dump or approved live triage export before kill — pe and entropy analysis need the binary in RAM.
hash any miner binary, script, or container layer sha-256 before quarantine deletes it — custody row goes in now.
begin the primary tool path below — process tree rebuilder, memory analyzers, and beaconing detectors.