Techniques
Sample rules
XMRIG Driver Loaded
- source: splunk
- techniques:
- T1543.003
- T1543
Description
This analytic identifies XMRIG coinminer driver installation on the system. The XMRIG driver name by default is WinRing0x64.sys. This CPU miner is an open source project that is commonly abused by adversaries to infect systems and mine bitcoin.
Detection logic
`sysmon` EventCode=6 Signature="Noriyuki MIYAZAKI" OR ImageLoaded= "*\\WinRing0x64.sys"
| stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `xmrig_driver_loaded_filter`
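The same detection logic run in Python over constructed Sysmon EventCode 6 records, as an added example that is not part of the original rule or the security_content project: it reproduces the signer-or-filename match and the per-host first/last/count aggregation of the SPL above. The sample events, host names and hash placeholders are all constructed; one assumption worth noting is that both match clauses here require EventCode 6, which is stricter than the SPL, where the implicit AND binds tighter than the OR.

```python
import re
from datetime import datetime

# Constructed sample Sysmon EventCode 6 (DriverLoad) records, not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10T08:00:00", "dest": "ws01", "EventCode": 6,
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\WinRing0x64.sys",
     "Signature": "Noriyuki MIYAZAKI", "Signed": "true", "Hashes": "SHA256=PLACEHOLDER_HASH_1"},
    {"_time": "2024-01-10T09:30:00", "dest": "ws01", "EventCode": 6,
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\WinRing0x64.sys",
     "Signature": "Noriyuki MIYAZAKI", "Signed": "true", "Hashes": "SHA256=PLACEHOLDER_HASH_1"},
    # Renamed copy of the driver: the file-name clause misses it, the signer clause catches it.
    {"_time": "2024-01-10T10:00:00", "dest": "srv02", "EventCode": 6,
     "ImageLoaded": "C:\\Tools\\renamed.sys",
     "Signature": "Noriyuki MIYAZAKI", "Signed": "true", "Hashes": "SHA256=PLACEHOLDER_HASH_2"},
    # Benign Microsoft driver load: must not match.
    {"_time": "2024-01-10T10:05:00", "dest": "srv02", "EventCode": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signature": "Microsoft Windows", "Signed": "true", "Hashes": "SHA256=PLACEHOLDER_HASH_3"},
]

DRIVER_SIGNER = "Noriyuki MIYAZAKI"
# Equivalent of ImageLoaded="*\\WinRing0x64.sys" (Splunk wildcard matching is case-insensitive).
DRIVER_NAME_GLOB = re.compile(r".*\\WinRing0x64\.sys$", re.IGNORECASE)

def matches_xmrig_driver(event):
    """Rule filter: a driver-load event whose signer is the WinRing0 author
    or whose image path ends in the default WinRing0x64.sys file name.
    Assumption: EventCode 6 is required for both clauses (stricter than the SPL)."""
    if event.get("EventCode") != 6:
        return False
    return (event.get("Signature") == DRIVER_SIGNER
            or bool(DRIVER_NAME_GLOB.match(event.get("ImageLoaded", ""))))

def xmrig_driver_loaded(events):
    """Aggregate like '| stats min(_time) max(_time) count by dest ImageLoaded Hashes Signature Signed'."""
    rows = {}
    for ev in events:
        if not matches_xmrig_driver(ev):
            continue
        key = (ev["dest"], ev["ImageLoaded"], ev["Hashes"], ev["Signature"], ev["Signed"])
        t = datetime.fromisoformat(ev["_time"])
        row = rows.setdefault(key, {"firstTime": t, "lastTime": t, "count": 0})
        row["firstTime"] = min(row["firstTime"], t)
        row["lastTime"] = max(row["lastTime"], t)
        row["count"] += 1
    return rows

if __name__ == "__main__":
    for key, row in xmrig_driver_loaded(SAMPLE_EVENTS).items():
        print(key[0], key[1], row["count"], row["firstTime"], row["lastTime"])
```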