False positives should be limited.

Techniques

Sample rules

XMRIG Driver Loaded

Description

This analytic identifies installation of the XMRIG coinminer driver on a system. The XMRIG driver name by default is WinRing0x64.sys. This CPU miner is an open-source project that adversaries commonly abuse to infect hosts and mine bitcoin.

Detection logic

`sysmon` EventCode=6 Signature="Noriyuki MIYAZAKI" OR ImageLoaded="*\\WinRing0x64.sys"
| stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `xmrig_driver_loaded_filter`
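The detection logic above, replayed in Python over constructed Sysmon records as an added example (not part of this LoFP entry or of the Splunk rule): `matches` applies the EventCode 6 / signer / driver-path test, and `xmrig_driver_loaded` reproduces the `stats min(_time) ... count by` aggregation. Host names, timestamps, paths and the hash placeholders are all constructed.

```python
from fnmatch import fnmatch
from collections import defaultdict

# Constructed Sysmon records (not real telemetry). EventCode 6 = Sysmon DriverLoad.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 6, "dest": "ws01",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\WinRing0x64.sys",
     "Hashes": "SHA256=<placeholder>", "IMPHASH": "<placeholder>",
     "Signature": "Noriyuki MIYAZAKI", "Signed": "true"},
    {"_time": 1700000600, "EventCode": 6, "dest": "ws01",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\WinRing0x64.sys",
     "Hashes": "SHA256=<placeholder>", "IMPHASH": "<placeholder>",
     "Signature": "Noriyuki MIYAZAKI", "Signed": "true"},
    # Renamed copy: the path no longer matches, but the signer clause still does.
    {"_time": 1700001200, "EventCode": 6, "dest": "ws02",
     "ImageLoaded": "C:\\Windows\\Temp\\hw.sys", "Hashes": "SHA256=<placeholder>",
     "IMPHASH": "<placeholder>", "Signature": "Noriyuki MIYAZAKI", "Signed": "true"},
    # EventCode 7 (ImageLoad) with the same file name: not a driver load, so excluded.
    {"_time": 1700001800, "EventCode": 7, "dest": "ws03",
     "ImageLoaded": "C:\\Tools\\WinRing0x64.sys", "Hashes": "", "IMPHASH": "",
     "Signature": "", "Signed": "false"},
    # Ordinary signed Windows driver: no match on either clause.
    {"_time": 1700002400, "EventCode": 6, "dest": "ws03",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys", "Hashes": "",
     "IMPHASH": "", "Signature": "Microsoft Windows", "Signed": "true"},
]

GROUP_BY = ("dest", "ImageLoaded", "Hashes", "IMPHASH", "Signature", "Signed")

def matches(ev):
    """EventCode=6 AND (Signature="Noriyuki MIYAZAKI" OR ImageLoaded="*\\WinRing0x64.sys")."""
    if ev.get("EventCode") != 6:
        return False
    by_signer = ev.get("Signature", "") == "Noriyuki MIYAZAKI"
    # Splunk wildcard matches on field values are case-insensitive; mirror that here.
    by_path = fnmatch(ev.get("ImageLoaded", "").lower(), "*\\winring0x64.sys")
    return by_signer or by_path

def xmrig_driver_loaded(events):
    """Equivalent of '| stats min(_time) as firstTime max(_time) as lastTime count by ...'."""
    groups = defaultdict(lambda: {"firstTime": None, "lastTime": None, "count": 0})
    for ev in filter(matches, events):
        g = groups[tuple(ev.get(k, "") for k in GROUP_BY)]
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["count"] += 1
    return dict(groups)
```

Calling `xmrig_driver_loaded(SAMPLE_EVENTS)` yields two groups (ws01 with count 2, ws02 with count 1); the ws03 records are dropped by the EventCode and signer/path tests, which is where the `xmrig_driver_loaded_filter` macro would then apply any site-specific exclusions.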