LoFP / legitimate use of crypto miners

Techniques

Sample rules

Potential Crypto Mining Activity

Description

Detects command line parameters or strings often used by crypto miners

Detection logic

condition: selection and not filter
filter:
  CommandLine|contains:
  - ' pool.c '
  - ' pool.o '
  - gcc -
selection:
  CommandLine|contains:
  - ' --cpu-priority='
  - --donate-level=0
  - ' -o pool.'
  - ' --nicehash'
  - ' --algo=rx/0 '
  - stratum+tcp://
  - stratum+udp://
  - LS1kb25hdGUtbGV2ZWw9
  - 0tZG9uYXRlLWxldmVsP
  - tLWRvbmF0ZS1sZXZlbD
  - c3RyYXR1bSt0Y3A6Ly
  - N0cmF0dW0rdGNwOi8v
  - zdHJhdHVtK3RjcDovL
  - c3RyYXR1bSt1ZHA6Ly
  - N0cmF0dW0rdWRwOi8v
  - zdHJhdHVtK3VkcDovL

Linux Crypto Mining Pool Connections

Description

Detects process connections to a Monero crypto mining pool

Detection logic

condition: selection
selection:
  DestinationHostname:
  - pool.minexmr.com
  - fr.minexmr.com
  - de.minexmr.com
  - sg.minexmr.com
  - ca.minexmr.com
  - us-west.minexmr.com
  - pool.supportxmr.com
  - mine.c3pool.com
  - xmr-eu1.nanopool.org
  - xmr-eu2.nanopool.org
  - xmr-us-east1.nanopool.org
  - xmr-us-west1.nanopool.org
  - xmr-asia1.nanopool.org
  - xmr-jp1.nanopool.org
  - xmr-au1.nanopool.org
  - xmr.2miners.com
  - xmr.hashcity.org
  - xmr.f2pool.com
  - xmrpool.eu
  - pool.hashvault.pro
  - moneroocean.stream
  - monerocean.stream

Linux Crypto Mining Indicators

Description

Detects command line parameters or strings often used by crypto miners

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - ' --cpu-priority='
  - --donate-level=0
  - ' -o pool.'
  - ' --nicehash'
  - ' --algo=rx/0 '
  - stratum+tcp://
  - stratum+udp://
  - sh -c /sbin/modprobe msr allow_writes=on
  - LS1kb25hdGUtbGV2ZWw9
  - 0tZG9uYXRlLWxldmVsP
  - tLWRvbmF0ZS1sZXZlbD
  - c3RyYXR1bSt0Y3A6Ly
  - N0cmF0dW0rdGNwOi8v
  - zdHJhdHVtK3RjcDovL
  - c3RyYXR1bSt1ZHA6Ly
  - N0cmF0dW0rdWRwOi8v
  - zdHJhdHVtK3VkcDovL
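Added example, not part of the LoFP page or of the Sigma rules: a Python re-implementation of the "Potential Crypto Mining Activity" and "Linux Crypto Mining Indicators" logic above. It also regenerates the nine base64 fragments from their plaintext, showing that they are the three alignment variants of --donate-level=, stratum+tcp:// and stratum+udp://, and evaluates the pool.c compiler filter that removes the legitimate false positive. The sample command lines are constructed and the pool hostname is a placeholder.

```python
import base64

# Plain-text indicators copied from the rules on this page
PLAIN = [" --cpu-priority=", "--donate-level=0", " -o pool.", " --nicehash",
         " --algo=rx/0 ", "stratum+tcp://", "stratum+udp://",
         "sh -c /sbin/modprobe msr allow_writes=on"]  # Linux rule only
# Strings the rules also carry base64-encoded, in all three alignments
ENCODED = ["--donate-level=", "stratum+tcp://", "stratum+udp://"]
# Filter of the first rule: a compiler run over a source file named pool.c
FILTER = [" pool.c ", " pool.o ", "gcc -"]


def base64_variants(s: str) -> list[str]:
    """Return the three alignment-independent base64 fragments of s.

    Base64 maps 3 bytes to 4 chars, so the encoding of s depends on how many
    bytes precede it modulo 3. Prepend 0, 1 or 2 dummy bytes, then drop the
    leading chars that contain dummy bits and the trailing char that would mix
    with whatever follows s; the rest appears wherever s is base64-encoded.
    """
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + s.encode()).decode()
        lead = (shift * 8 + 5) // 6          # chars polluted by dummy bits
        full = ((shift + len(s)) * 8) // 6   # chars made only of known bits
        variants.append(enc[lead:full])
    return variants


SELECTION = PLAIN + [v for s in ENCODED for v in base64_variants(s)]


def is_crypto_mining(cmdline: str) -> bool:
    """Evaluate 'selection and not filter' as Sigma's |contains lists do (OR)."""
    hit = any(ind in cmdline for ind in SELECTION)
    legit = any(f in cmdline for f in FILTER)
    return hit and not legit


if __name__ == "__main__":
    samples = {  # constructed command lines, not real telemetry
        "xmrig -o stratum+tcp://pool.example.invalid:3333 --donate-level=0": True,
        # miner flags hidden in a base64 blob are still caught by the fragments
        "sh -c 'echo LS1kb25hdGUtbGV2ZWw9MA== | base64 -d'": True,
        # building a file called pool.c is the false positive the filter removes
        "gcc -c pool.c -o pool.o": False,
        "ls -la /var/log": False,
    }
    for cmd, expected in samples.items():
        assert is_crypto_mining(cmd) is expected
        print(f"{str(expected):5} {cmd}")
```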