Techniques
Sample rules
Potential Crypto Mining Activity
- source: sigma
- techniques:
- t1496
Description
Detects command line parameters or strings often used by crypto miners
Detection logic
condition: selection and not filter
filter:
  CommandLine|contains:
    - ' pool.c '
    - ' pool.o '
    - gcc -
selection:
  CommandLine|contains:
    - ' --cpu-priority='
    - --donate-level=0
    - ' -o pool.'
    - ' --nicehash'
    - ' --algo=rx/0 '
    - stratum+tcp://
    - stratum+udp://
    - LS1kb25hdGUtbGV2ZWw9
    - 0tZG9uYXRlLWxldmVsP
    - tLWRvbmF0ZS1sZXZlbD
    - c3RyYXR1bSt0Y3A6Ly
    - N0cmF0dW0rdGNwOi8v
    - zdHJhdHVtK3RjcDovL
    - c3RyYXR1bSt1ZHA6Ly
    - N0cmF0dW0rdWRwOi8v
    - zdHJhdHVtK3VkcDovL
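The following is an added Python example, not code from the Sigma project or from this rule's author. It evaluates the rule's `selection and not filter` logic over a few constructed process command lines, and it reproduces the three base64 fragments per indicator that the rule lists: Sigma's `|base64offset` modifier generates one fragment for each of the three byte alignments (offset 0, 1 or 2 mod 3) at which a string can sit inside a larger base64 blob. Assumptions: Sigma's `contains` is treated as case-insensitive (the rule does not use `|cased`), the sample events and the `pool.example.invalid` host and `/tmp/agent` path are constructed for the demonstration, and the padding/slice offsets mirror how the `base64offset` modifier is commonly implemented.

```python
import base64

# Indicator lists copied from the rule's detection logic on the page.
SELECTION_CONTAINS = [
    " --cpu-priority=",
    "--donate-level=0",
    " -o pool.",
    " --nicehash",
    " --algo=rx/0 ",
    "stratum+tcp://",
    "stratum+udp://",
    "LS1kb25hdGUtbGV2ZWw9",
    "0tZG9uYXRlLWxldmVsP",
    "tLWRvbmF0ZS1sZXZlbD",
    "c3RyYXR1bSt0Y3A6Ly",
    "N0cmF0dW0rdGNwOi8v",
    "zdHJhdHVtK3RjcDovL",
    "c3RyYXR1bSt1ZHA6Ly",
    "N0cmF0dW0rdWRwOi8v",
    "zdHJhdHVtK3VkcDovL",
]
FILTER_CONTAINS = [" pool.c ", " pool.o ", "gcc -"]


def contains_any(value, needles):
    """Sigma's plain `contains` modifier: substring match, case-insensitive
    by default (assumption: the rule does not use the |cased modifier)."""
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def rule_matches(command_line):
    """Evaluate `condition: selection and not filter` for one CommandLine value."""
    return contains_any(command_line, SELECTION_CONTAINS) and not contains_any(
        command_line, FILTER_CONTAINS
    )


def base64offset_variants(value):
    """Return the three fragments Sigma's |base64offset modifier emits for `value`.

    A string encoded as part of a larger base64 blob can start at byte offset
    0, 1 or 2 (mod 3), and each alignment yields different characters. For
    each alignment we prepend that many filler bytes, encode, then drop the
    leading characters that still carry filler bits and the trailing
    characters (plus '=' padding) that would carry bits of whatever follows.
    """
    start = (0, 2, 3)          # chars influenced by 0, 1 or 2 filler bytes
    end = (None, -3, -2)       # chars influenced by the bytes after `value`
    variants = []
    for offset in range(3):
        encoded = base64.b64encode(b" " * offset + value.encode()).decode()
        variants.append(encoded[start[offset]:end[(len(value) + offset) % 3]])
    return variants


# Constructed sample process events (not from any real host). The third one
# hides the stratum URL inside a base64 argument starting at byte offset 4,
# so only the offset-1 fragment of "stratum+udp://" can catch it.
SAMPLE_EVENTS = [
    "/tmp/.x/miner --donate-level=0 -o pool.example.invalid:3333",
    "gcc -O2 -c pool.c -o pool.o",   # build job; suppressed by the filter
    "/tmp/agent --config-b64 "
    + base64.b64encode(b"url=stratum+udp://pool.example.invalid").decode(),
]


def scan_events(events):
    """Return the events that trigger the rule."""
    return [event for event in events if rule_matches(event)]


if __name__ == "__main__":
    for needle in ("--donate-level=", "stratum+tcp://", "stratum+udp://"):
        print(needle, "->", base64offset_variants(needle))
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running `base64offset_variants` on `--donate-level=`, `stratum+tcp://` and `stratum+udp://` yields exactly the nine base64 fragments listed in the rule, which is why those opaque-looking strings appear in the selection. The `gcc` event shows the purpose of the filter: compiling a file named `pool.c` legitimately produces ` -o pool.`, and without the exclusion every such build would fire the rule.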