Xmrig
Detect Xmrig
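# Sigma detection rule: XMRig-style cryptominer process launches.
#
# Logsource is Windows process_creation; the single `selection` matches
# command-line patterns that appear in miner invocations (pool URL, wallet
# address, donate level, CPU/GPU thread hints).  `*` is the Sigma wildcard,
# so every pattern MUST stay quoted: an unquoted leading `*` would be read
# by the YAML parser as an alias, not as text.
#
# Tuning notes for deployers:
#   - Several patterns are generic (e.g. '*stratum+tcp://*', '*-o * -u * -p x *')
#     and will also match miners other than XMRig, including sanctioned
#     mining software; review hits against an allow-list of known hosts.
#   - The '-epool/-ewal/-worker' pattern looks like the flag style of other
#     miner families rather than XMRig itself, so the rule is broader than
#     its title suggests.
#   - `level: critical` means any match should page; keep that in mind if
#     the environment legitimately runs mining software.
title: Xmrig
status: experimental
description: Detect Xmrig
author: Joe Security
# Plain ISO date; most YAML loaders turn this into a date object rather than
# a string.  Quote it if the consuming tool expects a string.
date: 2019-11-07
# Vendor-specific rule id (not a Sigma UUID) and Joe Security taxonomy fields.
id: 200021
# Explicit null instead of a bare `key:` so the empty value is intentional,
# not an omission.
threatname: null
behaviorgroup: 29
classification: 9
# No ATT&CK technique mapped by the author; left explicitly empty.
mitreattack: null

logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # Each entry is an OR-ed wildcard match against the full command line.
    CommandLine:
      - '*-algo=* -o *miner* -u*'
      - '*cryptonight --url=xmr.*'
      # Generic stratum pool scheme -- matches most pool miners, not only XMRig.
      - '*stratum+tcp://*'
      - '*--algo=cn*-o * -u *'
      - '*--coin=monero --*'
      - '*-o pool.*--nicehash*'
      - '*--pool stratum:*'
      - '*--background --donate-level 1 --nicehash*'
      - '*-o * -u * -p w=a -k -a*'
      - '* -u * -p x --max-cpu-usage*'
      - '*--donate-level=*--max-cpu-usage=*'
      - '*-p stratum1+ssl://* -r --response-timeout*'
      - '*-o * --cpu-max-threads-hint*'
      - '*--donate-level * -o pool.*'
      - '*--cpu-memory-pool=*--donate-level=*'
      - '*--pool=stratum:*--cinit-max-gpu=*'
      - '*-o xmr.* -u * -p*'
      # Flag style of other miner families; widens scope beyond XMRig.
      - '*-epool * -ewal * -worker*'
      - '*-o * -u * --donate-level=*'
      - '*--cinit-find-e --pool=stratums://*'
      # Very generic "-o <pool> -u <wallet> -p x" shape; expect some tuning.
      - '*-o * -u * -p x *'
      - '*pool.minexmr.*-max-threads-*'
      - '*--cinit-find-*.nanopool.*'
      - '*--cinit-find-*--url=*'
      - '*--url pool* --donate-level*'
      - '*--user *--donate-level*'
      - '*-p w=Rig -a cn-heavy/xhv -k -o*'
      - '*-o * -u * --tls*'
      - '*--user*--server*--algo*'

  condition: selection
level: critical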