Possible Coin Miner CPU Priority Param
Detects command line parameter very often used with coin miners
Sigma rule
title: Possible Coin Miner CPU Priority Param
id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
status: test
description: Detects command line parameter very often used with coin miners
references:
    - https://xmrig.com/docs/miner/command-line-options
author: Florian Roth (Nextron Systems)
date: 2021-10-09
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.t1068
logsource:
    product: linux
    service: auditd
detection:
    cmd1:
        a1|startswith: '--cpu-priority'
    cmd2:
        a2|startswith: '--cpu-priority'
    cmd3:
        a3|startswith: '--cpu-priority'
    cmd4:
        a4|startswith: '--cpu-priority'
    cmd5:
        a5|startswith: '--cpu-priority'
    cmd6:
        a6|startswith: '--cpu-priority'
    cmd7:
        a7|startswith: '--cpu-priority'
    condition: 1 of cmd*
falsepositives:
    - Other tools that use a --cpu-priority flag
level: critical
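The detection block above matches when any of the auditd EXECVE argument fields a1 through a7 starts with `--cpu-priority`. The following Python script is an added illustration of that matching logic, not part of the Sigma rule or of the SigmaHQ project: it parses the `aN="..."` fields of EXECVE records (including the unquoted hex form auditd uses for values containing spaces or quotes), applies the same slot range and prefix test as the rule, and runs over a handful of constructed log lines. The file paths, pool address and timestamps in the sample lines are made up for the example.

```python
"""Apply the 'Possible Coin Miner CPU Priority Param' matching logic to auditd EXECVE lines.

Added example, not the Sigma rule's own code. Sample log lines are constructed.
"""
import re

# The rule inspects argument slots a1..a7 only: a0 (the program path) and any
# slot from a8 upward are not checked, which the last sample line demonstrates.
RULE_ARG_SLOTS = range(1, 8)
RULE_PREFIX = "--cpu-priority"

# auditd writes each argv entry as aN="value"; values containing whitespace,
# quotes or non-printable bytes are written as unquoted uppercase hex instead.
_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve_args(record: str) -> dict:
    """Return {slot_index: argv_string} for one EXECVE record line."""
    args = {}
    for match in _ARG_RE.finditer(record):
        idx, quoted, hexval = match.groups()
        if quoted is not None:
            value = quoted
        else:
            # Hex-encoded argument: decode back to the original bytes.
            value = bytes.fromhex(hexval).decode("utf-8", errors="replace")
        args[int(idx)] = value
    return args


def matches_rule(record: str) -> list:
    """Return [(slot, value), ...] for every slot a1..a7 whose value starts with the prefix.

    An empty list means the rule would not fire on this record.
    """
    if "type=EXECVE" not in record:
        return []
    args = parse_execve_args(record)
    return [(i, args[i]) for i in RULE_ARG_SLOTS
            if i in args and args[i].startswith(RULE_PREFIX)]


def scan(lines) -> list:
    """Run the rule over a sequence of log lines; return (line_no, hits) for alerts only."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := matches_rule(line))]


# Constructed sample records (not real captures).
_HEX_FLAG = "--cpu-priority 5".encode().hex().upper()  # how auditd would encode a value with a space
SAMPLE_AUDIT_LOG = [
    # miner-style invocation, flag in slot a1 -> alert
    'type=EXECVE msg=audit(1633776000.101:201): argc=4 a0="./xmrig" a1="--cpu-priority=5" a2="-o" a3="pool.example:3333"',
    # benign command -> no alert
    'type=EXECVE msg=audit(1633776001.102:202): argc=2 a0="/bin/ls" a1="-la"',
    # same flag, hex-encoded by auditd because the value contains a space -> alert
    f'type=EXECVE msg=audit(1633776002.103:203): argc=2 a0="./xmrig" a1={_HEX_FLAG}',
    # flag present only in slot a8, outside a1..a7 -> the rule as written does not fire
    'type=EXECVE msg=audit(1633776003.104:204): argc=9 a0="/bin/sh" a1="-c" a2="x" a3="y" a4="z" a5="w" a6="v" a7="u" a8="--cpu-priority=3"',
    # a SYSCALL record carries no aN fields and is ignored by the rule's logsource
    'type=SYSCALL msg=audit(1633776000.101:201): arch=c000003e syscall=59 success=yes exit=0 comm="xmrig" exe="/tmp/xmrig"',
]


if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_AUDIT_LOG):
        print(f"line {line_no}: ALERT (level critical) on {hits}")
```

Running the script alerts on lines 1 and 3 only. The fourth line shows the practical limit of enumerating a1..a7: a long command line that places the flag further right is missed, so a deployment that wants broader coverage would either extend the slot list or match on a field that holds the full reconstructed command line. The hex-decoding step matters because auditd stores any argument containing a space in hex, and a `startswith` test on the raw hex string would never match.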
References
- https://xmrig.com/docs/miner/command-line-options
Related rules
- Audit CVE Event
- Nimbuspwn Exploitation
- OMIGOD HTTP No Authentication RCE
- OMIGOD SCX RunAsProvider ExecuteScript
- OMIGOD SCX RunAsProvider ExecuteShellCommand