Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool
Sigma rule

title: Linux Crypto Mining Pool Connections
id: a46c93b7-55ed-4d27-a41b-c259456c4746
status: stable
description: Detects process connections to a Monero crypto mining pool
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        DestinationHostname:
            - 'pool.minexmr.com'
            - 'fr.minexmr.com'
            - 'de.minexmr.com'
            - 'sg.minexmr.com'
            - 'ca.minexmr.com'
            - 'us-west.minexmr.com'
            - 'pool.supportxmr.com'
            - 'mine.c3pool.com'
            - 'xmr-eu1.nanopool.org'
            - 'xmr-eu2.nanopool.org'
            - 'xmr-us-east1.nanopool.org'
            - 'xmr-us-west1.nanopool.org'
            - 'xmr-asia1.nanopool.org'
            - 'xmr-jp1.nanopool.org'
            - 'xmr-au1.nanopool.org'
            - 'xmr.2miners.com'
            - 'xmr.hashcity.org'
            - 'xmr.f2pool.com'
            - 'xmrpool.eu'
            - 'pool.hashvault.pro'
            - 'moneroocean.stream'
            - 'monerocean.stream'
    condition: selection
falsepositives:
    - Legitimate use of crypto miners
level: high
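The selection above is a single field compared against a list of values, which Sigma evaluates as an OR over the list with exact, case-insensitive string matching. The following Python is an added example, not code from the Sigma project or from this rule's author, that applies exactly that logic to constructed events. The field names (Image, DestinationHostname, DestinationIp, DestinationPort) are assumed to follow the Sysmon for Linux network_connection (EventID 3) layout, and every event in the sample is made up for illustration. Beyond the rule itself, the sample also shows two limits a practitioner should expect: an event that carries only an IP and no hostname can never match, and because the list holds exact values, a pool region the rule does not list (the constructed xmr-eu3.nanopool.org) is missed.

```python
"""Apply the selection of the Sigma rule 'Linux Crypto Mining Pool
Connections' to constructed network_connection events.

Added example; not code from the Sigma project. Field names follow the
Sysmon for Linux EventID 3 layout (assumption), and every event below is
constructed for illustration, not taken from a real host.
"""
from __future__ import annotations

# The DestinationHostname values copied from the rule's selection.
MINING_POOL_HOSTNAMES = [
    "pool.minexmr.com",
    "fr.minexmr.com",
    "de.minexmr.com",
    "sg.minexmr.com",
    "ca.minexmr.com",
    "us-west.minexmr.com",
    "pool.supportxmr.com",
    "mine.c3pool.com",
    "xmr-eu1.nanopool.org",
    "xmr-eu2.nanopool.org",
    "xmr-us-east1.nanopool.org",
    "xmr-us-west1.nanopool.org",
    "xmr-asia1.nanopool.org",
    "xmr-jp1.nanopool.org",
    "xmr-au1.nanopool.org",
    "xmr.2miners.com",
    "xmr.hashcity.org",
    "xmr.f2pool.com",
    "xmrpool.eu",
    "pool.hashvault.pro",
    "moneroocean.stream",
    "monerocean.stream",
]

# Sigma compares plain string values case-insensitively, so lowercase once.
_POOL_HOSTNAMES = frozenset(h.lower() for h in MINING_POOL_HOSTNAMES)

RULE_TITLE = "Linux Crypto Mining Pool Connections"
RULE_LEVEL = "high"
RULE_TAGS = ("attack.impact", "attack.t1496")


def matches_selection(event: dict) -> bool:
    """True when the event satisfies `condition: selection`.

    A list of values under one field is an OR in Sigma; the comparison is an
    exact, case-insensitive string match, and an absent field never matches.
    """
    hostname = event.get("DestinationHostname")
    if not isinstance(hostname, str) or not hostname:
        return False
    return hostname.lower() in _POOL_HOSTNAMES


def run_detection(events: list[dict]) -> list[dict]:
    """Return one alert dict per matching event, carrying the rule metadata."""
    alerts = []
    for event in events:
        if matches_selection(event):
            alerts.append({
                "rule": RULE_TITLE,
                "level": RULE_LEVEL,
                "tags": RULE_TAGS,
                "Image": event.get("Image"),
                "DestinationHostname": event["DestinationHostname"],
                "DestinationPort": event.get("DestinationPort"),
            })
    return alerts


# Constructed events (not real telemetry), shaped like Sysmon for Linux
# network_connection records. 192.0.2.0/24 is the documentation range.
SAMPLE_EVENTS = [
    # 1: direct hit on a listed pool.
    {"Image": "/tmp/.x/xmrig", "DestinationHostname": "pool.supportxmr.com",
     "DestinationIp": "192.0.2.10", "DestinationPort": 3333},
    # 2: case differs; still matches because Sigma matching is case-insensitive.
    {"Image": "/usr/bin/curl", "DestinationHostname": "POOL.MINEXMR.COM",
     "DestinationIp": "192.0.2.11", "DestinationPort": 443},
    # 3: a constructed pool region not in the list; an exact-value list misses it.
    {"Image": "/tmp/.x/xmrig", "DestinationHostname": "xmr-eu3.nanopool.org",
     "DestinationIp": "192.0.2.12", "DestinationPort": 14433},
    # 4: no hostname in the record (no reverse lookup available), so the rule
    #    cannot fire even if the IP belongs to a pool.
    {"Image": "/tmp/.x/xmrig", "DestinationIp": "192.0.2.10",
     "DestinationPort": 3333},
    # 5: benign connection.
    {"Image": "/usr/bin/git", "DestinationHostname": "github.com",
     "DestinationIp": "192.0.2.13", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Running the sample yields alerts for events 1 and 2 only. Event 4 is the case that matters in practice: the rule keys on DestinationHostname, so telemetry that records only destination IPs will not trigger it, and the DNS-based rule listed under Related rules (DNS Events Related To Mining Pools) is the usual companion for that gap.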
References
- https://www.poolwatch.io/coin/monero
Related rules
- DNS Events Related To Mining Pools
- Linux Crypto Mining Indicators
- Network Communication With Crypto Mining Pool
- Potential Crypto Mining Activity
- AADInternals PowerShell Cmdlets Execution - ProccessCreation