Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners
Sigma rule (View on GitHub)
1title: Linux Crypto Mining Indicators
2id: 9069ea3c-b213-4c52-be13-86506a227ab1
3status: test
4description: Detects command line parameters or strings often used by crypto miners
5references:
6 - https://www.poolwatch.io/coin/monero
7author: Florian Roth (Nextron Systems)
8date: 2021/10/26
9modified: 2022/12/25
10tags:
11 - attack.impact
12 - attack.t1496
13logsource:
14 product: linux
15 category: process_creation
16detection:
17 selection:
18 CommandLine|contains:
19 - ' --cpu-priority='
20 - '--donate-level=0'
21 - ' -o pool.'
22 - ' --nicehash'
23 - ' --algo=rx/0 '
24 - 'stratum+tcp://'
25 - 'stratum+udp://'
26 # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
27 - 'sh -c /sbin/modprobe msr allow_writes=on'
28 # base64 encoded: --donate-level=
29 - 'LS1kb25hdGUtbGV2ZWw9'
30 - '0tZG9uYXRlLWxldmVsP'
31 - 'tLWRvbmF0ZS1sZXZlbD'
32 # base64 encoded: stratum+tcp:// and stratum+udp://
33 - 'c3RyYXR1bSt0Y3A6Ly'
34 - 'N0cmF0dW0rdGNwOi8v'
35 - 'zdHJhdHVtK3RjcDovL'
36 - 'c3RyYXR1bSt1ZHA6Ly'
37 - 'N0cmF0dW0rdWRwOi8v'
38 - 'zdHJhdHVtK3VkcDovL'
39 condition: selection
40falsepositives:
41 - Legitimate use of crypto miners
42level: high
References
Related rules
- Linux Crypto Mining Pool Connections
- Potential Crypto Mining Activity
- Monero Crypto Coin Mining Pool Lookup
- Potential BlackByte Ransomware Activity
- New Root or CA or AuthRoot Certificate to Store