Linux Crypto Mining Indicators

Detects command line parameters or strings often used by crypto miners

Sigma rule

title: Linux Crypto Mining Indicators
id: 9069ea3c-b213-4c52-be13-86506a227ab1
status: test
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2022-12-25
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
            - 'sh -c /sbin/modprobe msr allow_writes=on'
            # base64 encoded: --donate-level=
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    condition: selection
falsepositives:
    - Legitimate use of crypto miners
level: high
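Added example, not part of the rule or the Sigma project: a Python emulation of the rule's `CommandLine|contains` match that also regenerates the three base64 fragments the rule lists per encoded string, showing why each string needs three variants (base64 output depends on the string's offset modulo 3 inside the encoded blob). The sample command lines and the pool hostname are constructed.

```python
import base64

# Plaintext indicators copied from the rule's CommandLine|contains list.
PLAIN_INDICATORS = [
    " --cpu-priority=", "--donate-level=0", " -o pool.", " --nicehash",
    " --algo=rx/0 ", "stratum+tcp://", "stratum+udp://",
    "sh -c /sbin/modprobe msr allow_writes=on",
]


def base64_variants(s: str) -> list[str]:
    """Return the three base64 fragments that match `s` wherever it sits in an
    encoded blob. Base64 encodes 3-byte groups, so prefixing 0, 1 or 2 dummy
    bytes covers every alignment; characters that mix bits of `s` with bits
    of the dummy prefix or of the unknown following byte are cut off."""
    out = []
    for k in range(3):
        data = b"\x00" * k + s.encode()
        enc = base64.b64encode(data).decode()
        start = -(-8 * k // 6)       # ceil(8k/6): first char fully inside s
        end = 8 * len(data) // 6     # floor(8n/6): last char fully inside s
        out.append(enc[start:end])
    return out


# The rule carries exactly these derived fragments for three strings.
B64_INDICATORS = [v for s in ("--donate-level=", "stratum+tcp://", "stratum+udp://")
                  for v in base64_variants(s)]
ALL_INDICATORS = PLAIN_INDICATORS + B64_INDICATORS


def match_cmdline(cmdline: str) -> list[str]:
    """Emulate `CommandLine|contains` over the rule's list. Sigma string
    matching is case-insensitive by default, so compare lower-cased."""
    low = cmdline.lower()
    return [ind for ind in ALL_INDICATORS if ind.lower() in low]


# Constructed sample process_creation command lines (not real telemetry).
SAMPLES = {
    "miner": "/tmp/.x/xmrig -o pool.example.net:3333 --donate-level=0 --cpu-priority=5",
    "encoded": "sh -c 'echo " + base64.b64encode(
        b"./miner -o stratum+tcp://pool.example.net:3333 --donate-level=0"
    ).decode() + " | base64 -d | sh'",
    "benign": "/usr/bin/python3 -m http.server 8080",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:8s} -> {match_cmdline(cmd)}")
```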
