Monero Crypto Coin Mining Pool Lookup

Detects suspicious DNS queries to Monero mining pools

Sigma rule

```yaml
title: Monero Crypto Coin Mining Pool Lookup
id: b593fd50-7335-4682-a36c-4edcb68e4641
status: stable
description: Detects suspicious DNS queries to Monero mining pools
references:
    - https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
author: Florian Roth (Nextron Systems)
date: 2021-10-24
tags:
    - attack.impact
    - attack.t1496
    - attack.exfiltration
    - attack.t1567
logsource:
    category: dns
detection:
    selection:
        query|contains:
            - 'pool.minexmr.com'
            - 'fr.minexmr.com'
            - 'de.minexmr.com'
            - 'sg.minexmr.com'
            - 'ca.minexmr.com'
            - 'us-west.minexmr.com'
            - 'pool.supportxmr.com'
            - 'mine.c3pool.com'
            - 'xmr-eu1.nanopool.org'
            - 'xmr-eu2.nanopool.org'
            - 'xmr-us-east1.nanopool.org'
            - 'xmr-us-west1.nanopool.org'
            - 'xmr-asia1.nanopool.org'
            - 'xmr-jp1.nanopool.org'
            - 'xmr-au1.nanopool.org'
            - 'xmr.2miners.com'
            - 'xmr.hashcity.org'
            - 'xmr.f2pool.com'
            - 'xmrpool.eu'
            - 'pool.hashvault.pro'
    condition: selection
falsepositives:
    - Legitimate crypto coin mining
level: high
```
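The rule's only logic is a `query|contains` selection: a DNS log record matches when the queried name contains any of the listed pool FQDNs as a substring, compared case-insensitively (Sigma's default for string modifiers). The following Python is an added example, not part of the Sigma project or of the rule author's tooling, that applies exactly that selection to a handful of constructed DNS log records so the matching behaviour (case folding, trailing-dot FQDNs, non-matching traffic) can be seen end to end. The `DnsRecord` shape and the sample records are assumptions made for the example; the indicator list is copied from the rule above.

```python
"""Added example: evaluate the Sigma rule's `query|contains` selection over
constructed DNS log records. Illustrative code only; the records and the
DnsRecord field names are assumptions, the indicators come from the rule."""

from dataclasses import dataclass
from typing import List, Optional

# Indicator list copied verbatim from the rule's selection block.
MINING_POOL_FQDNS = [
    "pool.minexmr.com", "fr.minexmr.com", "de.minexmr.com", "sg.minexmr.com",
    "ca.minexmr.com", "us-west.minexmr.com", "pool.supportxmr.com",
    "mine.c3pool.com", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org",
    "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org",
    "xmr-asia1.nanopool.org", "xmr-jp1.nanopool.org", "xmr-au1.nanopool.org",
    "xmr.2miners.com", "xmr.hashcity.org", "xmr.f2pool.com", "xmrpool.eu",
    "pool.hashvault.pro",
]


@dataclass
class DnsRecord:
    """Minimal DNS log record (assumed shape; real sources carry more fields)."""
    timestamp: str
    host: str
    query: str


def query_matches(query: str) -> Optional[str]:
    """Return the first indicator contained in `query`, or None.

    Mirrors Sigma `contains` semantics: plain substring test, case-insensitive.
    A trailing dot on the queried name (FQDN form) still matches because the
    indicator is a substring of the name.
    """
    q = query.lower()
    for fqdn in MINING_POOL_FQDNS:
        if fqdn in q:
            return fqdn
    return None


def scan(records: List[DnsRecord]) -> List[dict]:
    """Apply the rule to a batch of records; return one alert dict per hit."""
    alerts = []
    for rec in records:
        indicator = query_matches(rec.query)
        if indicator is not None:
            alerts.append({
                "rule": "Monero Crypto Coin Mining Pool Lookup",
                "level": "high",
                "host": rec.host,
                "timestamp": rec.timestamp,
                "query": rec.query,
                "matched": indicator,
            })
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    DnsRecord("2021-10-24T09:00:01Z", "ws01", "pool.minexmr.com"),
    DnsRecord("2021-10-24T09:00:02Z", "ws02", "www.example.com"),
    DnsRecord("2021-10-24T09:00:03Z", "ws03", "xmr-eu1.nanopool.org"),
    DnsRecord("2021-10-24T09:00:04Z", "ws04", "example.org"),
    # Upper case plus trailing dot, as some resolvers log FQDNs.
    DnsRecord("2021-10-24T09:00:05Z", "ws05", "POOL.SUPPORTXMR.COM."),
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(f"[{alert['level']}] {alert['host']} {alert['timestamp']} "
              f"query={alert['query']} matched={alert['matched']}")
```

Because the rule uses `contains` rather than an exact match, any queried name that embeds one of the indicators fires, which is what makes the trailing-dot and mixed-case records above match; the same property is why the rule's `falsepositives` entry matters in environments where mining is sanctioned, since legitimate lookups of the same pools are indistinguishable at the DNS layer.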
