DNS Events Related To Mining Pools
Identifies clients that may be performing DNS lookups associated with common currency mining pools.
Sigma rule
title: DNS Events Related To Mining Pools
id: bf74135c-18e8-4a72-a926-0e4f47888c19
status: test
description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml
author: Saw Winn Naung, Azure-Sentinel, @neu5ron
date: 2021-08-19
modified: 2022-07-07
tags:
    - attack.execution
    - attack.t1569.002
    - attack.impact
    - attack.t1496
logsource:
    service: dns
    product: zeek
detection:
    selection:
        query|endswith:
            - 'monerohash.com'
            - 'do-dear.com'
            - 'xmrminerpro.com'
            - 'secumine.net'
            - 'xmrpool.com'
            - 'minexmr.org'
            - 'hashanywhere.com'
            - 'xmrget.com'
            - 'mininglottery.eu'
            - 'minergate.com'
            - 'moriaxmr.com'
            - 'multipooler.com'
            - 'moneropools.com'
            - 'xmrpool.eu'
            - 'coolmining.club'
            - 'supportxmr.com'
            - 'minexmr.com'
            - 'hashvault.pro'
            - 'xmrpool.net'
            - 'crypto-pool.fr'
            - 'xmr.pt'
            - 'miner.rocks'
            - 'walpool.com'
            - 'herominers.com'
            - 'gntl.co.uk'
            - 'semipool.com'
            - 'coinfoundry.org'
            - 'cryptoknight.cc'
            - 'fairhash.org'
            - 'baikalmine.com'
            - 'tubepool.xyz'
            - 'fairpool.xyz'
            - 'asiapool.io'
            - 'coinpoolit.webhop.me'
            - 'nanopool.org'
            - 'moneropool.com'
            - 'miner.center'
            - 'prohash.net'
            - 'poolto.be'
            - 'cryptoescrow.eu'
            - 'monerominers.net'
            - 'cryptonotepool.org'
            - 'extrmepool.org'
            - 'webcoin.me'
            - 'kippo.eu'
            - 'hashinvest.ws'
            - 'monero.farm'
            - 'linux-repository-updates.com'
            - '1gh.com'
            - 'dwarfpool.com'
            - 'hash-to-coins.com'
            - 'pool-proxy.com'
            - 'hashfor.cash'
            - 'fairpool.cloud'
            - 'litecoinpool.org'
            - 'mineshaft.ml'
            - 'abcxyz.stream'
            - 'moneropool.ru'
            - 'cryptonotepool.org.uk'
            - 'extremepool.org'
            - 'extremehash.com'
            - 'hashinvest.net'
            - 'unipool.pro'
            - 'crypto-pools.org'
            - 'monero.net'
            - 'backup-pool.com'
            - 'mooo.com' # Dynamic DNS, may want to exclude
            - 'freeyy.me'
            - 'cryptonight.net'
            - 'shscrypto.net'
    exclude_answers:
        answers:
            - '127.0.0.1'
            - '0.0.0.0'
    exclude_rejected:
        rejected: 'true'
    condition: selection and not 1 of exclude_*
fields:
    - id.orig_h
    - id.resp_h
    - query
    - answers
    - qtype_name
    - rcode_name
falsepositives:
    - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'.
level: low
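The following Python script is an added example, not part of the rule or of the SigmaHQ project: it applies the rule's logic (`query|endswith` selection, `exclude_answers`, `exclude_rejected`) to a few constructed Zeek `dns.log` JSON records, then carries out the triage step the `falsepositives` entry asks for by joining real answers against constructed `conn.log` records. The pool-suffix list is a subset of the rule's list; the log lines, client addresses and resolved IPs are invented sample data. It also shows one caveat a practitioner should know: Sigma's `endswith` is a plain string-suffix test, so a suffix such as `xmr.pt` also matches an unrelated name like `notxmr.pt`; the optional `label_boundary` flag (an assumption of this example, not a Sigma modifier) tightens the match to whole DNS labels.

```python
import ipaddress
import json

# Subset of the rule's query|endswith list; the full list is in the rule above.
MINING_POOL_SUFFIXES = (
    "monerohash.com", "supportxmr.com", "minexmr.com", "nanopool.org",
    "xmr.pt", "hashvault.pro",
    "mooo.com",  # dynamic DNS provider, noisy (the rule itself flags it)
)
# exclude_answers: lookups answered with a sinkhole/null address are dropped.
SINKHOLE_ANSWERS = {"127.0.0.1", "0.0.0.0"}

# Constructed Zeek dns.log records (JSON output format); not real traffic.
DNS_LOG = """\
{"ts":1660000000.1,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.53","query":"pool.supportxmr.com","qtype_name":"A","rcode_name":"NOERROR","answers":["203.0.113.10"],"rejected":false}
{"ts":1660000001.2,"id.orig_h":"10.0.0.6","id.resp_h":"10.0.0.53","query":"pool.minexmr.com","qtype_name":"A","rcode_name":"NOERROR","answers":["0.0.0.0"],"rejected":false}
{"ts":1660000002.3,"id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.53","query":"xmr.hashvault.pro","qtype_name":"A","rcode_name":"REFUSED","rejected":true}
{"ts":1660000003.4,"id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.53","query":"notxmr.pt","qtype_name":"A","rcode_name":"NOERROR","answers":["198.51.100.7"],"rejected":false}
{"ts":1660000004.5,"id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.53","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR","answers":["192.0.2.1"],"rejected":false}
"""

# Constructed Zeek conn.log records for the triage step; not real traffic.
CONN_LOG = """\
{"ts":1660000000.9,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","id.resp_p":3333,"proto":"tcp","conn_state":"SF"}
{"ts":1660000005.0,"id.orig_h":"10.0.0.9","id.resp_h":"192.0.2.1","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
"""


def load(jsonl):
    """Parse newline-delimited JSON (Zeek's JSON log format) into dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def query_matches(query, label_boundary=False):
    """Return the matching pool suffix, or None.

    Sigma's `endswith` is a bare string-suffix test. With label_boundary=True
    (an addition of this example) the suffix must be the whole name or be
    preceded by a dot, so 'notxmr.pt' no longer matches 'xmr.pt'.
    """
    q = query.lower().rstrip(".")
    for suffix in MINING_POOL_SUFFIXES:
        if q.endswith(suffix):
            if not label_boundary or q == suffix or q.endswith("." + suffix):
                return suffix
    return None


def matches_rule(event, label_boundary=False):
    """Evaluate `selection and not 1 of exclude_*` for one dns.log record."""
    if query_matches(event.get("query", ""), label_boundary) is None:
        return False
    # exclude_answers: any answer equal to a sinkhole address excludes the event.
    if any(a in SINKHOLE_ANSWERS for a in event.get("answers", [])):
        return False
    # exclude_rejected: Zeek emits a JSON boolean; the rule writes the string 'true'.
    if str(event.get("rejected", "")).lower() == "true":
        return False
    return True


def run_rule(dns_events, label_boundary=False):
    """Return the dns.log records the rule would alert on, in log order."""
    return [e for e in dns_events if matches_rule(e, label_boundary)]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def triage(dns_events, conn_events):
    """Follow the rule's falsepositives guidance: for each hit, collect the IP
    answers and count conn.log flows from the same client to those IPs. A hit
    with answers but no follow-on connection is weaker evidence than one with
    an actual flow to the resolved pool address."""
    findings = []
    for ev in run_rule(dns_events):
        resolved = {a for a in ev.get("answers", []) if _is_ip(a)}
        flows = [c for c in conn_events
                 if c.get("id.orig_h") == ev.get("id.orig_h")
                 and c.get("id.resp_h") in resolved]
        findings.append({
            "client": ev.get("id.orig_h"),
            "query": ev.get("query"),
            "resolved": sorted(resolved),
            "connections": len(flows),
        })
    return findings


if __name__ == "__main__":
    dns, conn = load(DNS_LOG), load(CONN_LOG)
    for f in triage(dns, conn):
        print(f)
```

Run as-is it reports two hits: the `pool.supportxmr.com` lookup from 10.0.0.5, which resolved and was followed by a connection to the resolved address on port 3333, and the `notxmr.pt` lookup, which is a suffix-only match with no follow-on flow. The sinkholed `pool.minexmr.com` answer and the refused `xmr.hashvault.pro` lookup are dropped by the two `exclude_*` selections, exactly as the rule's `condition` specifies.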