DNS Events Related To Mining Pools

Identifies clients that may be performing DNS lookups associated with common currency mining pools.

Sigma rule

title: DNS Events Related To Mining Pools
id: bf74135c-18e8-4a72-a926-0e4f47888c19
status: test
description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml
author: Saw Winn Naung, Azure-Sentinel, @neu5ron
date: 2021/08/19
modified: 2022/07/07
tags:
    - attack.execution
    - attack.t1569.002
    - attack.impact
    - attack.t1496
logsource:
    service: dns
    product: zeek
detection:
    selection:
        query|endswith:
            - 'monerohash.com'
            - 'do-dear.com'
            - 'xmrminerpro.com'
            - 'secumine.net'
            - 'xmrpool.com'
            - 'minexmr.org'
            - 'hashanywhere.com'
            - 'xmrget.com'
            - 'mininglottery.eu'
            - 'minergate.com'
            - 'moriaxmr.com'
            - 'multipooler.com'
            - 'moneropools.com'
            - 'xmrpool.eu'
            - 'coolmining.club'
            - 'supportxmr.com'
            - 'minexmr.com'
            - 'hashvault.pro'
            - 'xmrpool.net'
            - 'crypto-pool.fr'
            - 'xmr.pt'
            - 'miner.rocks'
            - 'walpool.com'
            - 'herominers.com'
            - 'gntl.co.uk'
            - 'semipool.com'
            - 'coinfoundry.org'
            - 'cryptoknight.cc'
            - 'fairhash.org'
            - 'baikalmine.com'
            - 'tubepool.xyz'
            - 'fairpool.xyz'
            - 'asiapool.io'
            - 'coinpoolit.webhop.me'
            - 'nanopool.org'
            - 'moneropool.com'
            - 'miner.center'
            - 'prohash.net'
            - 'poolto.be'
            - 'cryptoescrow.eu'
            - 'monerominers.net'
            - 'cryptonotepool.org'
            - 'extrmepool.org'
            - 'webcoin.me'
            - 'kippo.eu'
            - 'hashinvest.ws'
            - 'monero.farm'
            - 'linux-repository-updates.com'
            - '1gh.com'
            - 'dwarfpool.com'
            - 'hash-to-coins.com'
            - 'pool-proxy.com'
            - 'hashfor.cash'
            - 'fairpool.cloud'
            - 'litecoinpool.org'
            - 'mineshaft.ml'
            - 'abcxyz.stream'
            - 'moneropool.ru'
            - 'cryptonotepool.org.uk'
            - 'extremepool.org'
            - 'extremehash.com'
            - 'hashinvest.net'
            - 'unipool.pro'
            - 'crypto-pools.org'
            - 'monero.net'
            - 'backup-pool.com'
            - 'mooo.com' # Dynamic DNS, may want to exclude
            - 'freeyy.me'
            - 'cryptonight.net'
            - 'shscrypto.net'
    exclude_answers:
        answers:
            - '127.0.0.1'
            - '0.0.0.0'
    exclude_rejected:
        rejected: 'true'
    condition: selection and not 1 of exclude_*
fields:
    - id.orig_h
    - id.resp_h
    - query
    - answers
    - qtype_name
    - rcode_name
falsepositives:
    - A DNS lookup does not necessarily mean a successful attempt; verify a) if there was a response using the Zeek answers field, and if there was, verify the connections (conn.log) to those IPs, b) whether there was HTTP, SSL, or TLS activity to the domain that was queried. The http.log field is 'host' and the ssl/tls field is 'server_name'.
level: low
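To show how the rule's condition (`selection and not 1 of exclude_*`) behaves on actual records, here is an added Python example, not part of the rule or the Sigma project, that applies the selection and both exclusions to constructed Zeek dns.log JSON lines. The pool domain list is a small subset of the rule's, the sample log lines are made up, and the `strict` label-boundary option is an assumption that goes beyond the rule's plain `endswith` (which would also match a name like `notxmr.pt`).

```python
import json

# Subset of the pool domains from the rule's selection list (not the full list).
MINING_POOL_DOMAINS = ("supportxmr.com", "nanopool.org", "xmrpool.eu", "hashvault.pro", "xmr.pt")
EXCLUDED_ANSWERS = {"127.0.0.1", "0.0.0.0"}  # exclude_answers: localhost / sinkholed answers

def selection_matches(query, strict=False):
    """Sigma `query|endswith` over the pool list. strict=True (assumed hardening, not in
    the rule) requires a label boundary, so 'notxmr.pt' no longer matches 'xmr.pt'."""
    q = query.lower().rstrip(".")
    for d in MINING_POOL_DOMAINS:
        if q == d or q.endswith("." + d) or (not strict and q.endswith(d)):
            return True
    return False

def evaluate(record, strict=False):
    """condition: selection and not 1 of exclude_*, applied to one Zeek dns.log record."""
    if not selection_matches(record.get("query", ""), strict):
        return False
    if any(a in EXCLUDED_ANSWERS for a in (record.get("answers") or [])):
        return False  # exclude_answers
    if record.get("rejected") is True:  # exclude_rejected (JSON logs carry a bool)
        return False
    return True

def scan(lines, strict=False):
    """Return (id.orig_h, query) for every record the rule would fire on."""
    hits = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            if evaluate(rec, strict):
                hits.append((rec["id.orig_h"], rec["query"]))
    return hits

# Constructed Zeek dns.log lines (JSON output format), not real traffic.
SAMPLE_DNS_LOG = """
{"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","query":"pool.supportxmr.com","qtype_name":"A","rcode_name":"NOERROR","answers":["203.0.113.10"],"rejected":false}
{"id.orig_h":"10.0.0.6","id.resp_h":"10.0.0.2","query":"xmr-eu1.nanopool.org","qtype_name":"A","rcode_name":"NOERROR","answers":["0.0.0.0"],"rejected":false}
{"id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.2","query":"hashvault.pro","qtype_name":"A","rcode_name":"REFUSED","answers":[],"rejected":true}
{"id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.2","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR","answers":["192.0.2.1"],"rejected":false}
{"id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.2","query":"notxmr.pt","qtype_name":"A","rcode_name":"NOERROR","answers":["198.51.100.7"],"rejected":false}
"""

if __name__ == "__main__":
    for src, query in scan(SAMPLE_DNS_LOG.splitlines()):
        print(f"{src} queried {query}")
```

Only the first client fires under the strict variant; the second and third are dropped by the answer and rejected exclusions, which is why a sinkholed or refused lookup should not be counted as evidence of mining on its own.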
