Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
Sigma rule
title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: test
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
    - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
    - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth (Nextron Systems)
date: 2019-10-21
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
            # XMRig
            - 'XMRig '
            # CCMiner
            - 'ccminer'
    condition: selection
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Unknown
level: high
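The rule's `startswith` selection applied to proxy log lines, as an added example that is not part of the Sigma project or the rule page. The log format (tab-separated, header named after the rule's `fields:` list) and every log line are constructed; the user agent values are samples, not a claim about what any miner actually sends. It follows Sigma's default of case-insensitive string matching, so it also shows which near-misses the trailing space in `'XMRig '` excludes.

```python
import csv
import io

# Prefixes copied from the rule's `c-useragent|startswith` selection.
USER_AGENT_PREFIXES = ("XMRig ", "ccminer")

# Constructed sample proxy log (tab-separated; header follows the rule's `fields:`).
SAMPLE_LOG = "\t".join(["ClientIP", "c-uri", "c-useragent"]) + "\n" + "\n".join([
    "10.0.0.5\thttp://pool.example/\tXMRig 6.0.0 (Windows NT 10.0; Win64; x64)",
    "10.0.0.6\thttp://intranet.example/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/94.0",
    "10.0.0.7\thttp://pool2.example/\tccminer/2.3.1",
    "10.0.0.8\thttp://pool3.example/\tXMRIG 5.0.0 (Linux)",    # case differs: still matches
    "10.0.0.9\thttp://cdn.example/\tXMRigger-Browser/1.0",     # no space after XMRig: no match
    "10.0.0.10\thttp://api.example/\tcurl/7.79.1 XMRig 1.0",   # prefix not at start: no match
])


def matches_rule(user_agent: str) -> bool:
    """Sigma string matching is case-insensitive by default, so compare lower-cased."""
    ua = user_agent.lower()
    return any(ua.startswith(prefix.lower()) for prefix in USER_AGENT_PREFIXES)


def detect(log_text: str) -> list:
    """Return one dict per matching line, carrying the rule's `fields:` for triage."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    hits = []
    for row in reader:
        if matches_rule(row.get("c-useragent") or ""):
            hits.append({key: row[key] for key in ("ClientIP", "c-uri", "c-useragent")})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```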
Related rules
- APT User Agent
- APT40 Dropbox Tool User Agent
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- Chafer Malware URL Pattern