Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
Sigma rule

```yaml
title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: test
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
    - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
    - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth (Nextron Systems)
date: 2019/10/21
modified: 2021/11/27
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
            # XMRig
            - 'XMRig '
            # CCMiner
            - 'ccminer'
    condition: selection
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Unknown
level: high
```
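The rule's selection applied to proxy records, as an added example that is not the rule's or the Sigma project's code. It assumes an IIS-style W3C extended log (a `#Fields:` header, space-separated records, `+` for spaces inside values) and maps the W3C `c-ip` column to the rule's `ClientIP` field; the sample records are constructed.

```python
from typing import Dict, List

# Added example, not the rule's or Sigma's code. Assumes an IIS-style W3C
# extended log ('#Fields:' header, space-separated records, spaces inside
# values encoded as '+'); the sample records below are constructed.
# Rule selection: c-useragent|startswith. Sigma matching is case-insensitive
# by default, and the literal trailing space in 'XMRig ' is part of the value.
USER_AGENT_PREFIXES = ("xmrig ", "ccminer")
ALERT_FIELDS = ("ClientIP", "c-uri", "c-useragent")  # the rule's 'fields'
FIELD_ALIASES = {"c-ip": "ClientIP"}  # assumed W3C-column-to-rule-field mapping

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method c-uri sc-status c-useragent
2021-11-27 10:00:01 10.0.0.12 GET /index.html 200 Mozilla/5.0+(Windows+NT+10.0)
2021-11-27 10:00:05 10.0.0.33 POST /json_rpc 200 XMRig+6.15.2+(Linux)
2021-11-27 10:00:09 10.0.0.33 GET /status 200 ccminer/2.3.1
2021-11-27 10:00:11 10.0.0.45 GET /xmrig-docs 200 Mozilla/5.0+(X11)
2021-11-27 10:00:15 10.0.0.50 GET /api 200 CCMiner/2.3.1
"""

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn a W3C extended log into one dict per record, keyed by field name."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [FIELD_ALIASES.get(f, f) for f in line.split()[1:]]
        elif line and not line.startswith("#"):
            values = [v.replace("+", " ") for v in line.split(" ")]
            if len(values) == len(fields):  # skip malformed records
                records.append(dict(zip(fields, values)))
    return records

def matches_selection(record: Dict[str, str]) -> bool:
    """Sigma 'selection': c-useragent starts with one of the listed values."""
    ua = record.get("c-useragent", "").lower()
    return any(ua.startswith(p) for p in USER_AGENT_PREFIXES)

def detect(text: str) -> List[Dict[str, str]]:
    """Apply the rule and return only the fields the rule asks to surface."""
    return [{k: r[k] for k in ALERT_FIELDS}
            for r in parse_w3c(text) if matches_selection(r)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A user agent such as `XMRig/6.15.2` does not match, because the rule's value carries a trailing space; the prefix test is on the user agent only, so a URI containing `xmrig` is not enough.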
Related rules
- Exploit Framework User Agent
- PwnDrp Access
- Antivirus Exploitation Framework Detection
- Cobalt Strike DNS Beaconing
- Query Tor Onion Address - DNS Client