Crypto Miner User Agent

Feb 1, 2023 · attack.command_and_control attack.t1071.001 ·

Detects suspicious user agent strings used by crypto miners in proxy logs

Sigma rule (View on GitHub)

 1title: Crypto Miner User Agent
 2id: fa935401-513b-467b-81f4-f9e77aa0dd78
 3status: test
 4description: Detects suspicious user agent strings used by crypto miners in proxy logs
 5references:
 6    - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
 7    - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
 8author: Florian Roth (Nextron Systems)
 9date: 2019/10/21
10modified: 2021/11/27
11tags:
12    - attack.command_and_control
13    - attack.t1071.001
14logsource:
15    category: proxy
16detection:
17    selection:
18        c-useragent|startswith:
19        # XMRig
20            - 'XMRig '
21        # CCMiner
22            - 'ccminer'
23    condition: selection
24fields:
25    - ClientIP
26    - c-uri
27    - c-useragent
28falsepositives:
29    - Unknown
30level: high

References

xmrig/src/base/kernel/Platform_win.cpp at da22b3e6c45825f3ac1f208255126cb8585cd4fc · xmrig/xmrig

RandomX, KawPow, CryptoNight and GhostRider unified CPU/GPU miner and RandomX benchmark - xmrig/xmrig

Read More
xmrig/src/version.h at 427b6516e0550200c17ca28675118f0fffcc323f · xmrig/xmrig

RandomX, KawPow, CryptoNight and GhostRider unified CPU/GPU miner and RandomX benchmark - xmrig/xmrig

Read More

Crypto Miner User Agent

Sigma rule (View on GitHub)

References

xmrig/src/base/kernel/Platform_win.cpp at da22b3e6c45825f3ac1f208255126cb8585cd4fc · xmrig/xmrig

xmrig/src/version.h at 427b6516e0550200c17ca28675118f0fffcc323f · xmrig/xmrig

Related rules