Potential Crypto Mining Activity

Detects command line parameters or strings often used by crypto miners

Sigma rule

title: Potential Crypto Mining Activity
id: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
status: stable
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2023-02-13
tags:
    - attack.impact
    - attack.t1496
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # base64 encoded: --donate-level=
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    filter:
        CommandLine|contains:
            - ' pool.c '
            - ' pool.o '
            - 'gcc -'
    condition: selection and not filter
falsepositives:
    - Legitimate use of crypto miners
    - Some build frameworks
level: high
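The rule's base64 entries come in groups of three because a string encoded inside a larger blob produces a different base64 substring depending on whether it starts at byte offset 0, 1 or 2 of a 3-byte group. The Python below is an added example (not part of the Sigma project or this rule's author's code): it derives the three alignment variants from the plaintext and checks that they reproduce the rule's strings exactly, then evaluates `selection and not filter` over a handful of constructed command lines, including one that carries the flag only in base64 form. Sigma's `contains` modifier is case-insensitive by default, which the matcher mirrors.

```python
"""Reference matcher for the 'Potential Crypto Mining Activity' Sigma rule,
plus the base64 three-alignment trick the rule's encoded entries rely on.
Added example; the command lines below are constructed, not real telemetry."""
from __future__ import annotations

import base64

# Plaintext entries copied from the rule's selection.
PLAIN_SELECTION = [
    " --cpu-priority=", "--donate-level=0", " -o pool.", " --nicehash",
    " --algo=rx/0 ", "stratum+tcp://", "stratum+udp://",
]
# Base64 entries copied from the rule, in the order listed there.
B64_SELECTION = [
    "LS1kb25hdGUtbGV2ZWw9", "0tZG9uYXRlLWxldmVsP", "tLWRvbmF0ZS1sZXZlbD",
    "c3RyYXR1bSt0Y3A6Ly", "N0cmF0dW0rdGNwOi8v", "zdHJhdHVtK3RjcDovL",
    "c3RyYXR1bSt1ZHA6Ly", "N0cmF0dW0rdWRwOi8v", "zdHJhdHVtK3VkcDovL",
]
# The rule's filter (build-tool noise such as compiling pool.c).
FILTER = [" pool.c ", " pool.o ", "gcc -"]


def base64_variants(s: str) -> list[str]:
    """Return the three base64 substrings that appear whenever `s` is encoded
    at byte offset 0, 1 or 2 of the surrounding data.  Characters whose bits
    depend on unknown neighbouring bytes are trimmed from both ends."""
    out = []
    for offset in range(3):
        # Pad with `offset` dummy bytes so `s` lands at that alignment.
        enc = base64.b64encode(b"\x00" * offset + s.encode()).decode()
        enc = enc.rstrip("=")
        # Leading sextets that contain any bit of the dummy prefix.
        enc = enc[(0, 2, 3)[offset]:]
        # If the padded length is not a multiple of 3, the final sextet mixes
        # data bits with bits of whatever follows `s`, so drop it as well.
        if (offset + len(s)) % 3 != 0:
            enc = enc[:-1]
        out.append(enc)
    return out


def matches(cmdline: str) -> tuple[bool, list[str]]:
    """Evaluate the rule's `selection and not filter` for one command line.
    Returns (alert, selection strings that hit) so an analyst can see why.
    Lower-casing both sides reproduces Sigma's case-insensitive `contains`;
    note this makes the base64 checks slightly broader than an exact match."""
    c = cmdline.lower()
    hits = [p for p in PLAIN_SELECTION + B64_SELECTION if p.lower() in c]
    filtered = any(f.lower() in c for f in FILTER)
    return bool(hits) and not filtered, hits


# Constructed sample command lines (hostnames/paths are placeholders).
SAMPLES = {
    "miner": "miner.exe -o pool.example.invalid:3333 --donate-level=0",
    "build": "gcc -O2 -c pool.c -o pool.o",
    "encoded": "launcher.exe --arg "
               + base64.b64encode(b"cmd --donate-level=0").decode(),
    "benign": "notepad.exe readme.txt",
}

if __name__ == "__main__":
    for plain, expected in (("--donate-level=", B64_SELECTION[0:3]),
                            ("stratum+tcp://", B64_SELECTION[3:6]),
                            ("stratum+udp://", B64_SELECTION[6:9])):
        got = base64_variants(plain)
        print(f"{plain!r}: {got} {'OK' if got == expected else 'MISMATCH'}")
    for name, cmd in SAMPLES.items():
        alert, hits = matches(cmd)
        print(f"{name:8} alert={alert!s:5} hits={hits}")
```

The `build` sample shows the filter doing its job: `gcc -O2 -c pool.c -o pool.o` trips the `' -o pool.'` selection string but is suppressed by `' pool.c '` and `'gcc -'`, which is exactly the "some build frameworks" false positive the rule calls out. The `encoded` sample lands the flag at byte offset 4 of the blob, so only the offset-1 variant `0tZG9uYXRlLWxldmVsP` fires; without all three variants in the rule, that encoding would be missed.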
