
Potential Crypto Mining Activity

Detects command line parameters or strings often used by crypto miners

MITRE ATT&CK

impact

Detection Query

selection:
  CommandLine|contains:
    - " --cpu-priority="
    - --donate-level=0
    - " -o pool."
    - " --nicehash"
    - " --algo=rx/0 "
    - stratum+tcp://
    - stratum+udp://
    - LS1kb25hdGUtbGV2ZWw9
    - 0tZG9uYXRlLWxldmVsP
    - tLWRvbmF0ZS1sZXZlbD
    - c3RyYXR1bSt0Y3A6Ly
    - N0cmF0dW0rdGNwOi8v
    - zdHJhdHVtK3RjcDovL
    - c3RyYXR1bSt1ZHA6Ly
    - N0cmF0dW0rdWRwOi8v
    - zdHJhdHVtK3VkcDovL
filter:
  CommandLine|contains:
    - " pool.c "
    - " pool.o "
    - gcc -
condition: selection and not filter

Author

Florian Roth (Nextron Systems)

Created

2021-10-26

Data Sources

Windows process creation events

Platforms

windows

Tags

attack.impact
attack.t1496

Raw Content
title: Potential Crypto Mining Activity
id: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
status: stable
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2023-02-13
tags:
    - attack.impact
    - attack.t1496
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # base64 encoded: --donate-level=
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    filter:
        CommandLine|contains:
            - ' pool.c '
            - ' pool.o '
            - 'gcc -'
    condition: selection and not filter
falsepositives:
    - Legitimate use of crypto miners
    - Some build frameworks
level: high
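As an added example (not part of the rule or of the SigmaHQ page), the Python script below reproduces how the three base64 forms of each plaintext indicator in the selection list arise, and evaluates the rule's `selection and not filter` logic over a few constructed command lines. It assumes Sigma's default case-insensitive `contains` semantics; the sample command lines, the `pool.example.invalid` host and the `loader.exe --config` blob are constructed for illustration and are not real telemetry.

```python
import base64

# Plaintexts the rule's base64 entries are derived from (taken from the
# rule's own comments on its base64 entries).
PLAINTEXTS = ["--donate-level=", "stratum+tcp://", "stratum+udp://"]


def base64_variants(text: str) -> list[str]:
    """Return the three base64 fragments of `text` that are stable no matter
    where it sits inside a larger encoded blob.

    base64 works on 3-byte groups, so a substring can land at byte offset
    0, 1 or 2 within a group and encodes to a different string for each.
    For each offset we prepend `offset` filler bytes, encode, then drop the
    leading characters that depend on the filler and the trailing characters
    that would depend on whatever follows the substring.
    """
    raw = text.encode()
    variants = []
    for offset in range(3):
        encoded = base64.b64encode(b"\x00" * offset + raw).decode()
        total = offset + len(raw)
        # Characters fully determined by `raw`: 4 per complete 3-byte group,
        # plus 1 (one leftover byte) or 2 (two leftover bytes).
        stable_end = 4 * (total // 3) + (total % 3)
        # Leading characters contaminated by the filler bytes: 0, 2 or 3.
        stable_start = (0, 2, 3)[offset]
        variants.append(encoded[stable_start:stable_end])
    return variants


def rule_base64_indicators() -> list[str]:
    """All nine base64 entries of the rule, in the rule's order."""
    return [v for p in PLAINTEXTS for v in base64_variants(p)]


# Plain-text indicators copied from the rule's selection list.
SELECTION_PLAIN = [
    " --cpu-priority=",
    "--donate-level=0",
    " -o pool.",
    " --nicehash",
    " --algo=rx/0 ",
    "stratum+tcp://",
    "stratum+udp://",
]
SELECTION = SELECTION_PLAIN + rule_base64_indicators()

# Exclusions copied from the rule's filter list (compiler invocations that
# legitimately mention pool.c / pool.o and therefore also "-o pool.").
FILTER = [" pool.c ", " pool.o ", "gcc -"]


def matched_indicators(command_line: str) -> list[str]:
    """Selection strings found in the command line. Sigma `contains` is
    case-insensitive by default; emulated here by lowercasing both sides."""
    haystack = command_line.lower()
    return [s for s in SELECTION if s.lower() in haystack]


def is_filtered(command_line: str) -> bool:
    haystack = command_line.lower()
    return any(f.lower() in haystack for f in FILTER)


def alerts(command_line: str) -> bool:
    """Evaluate the rule's condition: selection and not filter."""
    return bool(matched_indicators(command_line)) and not is_filtered(command_line)


# Constructed sample process-creation command lines (hypothetical, not real).
_CONFIG_BLOB = base64.b64encode(
    b'{"url":"stratum+tcp://pool.example.invalid:3333"}'
).decode()
SAMPLES = {
    "miner": "xmrig.exe -o pool.example.invalid:3333 --donate-level=0 --cpu-priority=5",
    "encoded": "loader.exe --config " + _CONFIG_BLOB,
    "build": "gcc -O2 -c pool.c -o pool.o",
    "benign": "notepad.exe C:\\Users\\alice\\notes.txt",
}

if __name__ == "__main__":
    for name, cl in SAMPLES.items():
        print(f"{name:8} alert={alerts(cl)!s:5} hits={matched_indicators(cl)}")
```

Run it directly to see a per-sample verdict. The `build` sample shows why the filter exists: `-o pool.o` trips the ` -o pool.` indicator, and only the ` pool.c ` / `gcc -` exclusions keep a compiler invocation from alerting, which is the "some build frameworks" false positive the rule lists. The base64 entries are the ASCII alignments of the plaintext; a PowerShell `-EncodedCommand` argument is base64 of UTF-16LE text, so those nine strings will not appear in it and a separate set of UTF-16LE-derived variants would be needed to cover that case.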