← Back to Explore
sigmahighTTP
Monero Crypto Coin Mining Pool Lookup
Detects suspicious DNS queries to Monero mining pools
Detection Query
selection:
query|contains:
- pool.minexmr.com
- fr.minexmr.com
- de.minexmr.com
- sg.minexmr.com
- ca.minexmr.com
- us-west.minexmr.com
- pool.supportxmr.com
- mine.c3pool.com
- xmr-eu1.nanopool.org
- xmr-eu2.nanopool.org
- xmr-us-east1.nanopool.org
- xmr-us-west1.nanopool.org
- xmr-asia1.nanopool.org
- xmr-jp1.nanopool.org
- xmr-au1.nanopool.org
- xmr.2miners.com
- xmr.hashcity.org
- xmr.f2pool.com
- xmrpool.eu
- pool.hashvault.pro
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2021-10-24
Data Sources
dns
Tags
attack.impactattack.t1496attack.exfiltrationattack.t1567
Raw Content
title: Monero Crypto Coin Mining Pool Lookup
id: b593fd50-7335-4682-a36c-4edcb68e4641
status: stable
description: Detects suspicious DNS queries to Monero mining pools
references:
- https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
author: Florian Roth (Nextron Systems)
date: 2021-10-24
tags:
- attack.impact
- attack.t1496
- attack.exfiltration
- attack.t1567
logsource:
category: dns
detection:
selection:
query|contains:
- 'pool.minexmr.com'
- 'fr.minexmr.com'
- 'de.minexmr.com'
- 'sg.minexmr.com'
- 'ca.minexmr.com'
- 'us-west.minexmr.com'
- 'pool.supportxmr.com'
- 'mine.c3pool.com'
- 'xmr-eu1.nanopool.org'
- 'xmr-eu2.nanopool.org'
- 'xmr-us-east1.nanopool.org'
- 'xmr-us-west1.nanopool.org'
- 'xmr-asia1.nanopool.org'
- 'xmr-jp1.nanopool.org'
- 'xmr-au1.nanopool.org'
- 'xmr.2miners.com'
- 'xmr.hashcity.org'
- 'xmr.f2pool.com'
- 'xmrpool.eu'
- 'pool.hashvault.pro'
condition: selection
falsepositives:
- Legitimate crypto coin mining
level: high