← Back to Explore
sigmalowHunting
DNS Events Related To Mining Pools
Identifies clients that may be performing DNS lookups associated with common currency mining pools.
Detection Query
selection:
query|endswith:
- monerohash.com
- do-dear.com
- xmrminerpro.com
- secumine.net
- xmrpool.com
- minexmr.org
- hashanywhere.com
- xmrget.com
- mininglottery.eu
- minergate.com
- moriaxmr.com
- multipooler.com
- moneropools.com
- xmrpool.eu
- coolmining.club
- supportxmr.com
- minexmr.com
- hashvault.pro
- xmrpool.net
- crypto-pool.fr
- xmr.pt
- miner.rocks
- walpool.com
- herominers.com
- gntl.co.uk
- semipool.com
- coinfoundry.org
- cryptoknight.cc
- fairhash.org
- baikalmine.com
- tubepool.xyz
- fairpool.xyz
- asiapool.io
- coinpoolit.webhop.me
- nanopool.org
- moneropool.com
- miner.center
- prohash.net
- poolto.be
- cryptoescrow.eu
- monerominers.net
- cryptonotepool.org
- extrmepool.org
- webcoin.me
- kippo.eu
- hashinvest.ws
- monero.farm
- linux-repository-updates.com
- 1gh.com
- dwarfpool.com
- hash-to-coins.com
- pool-proxy.com
- hashfor.cash
- fairpool.cloud
- litecoinpool.org
- mineshaft.ml
- abcxyz.stream
- moneropool.ru
- cryptonotepool.org.uk
- extremepool.org
- extremehash.com
- hashinvest.net
- unipool.pro
- crypto-pools.org
- monero.net
- backup-pool.com
- mooo.com
- freeyy.me
- cryptonight.net
- shscrypto.net
exclude_answers:
answers:
- 127.0.0.1
- 0.0.0.0
exclude_rejected:
rejected: "true"
condition: selection and not 1 of exclude_*
Author
Saw Winn Naung, Azure-Sentinel, @neu5ron
Created
2021-08-19
Data Sources
zeekdns
Platforms
zeek
Tags
attack.executionattack.t1569.002attack.impactattack.t1496
Raw Content
title: DNS Events Related To Mining Pools
id: bf74135c-18e8-4a72-a926-0e4f47888c19
status: test
description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
references:
- https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml
author: Saw Winn Naung, Azure-Sentinel, @neu5ron
date: 2021-08-19
modified: 2022-07-07
tags:
- attack.execution
- attack.t1569.002
- attack.impact
- attack.t1496
logsource:
service: dns
product: zeek
detection:
selection:
query|endswith:
- 'monerohash.com'
- 'do-dear.com'
- 'xmrminerpro.com'
- 'secumine.net'
- 'xmrpool.com'
- 'minexmr.org'
- 'hashanywhere.com'
- 'xmrget.com'
- 'mininglottery.eu'
- 'minergate.com'
- 'moriaxmr.com'
- 'multipooler.com'
- 'moneropools.com'
- 'xmrpool.eu'
- 'coolmining.club'
- 'supportxmr.com'
- 'minexmr.com'
- 'hashvault.pro'
- 'xmrpool.net'
- 'crypto-pool.fr'
- 'xmr.pt'
- 'miner.rocks'
- 'walpool.com'
- 'herominers.com'
- 'gntl.co.uk'
- 'semipool.com'
- 'coinfoundry.org'
- 'cryptoknight.cc'
- 'fairhash.org'
- 'baikalmine.com'
- 'tubepool.xyz'
- 'fairpool.xyz'
- 'asiapool.io'
- 'coinpoolit.webhop.me'
- 'nanopool.org'
- 'moneropool.com'
- 'miner.center'
- 'prohash.net'
- 'poolto.be'
- 'cryptoescrow.eu'
- 'monerominers.net'
- 'cryptonotepool.org'
- 'extrmepool.org'
- 'webcoin.me'
- 'kippo.eu'
- 'hashinvest.ws'
- 'monero.farm'
- 'linux-repository-updates.com'
- '1gh.com'
- 'dwarfpool.com'
- 'hash-to-coins.com'
- 'pool-proxy.com'
- 'hashfor.cash'
- 'fairpool.cloud'
- 'litecoinpool.org'
- 'mineshaft.ml'
- 'abcxyz.stream'
- 'moneropool.ru'
- 'cryptonotepool.org.uk'
- 'extremepool.org'
- 'extremehash.com'
- 'hashinvest.net'
- 'unipool.pro'
- 'crypto-pools.org'
- 'monero.net'
- 'backup-pool.com'
- 'mooo.com' # Dynamic DNS, may want to exclude
- 'freeyy.me'
- 'cryptonight.net'
- 'shscrypto.net'
exclude_answers:
answers:
- '127.0.0.1'
- '0.0.0.0'
exclude_rejected:
rejected: 'true'
condition: selection and not 1 of exclude_*
falsepositives:
- A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'.
level: low