EXPLORE
Sign In
← Back to Explore
kqlHunting

Kinsing miner download

This query was originally published in the threat analytics report, *Sysrv botnet evolution*.

Detection Query

DeviceProcessEvents
| where ProcessCommandLine has_all('curl', '-o /etc/kinsing')

Data Sources

DeviceProcessEvents

Platforms

windows

Tags

campaignsransomware
Raw Content
# Kinsing miner download

This query was originally published in the threat analytics report, *Sysrv botnet evolution*.

Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.

The following query finds instances where the attacker commanded the Kinsing miner file to be downloaded on Linux devices.

## Query

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_all('curl', '-o /etc/kinsing')
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

Technique, tactic, or state | Covered? (v=yes) | Notes
-|-|-
Initial access |  |  
Execution | v |  
Persistence |  |  
Privilege escalation |  |  
Defense evasion | v |  
Credential Access |  |  
Discovery |  |  
Lateral movement |  |  
Collection |  |  
Command and control |  |  
Exfiltration |  |  
Impact |  |  
Vulnerability |  |  
Exploit |  |  
Misconfiguration |  |  
Malware, component | v |  
Ransomware |  |  

## Contributor info

**Contributor:** Microsoft Threat Protection team