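title: Linux Crypto Mining Indicators
id: 9069ea3c-b213-4c52-be13-86506a227ab1
status: test
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2022-12-25
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        # Plain-text miner arguments and pool URL schemes. Several entries keep a
        # leading (or trailing) space so that `contains` anchors on a separate
        # argument rather than on a substring of an unrelated longer token.
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # Subprocess started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
            - 'sh -c /sbin/modprobe msr allow_writes=on'
            # base64 encoded: --donate-level=
            # Three variants cover the three possible byte alignments of the plain text
            # inside a longer base64 payload; the alignment-dependent edge characters are
            # trimmed so each variant matches regardless of the surrounding bytes.
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            # Same three-alignment scheme as above, one set per URL scheme.
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    condition: selection
falsepositives:
    - Legitimate use of crypto miners
level: high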