security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/network/zeek/zeek_dns_mining_pools.yml
T
frack113 4631d0c482 remove invalid tag
2022-01-19 18:23:30 +01:00

106 lines
3.3 KiB
YAML
Raw Blame History

title: DNS Events Related To Mining Pools
id: bf74135c-18e8-4a72-a926-0e4f47888c19
description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
status: experimental
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml
date: 2021/08/19
modified: 2021/08/23
author: Saw Winn Naung, Azure-Sentinel, @neu5ron
level: low
logsource:
service: dns
product: zeek
tags:
- attack.t1569.002
- attack.t1496
detection:
selection:
query|endswith:
- 'monerohash.com'
- 'do-dear.com'
- 'xmrminerpro.com'
- 'secumine.net'
- 'xmrpool.com'
- 'minexmr.org'
- 'hashanywhere.com'
- 'xmrget.com'
- 'mininglottery.eu'
- 'minergate.com'
- 'moriaxmr.com'
- 'multipooler.com'
- 'moneropools.com'
- 'xmrpool.eu'
- 'coolmining.club'
- 'supportxmr.com'
- 'minexmr.com'
- 'hashvault.pro'
- 'xmrpool.net'
- 'crypto-pool.fr'
- 'xmr.pt'
- 'miner.rocks'
- 'walpool.com'
- 'herominers.com'
- 'gntl.co.uk'
- 'semipool.com'
- 'coinfoundry.org'
- 'cryptoknight.cc'
- 'fairhash.org'
- 'baikalmine.com'
- 'tubepool.xyz'
- 'fairpool.xyz'
- 'asiapool.io'
- 'coinpoolit.webhop.me'
- 'nanopool.org'
- 'moneropool.com'
- 'miner.center'
- 'prohash.net'
- 'poolto.be'
- 'cryptoescrow.eu'
- 'monerominers.net'
- 'cryptonotepool.org'
- 'extrmepool.org'
- 'webcoin.me'
- 'kippo.eu'
- 'hashinvest.ws'
- 'monero.farm'
- 'linux-repository-updates.com'
- '1gh.com'
- 'dwarfpool.com'
- 'hash-to-coins.com'
- 'pool-proxy.com'
- 'hashfor.cash'
- 'fairpool.cloud'
- 'litecoinpool.org'
- 'mineshaft.ml'
- 'abcxyz.stream'
- 'moneropool.ru'
- 'cryptonotepool.org.uk'
- 'extremepool.org'
- 'extremehash.com'
- 'hashinvest.net'
- 'unipool.pro'
- 'crypto-pools.org'
- 'monero.net'
- 'backup-pool.com'
- 'mooo.com' # Dynamic DNS, may want to exclude
- 'freeyy.me'
- 'cryptonight.net'
- 'shscrypto.net'
exclude_answers:
answers:
- '127.0.0.1'
- '0.0.0.0'
exclude_rejected:
rejected: 'true'
condition: selection and not (exclude_answers or exclude_rejected)
falsepositives:
- A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'.
fields:
- id.orig_h
- id.resp_h
- query
- answers
- qtype_name
- rcode_name
Reference in New Issue View Git Blame Copy Permalink