Cloud provider activity observed from IP associated with cryptomining

This rule is part of a beta feature. To learn more, contact Support.

Classification:

threat-intel

Tactic:

TA0011-command-and-control

Technique:

T1071-application-layer-protocol

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a host in AWS, GCP, or Azure is potentially infected with a cryptominer.

Strategy

This rule compares the @network.client.ip standard attribute to a curated threat intelligence list of known cryptomining IP addresses.

Triage and response

  1. Determine if the resource should be contacting a cryptomining associated IP address.
  2. If not, begin your company’s incident response process.