Cloud provider activity observed from IP associated with cryptomining

This rule is part of a beta feature. To learn more, contact Support.

Classification:

threat-intel

Tactic:

TA0011-command-and-control

Technique:

T1071-application-layer-protocol

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect when a host in AWS, GCP, or Azure is potentially infected with a cryptominer.

Strategy

This rule compares the @network.client.ip standard attribute to a curated threat intelligence list of known cryptomining IP addresses.

Triage and response

  1. Determine if the resource should be contacting a cryptomining associated IP address.
  2. If not, begin your company’s incident response process.