<  Back to rules search

Potential cryptomining detected through IP callback

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1496-resource-hijacking

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a host is potentially infected with a cryptominer.

Strategy

This rule compares the @network.client.ip standard attribute to a curated list of cryptomining pools.

Triage and response

  1. Determine if the {{host}} host should be contacting a cryptomining pool.
  2. If not, begin your company’s IR process.

Note You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.

Changelog

  • 8 April 2022 - Initial beta release to select organizations.
  • 13 April 2022 - Added additional filters for specific ports to reduce false positives.
  • 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.