Cloud provider activity observed from IP associated with cryptomining

This rule is part of a beta feature. To learn more, contact Support.

Classification:

threat-intel

Tactic:

TA0011-command-and-control

Technique:

T1071-application-layer-protocol

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a host in AWS, GCP, or Azure is potentially infected with a cryptominer.

Strategy

This rule compares the @network.client.ip standard attribute to a curated threat intelligence list of known cryptomining IP addresses.

Triage and response

  1. Determine if the resource should be contacting a cryptomining associated IP address.
  2. If not, begin your company’s incident response process.