Potential cryptomining detected through IP callback


Goal

Detect when a host is potentially infected with a cryptominer.

Strategy

This rule compares the @network.client.ip standard attribute of each log against a curated list of cryptomining pool addresses. A match generates a signal for the host that produced the log.
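The matching logic described above, as an added example (this is not Datadog's rule engine or any code from this page): a Python function that parses constructed JSON log lines, compares the @network.client.ip attribute against a constructed pool list, and applies a constructed destination-port filter in the spirit of the changelog's "filters for specific ports". It goes one step beyond the text by accepting CIDR ranges as well as single addresses in the list. The pool entries, the ports, the network.destination.port attribute path, and the log lines are all assumptions made for illustration.

```python
"""Added example of the detection logic: match @network.client.ip against a
curated cryptomining-pool list and group hits per host. Not Datadog's code."""
import ipaddress
import json

# Constructed stand-in for the curated pool list (assumed values from the
# RFC 5737 documentation ranges, not real pool infrastructure).
# Entries may be single IPs or CIDR ranges.
CRYPTOMINING_POOL_LIST = [
    "203.0.113.10",
    "198.51.100.0/24",
]

# Constructed port filter. The page says ports are filtered to reduce false
# positives but does not list them; these values are assumptions.
MONITORED_PORTS = {3333, 4444, 5555}

# Constructed log lines in a Datadog-like nested layout (assumed shape).
SAMPLE_LOGS = [
    '{"host": "web-01", "network": {"client": {"ip": "203.0.113.10"}, "destination": {"port": 3333}}}',
    '{"host": "web-02", "network": {"client": {"ip": "198.51.100.77"}, "destination": {"port": 443}}}',
    '{"host": "db-01", "network": {"client": {"ip": "198.51.100.5"}, "destination": {"port": 4444}}}',
    '{"host": "web-03", "network": {"client": {"ip": "192.0.2.1"}, "destination": {"port": 3333}}}',
    '{"host": "web-04", "network": {"client": {}}}',
    "not json at all",
]


def compile_pool_list(entries):
    """Parse list entries once; a bare IP becomes a /32 (or /128) network."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def ip_in_pool_list(ip, networks):
    """True when ip falls inside any listed address or range.

    A missing or malformed attribute never matches, so a log without
    @network.client.ip cannot produce a signal.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def evaluate_logs(log_lines, pool_list=CRYPTOMINING_POOL_LIST, ports=MONITORED_PORTS):
    """Return {host: [matched client IPs]} for logs that hit the pool list.

    ports=None disables the port filter, which shows how the filter changes
    the result set on the same input.
    """
    networks = compile_pool_list(pool_list)
    signals = {}
    for line in log_lines:
        try:
            log = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable line: skip rather than crash the rule
        network = log.get("network", {})
        client_ip = network.get("client", {}).get("ip")
        dest_port = network.get("destination", {}).get("port")
        if ports is not None and dest_port not in ports:
            continue  # port filter (assumed attribute path)
        if ip_in_pool_list(client_ip, networks):
            host = log.get("host", "unknown")
            signals.setdefault(host, []).append(client_ip)
    return signals


if __name__ == "__main__":
    for host, ips in evaluate_logs(SAMPLE_LOGS).items():
        print(f"signal: host {host} contacted pool address(es) {ips}")
```

On the constructed input, web-01 matches a single listed address and db-01 matches through the /24 range; web-02 is also inside the range but is dropped by the port filter, which is the false-positive reduction the changelog describes. Running with ports=None brings web-02 back.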

Triage and response

  1. Determine whether the {{host}} host should be contacting a cryptomining pool.
  2. If not, begin your company’s incident response (IR) process.

Note: You can use the signal side panel to assist with the initial investigation by reviewing CPU utilization and the running processes on the host to identify unauthorized activity.

Changelog

  • 8 April 2022 - Initial beta release to select organizations.
  • 13 April 2022 - Added additional filters for specific ports to reduce false positives.
  • 26 April 2022 - Removed the restrictedToOrgs setting, launching the rule to all of production.