Potential cryptomining detected through IP callback
Goal
Detect when a host is potentially infected with a cryptominer.
Strategy
This rule compares the @network.client.ip standard attribute to a curated list of cryptomining pools.
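The comparison described above, sketched as an added example that is not the rule's own query or code. The pool list uses constructed documentation-range addresses, and the port set and the network.destination.port field used for the port filter are assumptions, since the page does not give the rule's actual list or ports.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the curated pool list (RFC 5737 documentation ranges).
POOL_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
# Assumed port filter; the rule's real port list is not given on the page.
POOL_PORTS = {3333, 4444}

# Constructed events shaped like logs carrying the network.client.ip attribute.
SAMPLE_EVENTS = [
    {"host": "web-01", "network": {"client": {"ip": "203.0.113.7"}, "destination": {"port": 3333}}},
    {"host": "web-01", "network": {"client": {"ip": "198.51.100.20"}, "destination": {"port": 4444}}},
    # Pool IP on a port outside the filter: suppressed to reduce false positives.
    {"host": "db-02", "network": {"client": {"ip": "198.51.100.20"}, "destination": {"port": 443}}},
    # Mining-style port but the IP is not on the list: no match.
    {"host": "db-02", "network": {"client": {"ip": "192.0.2.10"}, "destination": {"port": 3333}}},
    # Malformed and missing attributes must not raise or match.
    {"host": "ci-03", "network": {"client": {"ip": "not-an-ip"}, "destination": {"port": 3333}}},
    {"host": "ci-03", "network": {"client": {}}},
]

def get_attr(event, path):
    """Resolve a dotted attribute path such as network.client.ip, or return None."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def is_pool_ip(value):
    """True if value parses as an IP address inside any listed pool network."""
    try:
        addr = ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return False
    return any(addr in net for net in POOL_NETWORKS)

def detect(events):
    """Group matching pool IPs by host, one signal per host."""
    signals = defaultdict(set)
    for event in events:
        ip = get_attr(event, "network.client.ip")
        port = get_attr(event, "network.destination.port")
        if is_pool_ip(ip) and port in POOL_PORTS:
            signals[event.get("host", "unknown")].add(ip)
    return {host: sorted(ips) for host, ips in signals.items()}

if __name__ == "__main__":
    for host, ips in detect(SAMPLE_EVENTS).items():
        print(f"{host}: contacted listed pool address(es) {', '.join(ips)}")
```

Grouping by host mirrors the {{host}} placeholder in the triage steps, so each signal names the machine to investigate.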
Triage and response
- Determine if the {{host}} host should be contacting a cryptomining pool.
- If not, begin your company’s IR process.
Note: You can use the signal side panel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.
Changelog
- 8 April 2022 - Initial beta release to select organizations.
- 13 April 2022 - Added additional filters for specific ports to reduce false positives.
- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.