Type: Detection | Level: critical | Status: test
Possible Coin Miner CPU Priority Param
Detects command line parameter very often used with coin miners
Author: Florian Roth (Nextron Systems)
Created: Sat Oct 09
Updated: Sun Dec 25
Rule ID: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
Product: linux
Log Source
Product: Linux (raw: linux)
Service: auditd (raw: auditd)
Detection Logic (7 selectors)
detection:
  cmd1:
    a1|startswith: '--cpu-priority'
  cmd2:
    a2|startswith: '--cpu-priority'
  cmd3:
    a3|startswith: '--cpu-priority'
  cmd4:
    a4|startswith: '--cpu-priority'
  cmd5:
    a5|startswith: '--cpu-priority'
  cmd6:
    a6|startswith: '--cpu-priority'
  cmd7:
    a7|startswith: '--cpu-priority'
  condition: 1 of cmd*

False Positives
Other tools that use a --cpu-priority flag
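The rule above matches when any of the auditd EXECVE argument fields a1 through a7 starts with '--cpu-priority'. The following Python matcher is an added example, not code from the rule page or the Sigma project: it parses constructed auditd EXECVE records (both the quoted and the hex-encoded argument forms auditd emits), evaluates the 'condition: 1 of cmd*' logic exactly as the selectors define it, and includes one record where the flag sits at a8 so a rule author can see the coverage limit of a1..a7. All paths, pool hostnames and audit message ids in the sample lines are constructed.

```python
import re
from typing import Dict, List

# Selectors from the rule above: a1..a7, each with |startswith '--cpu-priority'.
WATCHED_FIELDS = [f"a{i}" for i in range(1, 8)]
PREFIX = "--cpu-priority"

# key=value tokens; values are either double-quoted or a bare run of non-space chars.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def _maybe_hex_decode(value: str) -> str:
    """auditd writes arguments that are not plain printable text as an
    unquoted uppercase hex string; decode that form back to text."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_execve(line: str) -> Dict[str, str]:
    """Parse one auditd EXECVE record into a dict of its key=value fields,
    normalising a0..aN arguments to their decoded text."""
    fields: Dict[str, str] = {}
    for m in _TOKEN.finditer(line):
        key = m.group(1)
        if m.group(2) is not None:          # quoted argument, already plain text
            value = m.group(2)
        else:                               # bare token: hex-decode if it is an aN field
            value = m.group(3)
            if key[0] == "a" and key[1:].isdigit():
                value = _maybe_hex_decode(value)
        fields[key] = value
    return fields


def matches_rule(fields: Dict[str, str]) -> bool:
    """'condition: 1 of cmd*': true if any of a1..a7 starts with the prefix."""
    return any(fields.get(f, "").startswith(PREFIX) for f in WATCHED_FIELDS)


def scan_lines(lines: List[str]) -> List[str]:
    """Return a0 (the executed program) for every EXECVE record the rule matches."""
    hits = []
    for line in lines:
        if "type=EXECVE" not in line:       # the rule's log source is execve records only
            continue
        fields = parse_execve(line)
        if matches_rule(fields):
            hits.append(fields.get("a0", ""))
    return hits


# Constructed sample records (hypothetical paths and hosts, not real telemetry).
# Line 2 carries the flag as auditd's hex form because the argument contains a space.
_HEX_ARG = "--cpu-priority 5".encode().hex().upper()
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1633776000.101:501): argc=5 a0="/tmp/xmrig" '
    'a1="--cpu-priority=5" a2="-o" a3="pool.example.invalid:3333" a4="--donate-level=1"',
    f'type=EXECVE msg=audit(1633776000.102:502): argc=2 a0="/tmp/miner" a1={_HEX_ARG}',
    'type=EXECVE msg=audit(1633776000.103:503): argc=3 a0="/usr/bin/nice" a1="-n" a2="19"',
    'type=EXECVE msg=audit(1633776000.104:504): argc=9 a0="/opt/app/run.sh" a1="--config" '
    'a2="/etc/app.conf" a3="--threads" a4="4" a5="--log" a6="/var/log/app.log" '
    'a7="--quiet" a8="--cpu-priority=3"',   # flag at a8: outside the a1..a7 selectors
    'type=SYSCALL msg=audit(1633776000.104:504): arch=c000003e syscall=59 success=yes',
]

if __name__ == "__main__":
    for program in scan_lines(SAMPLE_LOG):
        print("coin miner CPU priority flag seen:", program)
```

Running the block reports the first two records only; the fourth record shows that an argument list longer than seven entries before the flag falls outside the rule's selectors, which is worth knowing when tuning it for a given environment.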
MITRE ATT&CK: Privilege Escalation (attack.privilege-escalation), T1068 (attack.t1068)
Rule Metadata
Rule ID
071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
Status
test
Level
critical
Type
Detection
Created
Sat Oct 09
Modified
Sun Dec 25
Path
rules/linux/auditd/execve/lnx_auditd_coinminer.yml
Raw Tags
attack.privilege-escalation, attack.t1068