Type: Detection | Level: high | Status: stable
Linux Crypto Mining Pool Connections
Detects outbound network connections from a process to a known Monero (XMR) crypto mining pool hostname
Log Source
Linux / Network Connection
Product: linux
Category: network_connection
Events for outbound and inbound network connections including DNS resolution.
Detection Logic (1 selector)
detection:
    selection:
        DestinationHostname:
            - 'pool.minexmr.com'
            - 'fr.minexmr.com'
            - 'de.minexmr.com'
            - 'sg.minexmr.com'
            - 'ca.minexmr.com'
            - 'us-west.minexmr.com'
            - 'pool.supportxmr.com'
            - 'mine.c3pool.com'
            - 'xmr-eu1.nanopool.org'
            - 'xmr-eu2.nanopool.org'
            - 'xmr-us-east1.nanopool.org'
            - 'xmr-us-west1.nanopool.org'
            - 'xmr-asia1.nanopool.org'
            - 'xmr-jp1.nanopool.org'
            - 'xmr-au1.nanopool.org'
            - 'xmr.2miners.com'
            - 'xmr.hashcity.org'
            - 'xmr.f2pool.com'
            - 'xmrpool.eu'
            - 'pool.hashvault.pro'
            - 'moneroocean.stream'
            - 'monerocean.stream'
    condition: selection

False Positives
Legitimate use of crypto miners
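To show what the selection above actually matches, here is the detection logic applied to a handful of network_connection events. This is an added example written for this page, not code from the Sigma project or from the rule's author; the pool hostnames are copied from the rule, the events are constructed (shaped like Sysmon for Linux network-connection fields: Image, DestinationHostname, DestinationIp, DestinationPort), and the matching follows Sigma's default semantics for a plain string value, which is a case-insensitive exact comparison with no wildcards.

```python
"""Run this rule's `selection` over constructed network_connection events.

Added example, not part of the Sigma project. The hostname list is copied
from the rule; the sample events below are constructed for illustration.
"""
import json
from typing import Iterable

# Values of `DestinationHostname` from the rule's `selection` block.
MINING_POOL_HOSTNAMES = [
    "pool.minexmr.com", "fr.minexmr.com", "de.minexmr.com", "sg.minexmr.com",
    "ca.minexmr.com", "us-west.minexmr.com", "pool.supportxmr.com",
    "mine.c3pool.com", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org",
    "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org",
    "xmr-asia1.nanopool.org", "xmr-jp1.nanopool.org", "xmr-au1.nanopool.org",
    "xmr.2miners.com", "xmr.hashcity.org", "xmr.f2pool.com", "xmrpool.eu",
    "pool.hashvault.pro", "moneroocean.stream", "monerocean.stream",
]


def sigma_string_match(value, pattern: str) -> bool:
    """Sigma default for a plain string value: case-insensitive exact match.

    The rule uses no wildcards or modifiers, so no substring or regex logic
    applies. A missing or non-string field value never matches.
    """
    if not isinstance(value, str):
        return False
    return value.lower() == pattern.lower()


def matches_rule(event: dict) -> bool:
    """`condition: selection`; a list under one field is an OR over its values."""
    host = event.get("DestinationHostname")
    return any(sigma_string_match(host, p) for p in MINING_POOL_HOSTNAMES)


def find_mining_connections(raw_events: Iterable[str]) -> list[dict]:
    """Parse JSON-lines events and return those the rule would alert on."""
    hits = []
    for line in raw_events:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if matches_rule(event):
            hits.append(event)
    return hits


# Constructed sample events (not real telemetry). The third event shows the
# match is case-insensitive; the fourth is a connection the sensor logged with
# an IP only, which this hostname-based rule cannot see; the fifth is a
# look-alike name that exact matching correctly ignores.
SAMPLE_EVENTS = """
{"Image": "/usr/bin/curl", "DestinationHostname": "github.com", "DestinationPort": 443}
{"Image": "/tmp/.x/xmrig", "DestinationHostname": "pool.supportxmr.com", "DestinationPort": 3333}
{"Image": "/tmp/.x/xmrig", "DestinationHostname": "XMR-EU1.NANOPOOL.ORG", "DestinationPort": 14444}
{"Image": "/tmp/.x/xmrig", "DestinationHostname": "", "DestinationIp": "203.0.113.10", "DestinationPort": 4444}
{"Image": "/usr/bin/python3", "DestinationHostname": "notpool.minexmr.com.example", "DestinationPort": 80}
"""

if __name__ == "__main__":
    for hit in find_mining_connections(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {hit['Image']} -> {hit['DestinationHostname']}:{hit['DestinationPort']}")
```

Running it flags the two xmrig events that carry a listed hostname and nothing else. The fourth event is the practical caveat: the rule keys on DestinationHostname, so the log source must populate that field (which depends on the sensor's DNS resolution); a miner configured with a hard-coded pool IP, a proxy, or a pool not on the list produces no hit, and the listed hostnames are equally easy to change on the attacker side. Pair this rule with process-name, command-line or CPU-usage based detections rather than relying on it alone.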
References
MITRE ATT&CK
Tactics: Impact (attack.impact)
Techniques: T1496 Resource Hijacking (attack.t1496)
Rule Metadata
Rule ID
a46c93b7-55ed-4d27-a41b-c259456c4746
Status
stable
Level
high
Type
Detection
Created
Tue Oct 26
Path
rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
Raw Tags
attack.impact, attack.t1496