
DNS Events Related To Mining Pools

Identifies clients that may be performing DNS lookups associated with common currency mining pools.

Author: Saw Winn Naung, Azure-Sentinel
Created: Thu Aug 19
Updated: Thu Jul 07
Rule ID: bf74135c-18e8-4a72-a926-0e4f47888c19
Category: network
Log Source
Product: Zeek (Bro) (raw: zeek)
Service: dns (raw: dns)
Detection Logic (3 selectors)
detection:
    selection:
        query|endswith:
            - 'monerohash.com'
            - 'do-dear.com'
            - 'xmrminerpro.com'
            - 'secumine.net'
            - 'xmrpool.com'
            - 'minexmr.org'
            - 'hashanywhere.com'
            - 'xmrget.com'
            - 'mininglottery.eu'
            - 'minergate.com'
            - 'moriaxmr.com'
            - 'multipooler.com'
            - 'moneropools.com'
            - 'xmrpool.eu'
            - 'coolmining.club'
            - 'supportxmr.com'
            - 'minexmr.com'
            - 'hashvault.pro'
            - 'xmrpool.net'
            - 'crypto-pool.fr'
            - 'xmr.pt'
            - 'miner.rocks'
            - 'walpool.com'
            - 'herominers.com'
            - 'gntl.co.uk'
            - 'semipool.com'
            - 'coinfoundry.org'
            - 'cryptoknight.cc'
            - 'fairhash.org'
            - 'baikalmine.com'
            - 'tubepool.xyz'
            - 'fairpool.xyz'
            - 'asiapool.io'
            - 'coinpoolit.webhop.me'
            - 'nanopool.org'
            - 'moneropool.com'
            - 'miner.center'
            - 'prohash.net'
            - 'poolto.be'
            - 'cryptoescrow.eu'
            - 'monerominers.net'
            - 'cryptonotepool.org'
            - 'extrmepool.org'
            - 'webcoin.me'
            - 'kippo.eu'
            - 'hashinvest.ws'
            - 'monero.farm'
            - 'linux-repository-updates.com'
            - '1gh.com'
            - 'dwarfpool.com'
            - 'hash-to-coins.com'
            - 'pool-proxy.com'
            - 'hashfor.cash'
            - 'fairpool.cloud'
            - 'litecoinpool.org'
            - 'mineshaft.ml'
            - 'abcxyz.stream'
            - 'moneropool.ru'
            - 'cryptonotepool.org.uk'
            - 'extremepool.org'
            - 'extremehash.com'
            - 'hashinvest.net'
            - 'unipool.pro'
            - 'crypto-pools.org'
            - 'monero.net'
            - 'backup-pool.com'
            - 'mooo.com' # Dynamic DNS, may want to exclude
            - 'freeyy.me'
            - 'cryptonight.net'
            - 'shscrypto.net'
    exclude_answers:
        answers:
            - '127.0.0.1'
            - '0.0.0.0'
    exclude_rejected:
        rejected: 'true'
    condition: selection and not 1 of exclude_*
False Positives

A DNS lookup does not necessarily mean a successful attempt. Verify a) whether there was a response, using the Zeek answers field; if there was, verify the connections (conn.log) to those IPs. b) Whether there was HTTP, SSL, or TLS activity to the domain that was queried: the http.log field is 'host' and the ssl/tls field is 'server_name'.
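The triage the False Positives note describes, as an added Python example that is not part of the rule or the SigmaHQ project: it mirrors the rule's condition with a short subset of the suffix list, then runs the answers / conn.log / http.log / ssl.log checks over constructed Zeek-style records (assumed to be Zeek JSON output, where `rejected` is a boolean rather than the string 'true').

```python
# Constructed sample Zeek logs (dicts shaped like Zeek's JSON output), not real capture data.
DNS_LOG = [
    {"uid": "C1", "id.orig_h": "10.0.0.5", "query": "pool.supportxmr.com",
     "answers": ["203.0.113.10"], "rejected": False},
    {"uid": "C2", "id.orig_h": "10.0.0.6", "query": "xmrpool.eu",
     "answers": [], "rejected": True},                       # rejected query
    {"uid": "C3", "id.orig_h": "10.0.0.7", "query": "box.mooo.com",
     "answers": ["127.0.0.1"], "rejected": False},           # loopback answer (excluded)
    {"uid": "C4", "id.orig_h": "10.0.0.8", "query": "minexmr.com",
     "answers": ["198.51.100.7"], "rejected": False},        # resolved, never connected
]
CONN_LOG = [{"id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 3333}]
HTTP_LOG = []                                                # http.log records, 'host' field
SSL_LOG = [{"id.orig_h": "10.0.0.5", "server_name": "pool.supportxmr.com"}]

# Short subset of the rule's query|endswith list; the full list is in the rule above.
POOL_SUFFIXES = ("supportxmr.com", "xmrpool.eu", "mooo.com", "minexmr.com")
EXCLUDED_ANSWERS = {"127.0.0.1", "0.0.0.0"}

def rule_matches(rec):
    """Mirror the Sigma condition: selection and not 1 of exclude_*."""
    selection = rec["query"].endswith(POOL_SUFFIXES)
    exclude_answers = any(a in EXCLUDED_ANSWERS for a in rec["answers"])
    exclude_rejected = rec["rejected"] is True  # assumption: Zeek JSON bool, not the string 'true'
    return selection and not (exclude_answers or exclude_rejected)

def triage(rec):
    """Apply the false-positive checks: did the query resolve, did the client
    connect to a returned IP, and was there HTTP/TLS traffic naming the domain?"""
    client, answers = rec["id.orig_h"], set(rec["answers"])
    connected = any(c["id.orig_h"] == client and c["id.resp_h"] in answers for c in CONN_LOG)
    app_layer = (any(h.get("host") == rec["query"] for h in HTTP_LOG if h.get("id.orig_h") == client)
                 or any(s.get("server_name") == rec["query"] for s in SSL_LOG if s.get("id.orig_h") == client))
    return {"resolved": bool(answers), "connected": connected, "app_layer": app_layer}

def prioritise():
    """Return (uid, triage) for every dns.log record the rule fires on, strongest evidence first."""
    hits = [(rec["uid"], triage(rec)) for rec in DNS_LOG if rule_matches(rec)]
    key = lambda h: (h[1]["app_layer"], h[1]["connected"], h[1]["resolved"])
    return sorted(hits, key=key, reverse=True)

if __name__ == "__main__":
    for uid, result in prioritise():
        print(uid, result)
```

C1 comes out with all three checks true (a real connection plus a TLS SNI naming the pool), while C4 only resolved; C2 and C3 are dropped by the rule's own exclusions.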

Rule Metadata
Rule ID
bf74135c-18e8-4a72-a926-0e4f47888c19
Status
test
Level
low
Type
Detection
Created
Thu Aug 19
Modified
Thu Jul 07
Path
rules/network/zeek/zeek_dns_mining_pools.yml
Raw Tags
attack.execution
attack.t1569.002
attack.impact
attack.t1496