Unusual outbound network connections to known cryptocurrency mining pools (typically Stratum endpoints) may indicate that an adversary is using compromised hosts to mine cryptocurrency at the organization's expense (resource hijacking). SOC teams should hunt proactively for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain it before it causes resource exhaustion and financial loss. The network hunt and the file-based YARA rule below complement each other: the query finds the pool traffic, the rule finds the miner binary on disk or in memory.
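The hunting logic described above, as an added example that is not part of the original page and not a Sentinel query: it is written in plain Python so it runs offline over a few constructed log lines, and the same logic would be expressed as a KQL query over your own network telemetry. The pool hostnames (`pool.example.net`, `xmr.example.org`), the Stratum port list and every sample log line are assumptions made up for illustration.

```python
"""Hunt for outbound connections to cryptocurrency mining pools.

Added example, not code from the original page or from Sentinel. The pool
hostnames, the Stratum port list and every log line are constructed.
"""
import json
import re
from typing import Dict, Iterable, List

# Assumed watchlist of mining-pool hostnames (constructed; in production this
# comes from threat intelligence, not a hard-coded tuple).
MINING_POOL_SUFFIXES = ("pool.example.net", "xmr.example.org")

# Ports frequently used by Stratum endpoints (assumption; tune to your data).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}

# Stratum URLs as they appear in miner command lines, e.g. stratum+tcp://host:3333
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl|tls)://([^\s:/]+):(\d+)", re.IGNORECASE)


def is_pool_host(host: str) -> bool:
    """True when host is, or is a subdomain of, a watch-listed pool."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MINING_POOL_SUFFIXES)


def classify(event: Dict) -> Dict:
    """Score one connection event; returns {'confidence': ..., 'reasons': [...]}.

    A watch-listed pool hostname or a Stratum URL in the command line is high
    confidence. A Stratum-style port on its own is low confidence: plenty of
    legitimate services use 4444 or 8888, so it is a lead, not an alert.
    """
    reasons: List[str] = []
    if event.get("direction") != "outbound":
        return {"confidence": "none", "reasons": reasons}
    host = event.get("remote_host", "")
    port = int(event.get("remote_port", 0))
    cmd = event.get("process_cmdline", "")
    if is_pool_host(host):
        reasons.append(f"destination {host} is a watch-listed mining pool")
    m = STRATUM_URL.search(cmd)
    if m:
        reasons.append(f"command line carries a Stratum URL to {m.group(1)}:{m.group(2)}")
    high = bool(reasons)
    if port in STRATUM_PORTS:
        reasons.append(f"remote port {port} is a common Stratum port")
    if high:
        confidence = "high"
    elif reasons:
        confidence = "low"
    else:
        confidence = "none"
    return {"confidence": confidence, "reasons": reasons}


def hunt(lines: Iterable[str], min_confidence: str = "low") -> List[Dict]:
    """Run classify() over JSON log lines and keep events at or above min_confidence."""
    rank = {"none": 0, "low": 1, "high": 2}
    hits = []
    for line in lines:
        ev = json.loads(line)
        verdict = classify(ev)
        if rank[verdict["confidence"]] >= rank[min_confidence]:
            hits.append({"host": ev["host"], "process": ev["process"], **verdict})
    return hits


# Constructed sample telemetry (not real logs). 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    '{"host": "web01", "process": "svchost.exe", "direction": "outbound", "remote_host": "eu.pool.example.net", "remote_port": 3333, "process_cmdline": "svchost.exe -k netsvcs"}',
    '{"host": "build07", "process": "updater.exe", "direction": "outbound", "remote_host": "203.0.113.10", "remote_port": 14444, "process_cmdline": "updater.exe -o stratum+tcp://203.0.113.10:14444 -u wallet"}',
    '{"host": "db02", "process": "chrome.exe", "direction": "outbound", "remote_host": "www.example.com", "remote_port": 443, "process_cmdline": "chrome.exe"}',
    '{"host": "app03", "process": "backup.exe", "direction": "outbound", "remote_host": "backup.example.com", "remote_port": 4444, "process_cmdline": "backup.exe --sync"}',
    '{"host": "web01", "process": "sshd", "direction": "inbound", "remote_host": "xmr.example.org", "remote_port": 22, "process_cmdline": "sshd"}',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["host"], hit["process"], hit["confidence"], "; ".join(hit["reasons"]))
```

Run as a script it prints two high-confidence hits (the watch-listed pool and the Stratum URL in a command line) and one low-confidence lead (port 4444 alone); the inbound SSH event to a pool-looking name is ignored because the hunt is for outbound traffic. The port-only tier exists so that the lead is kept for context without paging anyone.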
YARA Rule
rule bitcoin {
    meta:
        author = "x0r"
        description = "Perform crypto currency mining"
        version = "0.1"
    strings:
        // GPU/compute libraries that GPU miners load; nocase also matches OPENGL32.DLL
        $f1 = "OpenCL.dll" nocase
        $f2 = "nvcuda.dll" nocase
        $f3 = "opengl32.dll" nocase
        // Miner identifiers: $s1..$s3 are specific version strings (case-sensitive ASCII),
        // $s4 and $s5 are generic words and the main source of false positives
        $s1 = "cpuminer 2.2.2X-Mining-Extensions"
        $s2 = "cpuminer 2.2.3X-Mining-Extensions"
        $s3 = "Ufasoft bitcoin-miner/0.20"
        $s4 = "bitcoin" nocase
        $s5 = "stratum" nocase
    condition:
        // At least one library string and at least one miner string
        1 of ($f*) and 1 of ($s*)
}
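To see what the condition above actually accepts, here is the rule's matching logic re-implemented in plain Python as an added example (it is not code from the page and does not use YARA itself). It reproduces the strings, the nocase flag and the `1 of ($f*) and 1 of ($s*)` condition, runs them over constructed byte blobs that stand in for executables, and adds an illustrative tightened condition (an assumption of this example, not the rule's author's) for comparison.

```python
"""The 'bitcoin' YARA rule's matching logic, re-implemented in plain Python.

Added example, not code from the original page. The byte blobs below are
constructed stand-ins for executables, not real samples.
"""
import re
from typing import Dict, List, Tuple

# (identifier, pattern, nocase) copied from the rule. YARA strings without a
# modifier are case-sensitive ASCII; 'nocase' makes them case-insensitive.
# None of them carries 'wide', so UTF-16 text is never matched.
F_STRINGS: List[Tuple[str, bytes, bool]] = [
    ("$f1", b"OpenCL.dll", True),
    ("$f2", b"nvcuda.dll", True),
    ("$f3", b"opengl32.dll", True),
]
S_STRINGS: List[Tuple[str, bytes, bool]] = [
    ("$s1", b"cpuminer 2.2.2X-Mining-Extensions", False),
    ("$s2", b"cpuminer 2.2.3X-Mining-Extensions", False),
    ("$s3", b"Ufasoft bitcoin-miner/0.20", False),
    ("$s4", b"bitcoin", True),
    ("$s5", b"stratum", True),
]


def matched(data: bytes, strings) -> List[str]:
    """Identifiers of the strings present in data, honouring the nocase flag."""
    hits = []
    for ident, pat, nocase in strings:
        flags = re.IGNORECASE if nocase else 0
        if re.search(re.escape(pat), data, flags):
            hits.append(ident)
    return hits


def evaluate(data: bytes) -> Dict:
    """Condition of the rule as written: 1 of ($f*) and 1 of ($s*)."""
    f, s = matched(data, F_STRINGS), matched(data, S_STRINGS)
    return {"match": bool(f) and bool(s), "f": f, "s": s}


def evaluate_tightened(data: bytes) -> bool:
    """Illustrative tightening (an assumption, not the page's rule): require a
    miner-specific string ($s1..$s3), or a GPU library together with 'stratum'.
    The bare word 'bitcoin' next to opengl32.dll no longer suffices."""
    f, s = matched(data, F_STRINGS), matched(data, S_STRINGS)
    specific = any(i in s for i in ("$s1", "$s2", "$s3"))
    return specific or (bool(f) and "$s5" in s)


# Constructed stand-ins for file contents.
SAMPLES = {
    "gpu_miner": b"MZ\x90\x00nvcuda.dll\x00stratum+tcp://pool:3333\x00cpuminer 2.2.3X-Mining-Extensions\x00",
    "gui_wallet": b"MZ\x90\x00OPENGL32.DLL\x00Bitcoin Core wallet\x00",      # legitimate GUI wallet
    "game": b"MZ\x90\x00opengl32.dll\x00d3d9.dll\x00render loop\x00",          # OpenGL, no miner strings
    "cpu_miner": b"MZ\x90\x00stratum+tcp://pool:4444\x00cpuminer 2.2.2X-Mining-Extensions\x00",  # no GPU lib
    "utf16_wallet": b"MZ\x90\x00opengl32.dll\x00" + "bitcoin".encode("utf-16-le") + b"\x00",  # wide string
}


def report() -> Dict[str, Dict]:
    """Evaluate every sample under the rule as written and under the tightened variant."""
    return {name: {**evaluate(data), "tightened": evaluate_tightened(data)}
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:13} rule={r['match']!s:5} tightened={r['tightened']!s:5} f={r['f']} s={r['s']}")
```

The report shows the two failure modes a practitioner should expect from this rule: `gui_wallet` matches on nothing more than `OPENGL32.DLL` plus the word `Bitcoin` (false positive), while `cpu_miner`, which carries a miner-specific version string but no GPU library, and `utf16_wallet`, whose `bitcoin` string is UTF-16, do not match (false negatives). To confirm the same verdicts with the real engine, save the rule to a file and run `yara -s rule.yar <file>`, which prints the matching strings.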
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns: three library names ($f1 to $f3: OpenCL.dll, nvcuda.dll and opengl32.dll, all case-insensitive) and five miner identifiers ($s1 to $s5). It fires when at least one string from each group is present, so a file only needs to reference opengl32.dll and contain the word "bitcoin" or "stratum" to match; $f3, $s4 and $s5 are the weak strings and the source of most false positives, while a CPU-only miner that loads no GPU library is missed. None of the strings carries the wide modifier, so UTF-16 copies of the same text in a Unicode Windows binary are not matched.
Scenario: Scheduled cryptocurrency mining job for a legitimate mining pool (sanctioned mining on organization-owned hardware)
Filter/Exclusion: Exclude only the sanctioned miner binary, identified by its hash and install path, on the hosts and cron/Task Scheduler jobs registered for that purpose. Do not exclude by pool hostname or process name alone: an intruder can point a dropped miner at the same pool and name it whatever the exclusion expects.
Scenario: System administrator running a crypto mining benchmark test
Filter/Exclusion: Exclude the benchmark binary by hash, and only for the duration of the scheduled maintenance window recorded in the change ticket. Do not exclude on the account alone (root or Administrator): a miner dropped by an attacker who has already escalated privileges runs as exactly those users.
Scenario: Legitimate cryptocurrency wallet service running on the server
Filter/Exclusion: Exclude wallet and node daemons (e.g., bitcoind, litecoind) and GUI wallets that are part of the enterprise's blockchain infrastructure, identified by install path and hash on an inventory of the hosts that run them. A GUI wallet that references opengl32.dll and contains the word "bitcoin" satisfies the rule as written, so these hosts will otherwise generate recurring matches.
Scenario: Backup or archive job copying files that contain wallet or miner binaries
Filter/Exclusion: Exclude the repositories and staging directories written by backup tools (e.g., rsync, Veeam), since scanning an archive or disk image that holds a wallet or miner binary reproduces the match on the backup target; investigate the originating host instead.
Scenario: User running a miner in a lab or training environment for educational purposes
Filter/Exclusion: Exclude hosts in the designated lab host group or network segment (e.g., student or demo VMs) and the course's known sample files by hash. Keep the rule active everywhere else: an "educational" miner found on a production host is still an incident.
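The exclusion scenarios above, applied to rule matches in a form an attacker cannot satisfy for free, as an added example that is not part of the original page: suppression by SHA-256 of a sanctioned binary, by a ticketed change window for the benchmark tool, and by an inventory of wallet-node install paths and lab hosts. The user account is deliberately never consulted. Every hash, host, path, timestamp, ticket reference and match record is constructed for illustration.

```python
"""Triage of YARA matches against allow-lists.

Added example, not code from the original page. All sanctioned-binary
contents, hosts, paths, timestamps and match records are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Match:
    host: str
    path: str
    user: str
    content: bytes      # file bytes; in practice hash the file on disk instead
    seen: datetime


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the sanctioned binaries' contents.
BITCOIND_BUILD = b"sanctioned bitcoind build (constructed)"
BENCH_TOOL = b"sanctioned benchmark tool (constructed)"

# Hashes recorded when the wallet daemons were deployed.
SANCTIONED_HASHES = {sha256(BITCOIND_BUILD)}

# Benchmark tool allowed only inside its change window (ticket id is an assumption).
BENCHMARK_WINDOWS: Dict[str, Tuple[datetime, datetime, str]] = {
    sha256(BENCH_TOOL): (datetime(2024, 5, 4, 22, 0), datetime(2024, 5, 5, 2, 0), "CHG-0042"),
}

# Inventory of the blockchain infrastructure (host -> install root) and the teaching lab.
WALLET_NODES = {"btc-node-01": "/opt/bitcoin/", "btc-node-02": "/opt/bitcoin/"}
LAB_HOST_PREFIX = "lab-"


def exclusion_reason(m: Match) -> Optional[str]:
    """Why a match is suppressed, or None when it should become an alert."""
    digest = sha256(m.content)
    if digest in SANCTIONED_HASHES:
        return f"sanctioned binary {digest[:12]}"
    window = BENCHMARK_WINDOWS.get(digest)
    if window and window[0] <= m.seen <= window[1]:
        return f"benchmark within change window {window[2]}"
    install_root = WALLET_NODES.get(m.host)
    if install_root and m.path.startswith(install_root):
        return f"wallet node install path {install_root}"
    if m.host.startswith(LAB_HOST_PREFIX):
        return "designated lab host"
    # m.user is not examined: root/Administrator is exactly where a dropped miner runs.
    return None


def triage(matches: List[Match]) -> Tuple[List[Match], List[Tuple[Match, str]]]:
    """Split matches into alerts and (match, reason) pairs that were suppressed."""
    alerts: List[Match] = []
    suppressed: List[Tuple[Match, str]] = []
    for m in matches:
        why = exclusion_reason(m)
        if why:
            suppressed.append((m, why))
        else:
            alerts.append(m)
    return alerts, suppressed


MINER_BLOB = b"nvcuda.dll stratum+tcp://pool:3333 (constructed miner)"
T = datetime(2024, 5, 4, 23, 0)
MATCHES = [
    Match("btc-node-01", "/opt/bitcoin/bin/bitcoind", "bitcoin", BITCOIND_BUILD, T),
    Match("btc-node-02", "/opt/bitcoin/bin/bitcoin-qt", "bitcoin", b"gui wallet (constructed)", T),
    Match("btc-node-01", "/tmp/.x/kworker", "root", MINER_BLOB, T),          # wallet host, wrong path
    Match("build07", "/opt/bench/bench", "root", BENCH_TOOL, datetime(2024, 5, 4, 23, 30)),  # in window
    Match("build07", "/opt/bench/bench", "root", BENCH_TOOL, datetime(2024, 5, 6, 9, 0)),    # outside window
    Match("web01", "C:\\Windows\\Temp\\updater.exe", "Administrator", MINER_BLOB, T),
    Match("lab-03", "/home/student/miner-demo", "student", MINER_BLOB, T),
]

if __name__ == "__main__":
    alerts, suppressed = triage(MATCHES)
    for m, why in suppressed:
        print(f"suppressed {m.host}:{m.path} ({why})")
    for m in alerts:
        print(f"ALERT      {m.host}:{m.path} as {m.user}")
```

Run as a script, the sanctioned bitcoind, the GUI wallet under the node's install root, the in-window benchmark and the lab host are suppressed; the miner under /tmp on a wallet node, the benchmark binary outside its window and the Administrator-owned updater.exe on web01 stay as alerts, which is the behaviour the page's user-based exclusion would have got wrong.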