Crypto miners often use custom user-agent strings to mask their malicious activity, making them difficult to detect through standard means. Proactively hunting for these suspicious user-agent patterns in Azure Sentinel can help identify potential crypto mining operations before they cause significant resource consumption or data exfiltration.
KQL Query
let timeframe = 15m;
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal contains "XMRig" or HttpUserAgentOriginal contains "ccminer"
| extend Message = "Crypto Miner User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal
id: b619d1f1-7f39-4c7e-bf9e-afbb46457997
name: Cisco Umbrella - Crypto Miner User-Agent Detected
description: |
'Detects suspicious user agent strings used by crypto miners in proxy logs.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
query: |
let timeframe = 15m;
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal contains "XMRig" or HttpUserAgentOriginal contains "ccminer"
| extend Message = "Crypto Miner User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlOriginal
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
version: 1.1.2
kind: Scheduled
Scenario: A system administrator is using a crypto miner user-agent for testing purposes to simulate malicious activity in a controlled environment.
Filter/Exclusion: Exclude user agents associated with known testing tools like CryptoMinerTestAgent_v2.1 or any user agent containing the string test-miner.
Scenario: A scheduled job runs a script that uses a crypto miner user-agent for legitimate system monitoring or performance benchmarking.
Filter/Exclusion: Exclude user agents that match the script’s known identifiers, such as BenchmarkingTool-UserAgent-1.0 or any user agent containing benchmark.
Scenario: A legitimate enterprise application uses a crypto miner user-agent string as part of its internal logging or analytics system.
Filter/Exclusion: Exclude user agents that match the application’s internal logging format, such as InternalLogAgent_v3.5 or any user agent containing internal-log.
Scenario: A developer is using a crypto miner user-agent in a local development environment to mimic real-world traffic for testing purposes.
Filter/Exclusion: Exclude traffic originating from local IP ranges (e.g., 192.168.0.0/16, 10.0.0.0/8) or user agents containing dev-env or local-test.
Scenario: A legitimate security tool or SIEM system uses a crypto miner user-agent to simulate attacker behavior during penetration testing.
Filter/Exclusion: Exclude user agents that match the known penetration testing tools, such as PenTestTool-UserAgent-2023 or any user agent containing pentest or attack-sim.