Crypto miners often use custom user agent strings to mask their malicious activity, making them difficult to detect through standard means. Proactively hunting for these suspicious user agents in Azure Sentinel helps identify potential crypto mining operations early, reducing the risk of resource exhaustion and data exfiltration.
Detection Rule
title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: test
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
- https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
- https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth (Nextron Systems)
date: 2019-10-21
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|startswith:
# XMRig
- 'XMRig '
# CCMiner
- 'ccminer'
condition: selection
falsepositives:
- Unknown
level: high
imWebSession
| where HttpUserAgent startswith "XMRig " or HttpUserAgent startswith "ccminer"Scenario: System Monitoring Tool with Known Miner User Agent
Description: A legitimate system monitoring tool (e.g., Prometheus or Grafana) may use a user agent string that resembles a crypto miner.
Filter/Exclusion: Exclude user agents containing "Prometheus" or "Grafana" in the User-Agent field.
Scenario: Scheduled Job for Blockchain Data Sync
Description: A scheduled job (e.g., using cron or Task Scheduler) is syncing blockchain data and uses a user agent string that matches known miner patterns.
Filter/Exclusion: Exclude requests with User-Agent containing "blockchain-sync" or "blockchain-data".
Scenario: Admin Task Using Miner-like User Agent for Debugging
Description: An admin is testing or debugging a system using a tool like curl or wget with a custom user agent that mimics a miner.
Filter/Exclusion: Exclude requests with User-Agent containing "debug" or "test" and originating from known admin IPs.
Scenario: Legacy Proxy Server with Default User Agent
Description: A legacy proxy server (e.g., Squid) may use a default user agent string that matches known miner patterns.
Filter/Exclusion: Exclude requests from the proxy server’s internal IP range or where the User-Agent is "Squid/3.5".
Scenario: DevOps Tool with Miner-like User Agent
Description: A DevOps tool like Ansible or Jenkins may use a user agent string that appears to be a miner during automated tasks.
Filter/Exclusion: Exclude requests with User-Agent containing "Ansible" or "Jenkins" and originating from the DevOps tool’s IP range.