The Linux Crypto Mining Indicators rule detects potential crypto mining activity by identifying suspicious command line parameters and strings commonly associated with mining malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate unauthorized resource usage and potential financial loss from mining operations.
Detection Rule
title: Linux Crypto Mining Indicators
id: 9069ea3c-b213-4c52-be13-86506a227ab1
status: test
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2022-12-25
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
            - 'sh -c /sbin/modprobe msr allow_writes=on'
            # base64 encoded: --donate-level=
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    condition: selection
falsepositives:
    - Legitimate use of crypto miners
level: high
imProcessCreate
| where TargetProcessCommandLine contains " --cpu-priority="
    or TargetProcessCommandLine contains "--donate-level=0"
    or TargetProcessCommandLine contains " -o pool."
    or TargetProcessCommandLine contains " --nicehash"
    or TargetProcessCommandLine contains " --algo=rx/0 "
    or TargetProcessCommandLine contains "stratum+tcp://"
    or TargetProcessCommandLine contains "stratum+udp://"
    or TargetProcessCommandLine contains "sh -c /sbin/modprobe msr allow_writes=on"
    or TargetProcessCommandLine contains "LS1kb25hdGUtbGV2ZWw9"
    or TargetProcessCommandLine contains "0tZG9uYXRlLWxldmVsP"
    or TargetProcessCommandLine contains "tLWRvbmF0ZS1sZXZlbD"
    or TargetProcessCommandLine contains "c3RyYXR1bSt0Y3A6Ly"
    or TargetProcessCommandLine contains "N0cmF0dW0rdGNwOi8v"
    or TargetProcessCommandLine contains "zdHJhdHVtK3RjcDovL"
    or TargetProcessCommandLine contains "c3RyYXR1bSt1ZHA6Ly"
    or TargetProcessCommandLine contains "N0cmF0dW0rdWRwOi8v"
    or TargetProcessCommandLine contains "zdHJhdHVtK3VkcDovL"
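The selection above, reproduced as an added Python example (not part of the rule, the Sigma project or the query): it derives the three base64 alignment variants of each encoded keyword, which is why the rule carries three strings per keyword, and runs the full contains list over constructed sample command lines. The pool hostname and all sample commands are constructed test data, not real telemetry.

```python
import base64

# Plain-text indicators taken from the rule above.
PLAIN_INDICATORS = [
    " --cpu-priority=", "--donate-level=0", " -o pool.", " --nicehash",
    " --algo=rx/0 ", "stratum+tcp://", "stratum+udp://",
    "sh -c /sbin/modprobe msr allow_writes=on",
]


def base64_variants(s: str) -> list[str]:
    """Return the three alignment-independent base64 forms of `s`.

    A string buried inside a base64 blob encodes differently depending on
    whether it starts 0, 1 or 2 bytes into a 3-byte group. Prefixing 0, 1
    or 2 dummy bytes covers all three cases; the output characters that also
    depend on the dummy bytes, or on whatever follows `s`, are cut off.
    """
    raw = s.encode()
    out = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + raw).decode()
        start = -(-8 * k // 6)            # chars fully covered by prefix bits
        end = (8 * (k + len(raw))) // 6   # last char fully determined by data
        out.append(enc[start:end])
    return out


# Regenerates the nine encoded strings in the rule, in the rule's order.
ENCODED_INDICATORS = [
    v for s in ("--donate-level=", "stratum+tcp://", "stratum+udp://")
    for v in base64_variants(s)
]


def matched_indicators(cmdline: str) -> list[str]:
    """Equivalent of the rule's `CommandLine|contains` selection."""
    return [i for i in PLAIN_INDICATORS + ENCODED_INDICATORS if i in cmdline]


# Constructed sample process_creation command lines (not real telemetry).
SAMPLE_EVENTS = {
    "miner": "xmrig -o pool.example.invalid:3333 --donate-level=0 --algo=rx/0 -k",
    "encoded": 'bash -c "echo LS1kb25hdGUtbGV2ZWw9MA== | base64 -d"',
    "stress": "stress-ng --cpu 4 --timeout 60s",     # benign, must not match
    "backup": "dd if=/dev/sda of=/backup/disk.img bs=4M",  # benign, must not match
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_EVENTS.items():
        print(f"{name:8s} -> {matched_indicators(cmd)}")
```

The two benign samples show that the rule's literal strings do not fire on stress tests or dd backups by themselves; exclusions for those are only needed where a site-specific wrapper adds one of the listed tokens.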
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance script uses nice or ionice to prioritize CPU usage for a background task.
Filter/Exclusion: Exclude processes with nice or ionice if the command includes a known maintenance script path (e.g., /usr/local/bin/maintenance.sh).
Scenario: Docker Container Runtime
Description: A Docker container runs a mining-related command as part of a containerized application, such as cpuminer or xmrig, but is properly isolated.
Filter/Exclusion: Exclude processes running inside Docker containers by checking the container field in the event or using a container ID filter.
Scenario: Admin Task for CPU Stress Testing
Description: An administrator runs a CPU stress test using stress-ng or stress with parameters that resemble mining commands (e.g., stress --cpu 4).
Filter/Exclusion: Exclude processes containing the string stress-ng or stress if the command includes --cpu or --io flags.
Scenario: Backup Job Using dd or rsync
Description: A backup job uses dd or rsync with command-line options that may be misinterpreted as mining activity (e.g., dd if=/dev/sda of=/backup.img).
Filter/Exclusion: Exclude processes containing dd or rsync if the command includes paths to known backup directories (e.g., /backup/ or /mnt/backup/).
Scenario: User-Initiated Mining for Educational Purposes
Description: A user or developer runs a mining tool (e.g., minerd, cpuminer) for educational or testing purposes on a personal VM.
Filter/