Adversaries may establish connections to Monero crypto mining pools to covertly execute mining operations on compromised Linux systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential resource exploitation and unauthorized cryptocurrency mining activities.
Detection Rule
title: Linux Crypto Mining Pool Connections
id: a46c93b7-55ed-4d27-a41b-c259456c4746
status: stable
description: Detects process connections to a Monero crypto mining pool
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        DestinationHostname:
            - 'pool.minexmr.com'
            - 'fr.minexmr.com'
            - 'de.minexmr.com'
            - 'sg.minexmr.com'
            - 'ca.minexmr.com'
            - 'us-west.minexmr.com'
            - 'pool.supportxmr.com'
            - 'mine.c3pool.com'
            - 'xmr-eu1.nanopool.org'
            - 'xmr-eu2.nanopool.org'
            - 'xmr-us-east1.nanopool.org'
            - 'xmr-us-west1.nanopool.org'
            - 'xmr-asia1.nanopool.org'
            - 'xmr-jp1.nanopool.org'
            - 'xmr-au1.nanopool.org'
            - 'xmr.2miners.com'
            - 'xmr.hashcity.org'
            - 'xmr.f2pool.com'
            - 'xmrpool.eu'
            - 'pool.hashvault.pro'
            - 'moneroocean.stream'
            - 'monerocean.stream'
    condition: selection
falsepositives:
    - Legitimate use of crypto miners
level: high
imNetworkSession
| where DstHostname in~ ("pool.minexmr.com", "fr.minexmr.com", "de.minexmr.com", "sg.minexmr.com", "ca.minexmr.com", "us-west.minexmr.com", "pool.supportxmr.com", "mine.c3pool.com", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-asia1.nanopool.org", "xmr-jp1.nanopool.org", "xmr-au1.nanopool.org", "xmr.2miners.com", "xmr.hashcity.org", "xmr.f2pool.com", "xmrpool.eu", "pool.hashvault.pro", "moneroocean.stream", "monerocean.stream")
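As an added example (not part of the Sigma rule or the Sentinel query above), the following Python applies the same pool hostname list to constructed network_connection records, matching case-insensitively like KQL's `in~`, tolerating a trailing dot in the hostname, and applying a hypothetical allowlist of the kind the exclusion scenarios below describe. The record format, field names and allowlist entries are assumptions.

```python
"""Added example: apply the rule's Monero-pool hostname list to constructed
network_connection records, case-insensitively as KQL's `in~` does."""
from dataclasses import dataclass

# Destination hostnames from the rule's `selection`, lower-cased once.
MINING_POOLS = frozenset(h.lower() for h in (
    "pool.minexmr.com", "fr.minexmr.com", "de.minexmr.com", "sg.minexmr.com",
    "ca.minexmr.com", "us-west.minexmr.com", "pool.supportxmr.com",
    "mine.c3pool.com", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org",
    "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org",
    "xmr-asia1.nanopool.org", "xmr-jp1.nanopool.org", "xmr-au1.nanopool.org",
    "xmr.2miners.com", "xmr.hashcity.org", "xmr.f2pool.com", "xmrpool.eu",
    "pool.hashvault.pro", "moneroocean.stream", "monerocean.stream",
))
# Hypothetical allowlist standing in for the exclusion scenarios that follow
# (package mirrors, internal services); checked before the pool match.
ALLOWLIST = frozenset({"archive.ubuntu.com", "logserver.example.com"})

@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    dst_hostname: str

def normalize_hostname(name: str) -> str:
    """Lower-case and drop a trailing dot so `Pool.SupportXMR.com.` matches."""
    return name.strip().lower().rstrip(".")

def parse_event(line: str) -> dict:
    """Parse one constructed `key=value` network_connection record."""
    return dict(field.split("=", 1) for field in line.split())

def detect(lines):
    """Alert on each event whose destination is a listed pool and not
    allowlisted; mirrors `| where DstHostname in~ (...)`."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        dst = normalize_hostname(ev.get("DstHostname", ""))
        if dst in ALLOWLIST or dst not in MINING_POOLS:
            continue
        alerts.append(Alert(ev["Host"], ev["Process"], dst))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "Host=web01 Process=/usr/bin/apt DstHostname=archive.ubuntu.com DstPort=80",
    "Host=web01 Process=/opt/unknown/miner DstHostname=Pool.SupportXMR.com DstPort=443",
    "Host=db02 Process=/usr/bin/curl DstHostname=xmr-eu1.nanopool.org. DstPort=14433",
    "Host=db02 Process=/usr/sbin/sshd DstHostname=bastion.internal DstPort=22",
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts (the mixed-case supportxmr record and the nanopool record with a trailing dot); the apt and ssh records do not match.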
Scenario: System Update via apt or yum
Description: A legitimate system update process may temporarily connect to external repositories or mirrors, which could be mistaken for a mining pool connection.
Filter/Exclusion: Exclude connections to known package repositories (e.g., http://archive.ubuntu.com, https://repo.yarnpkg.com).
Scenario: Scheduled Job Using cron or systemd
Description: A scheduled job, such as a backup or log rotation script, might use external services or APIs that resemble mining pool connections.
Filter/Exclusion: Exclude connections to internal or known external services used by the organization (e.g., https://api.example.com, https://internal.metrics.service).
Scenario: Admin Task Using ssh or scp
Description: An administrator might use ssh or scp to transfer files to a remote server, which could be misinterpreted as a mining connection.
Filter/Exclusion: Exclude connections to known internal hosts or IPs used for administrative tasks (e.g., ssh -p 22 <admin-user>@<admin-host>, with the placeholders replaced by the organization's approved administrative accounts and hosts).
Scenario: Log Collection or Monitoring Tool (e.g., Fluentd, Logstash)
Description: A log aggregation tool might connect to a remote server for data transmission, which could be flagged as a mining pool connection.
Filter/Exclusion: Exclude connections to known log aggregation services (e.g., https://logserver.example.com, tcp://10.10.10.10:12345).
Scenario: Docker or Kubernetes Container Communication
Description: Containers may communicate with external services or internal services within a Kubernetes cluster, which could be mistaken for mining pool connections.
*Filter