Analytics Story: XMRig

Description

Leverage searches that allow you to detect and investigate unusual activity that may relate to the XMRig Monero miner: file writes associated with its payload, its process command line, defense evasion (stopping services, deleting user accounts, modifying file or folder permissions, killing competing malware or other coin miners) and the use of tools such as Telegram as a Command and Control (C2) channel to download further files.

Adversaries may leverage the resources of co-opted systems to solve resource-intensive problems, which can impact system and/or hosted service availability. One common purpose of Resource Hijacking is to validate transactions on cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to degrade performance or render affected machines unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.

Why it matters

XMRig is a high-performance, open-source, cross-platform unified CPU/GPU miner for the RandomX, KawPow, CryptoNight and AstroBWT algorithms. The miner has been seen in the wild since May 2017.

Detections

Name | Technique | Type
Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP
Deleting Of Net Users | Account Access Removal | TTP
Disable Windows App Hotkeys | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP
Disabling Net User Account | Account Access Removal | TTP
Download Files Using Telegram | Ingress Tool Transfer | TTP
Enumerate Users Local Group Using Telegram | Account Discovery | TTP
Excessive Attempt To Disable Services | Service Stop | Anomaly
Excessive Service Stop Attempt | Service Stop | Anomaly
Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly
Excessive Usage Of Net App | Account Access Removal | Anomaly
Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Anomaly
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Hide User Account From Sign-In Screen | Disable or Modify Tools, Impair Defenses | TTP
Icacls Deny Command | File and Directory Permissions Modification | TTP
ICACLS Grant Command | File and Directory Permissions Modification | TTP
Modify ACL permission To Files Or Folder | File and Directory Permissions Modification | Anomaly
Process Kill Base On File Path | Disable or Modify Tools, Impair Defenses | TTP
Schtasks Run Task On Demand | Scheduled Task/Job | TTP
Suspicious Driver Loaded Path | Windows Service, Create or Modify System Process | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
XMRIG Driver Loaded | Windows Service, Create or Modify System Process | TTP

Type TTP marks a search for a specific adversary technique; Type Anomaly marks a threshold-based search (for example, a count of taskkill or net executions per host in a time window) that needs corroboration before it is acted on.
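The description and the detections table above list the behaviours this story hunts for but not the logic behind them. The following Python is an added illustration, not Splunk's own searches and not code from this page: it reimplements five of the listed checks (Excessive Usage Of Taskkill, Deleting Of Net Users, Icacls Deny/Grant Command, Download Files Using Telegram, XMRIG Driver Loaded) over constructed Sysmon EventID 1, 6 and 11 records. The event field names, the sample hosts and command lines, and the taskkill threshold of 10 are assumptions of this example; the WinRing0 driver check reflects XMRig's known use of that driver for MSR tuning, which this page does not mention.

```python
"""Behavioural checks from the XMRig analytics story, run over constructed Sysmon events.

Added example: this is not Splunk's detection content. Rule logic, field names in the
constructed events and the taskkill threshold are assumptions of this example; the
WinRing0 driver check reflects XMRig's known use of that driver, not this page.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EXECUTABLE_EXTS = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")
XMRIG_DRIVERS = ("\\winring0x64.sys", "\\winring0.sys")  # MSR-tweak driver shipped with XMRig


def make_event(event_id, computer, **data):
    """Build a minimal Sysmon-style XML record (constructed input for this example)."""
    fields = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>")


def parse_event(xml_text):
    """Flatten one Sysmon XML event into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
          "Computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for d in root.iterfind("e:EventData/e:Data", namespaces=NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def image_name(ev):
    """Basename of the Image field, lower-cased, so path and case variants compare equal."""
    return ev.get("Image", "").rsplit("\\", 1)[-1].lower()


# Per-event rules. EventID 1 = process create, 6 = driver load, 11 = file create.

def rule_net_user_delete(ev):
    """net.exe / net1.exe removing a local account (Account Access Removal)."""
    return (ev["EventID"] == 1 and image_name(ev) in ("net.exe", "net1.exe")
            and bool(re.search(r"\buser\b.*\s/delete\b", ev.get("CommandLine", ""), re.I)))


def rule_icacls(ev):
    """icacls / cacls changing an ACL; returns 'Deny', 'Grant' or None."""
    if ev["EventID"] == 1 and image_name(ev) in ("icacls.exe", "cacls.exe"):
        m = re.search(r"\s/(deny|grant)\b", ev.get("CommandLine", ""), re.I)
        if m:
            return m.group(1).capitalize()
    return None


def rule_telegram_download(ev):
    """Telegram writing an executable to disk (Ingress Tool Transfer over the C2 channel)."""
    return (ev["EventID"] == 11 and image_name(ev) == "telegram.exe"
            and ev.get("TargetFilename", "").lower().endswith(EXECUTABLE_EXTS))


def rule_xmrig_driver(ev):
    """Driver load of WinRing0, which XMRig drops to program MSRs for RandomX mining."""
    return ev["EventID"] == 6 and ev.get("ImageLoaded", "").lower().endswith(XMRIG_DRIVERS)


def run_detections(events_xml, taskkill_threshold=10):
    """Return (host, rule name, evidence) tuples.

    The taskkill rule is count-based like the story's Anomaly detections. A production
    search buckets the count per time window; here the whole sample is one window.
    """
    findings, taskkill = [], Counter()
    for ev in map(parse_event, events_xml):
        host, cmd = ev["Computer"], ev.get("CommandLine", "")
        if ev["EventID"] == 1 and image_name(ev) == "taskkill.exe":
            taskkill[host] += 1
        if rule_net_user_delete(ev):
            findings.append((host, "Deleting Of Net Users", cmd))
        acl = rule_icacls(ev)
        if acl:
            findings.append((host, f"Icacls {acl} Command", cmd))
        if rule_telegram_download(ev):
            findings.append((host, "Download Files Using Telegram", ev["TargetFilename"]))
        if rule_xmrig_driver(ev):
            findings.append((host, "XMRIG Driver Loaded", ev["ImageLoaded"]))
    for host, n in taskkill.items():
        if n >= taskkill_threshold:
            findings.append((host, "Excessive Usage Of Taskkill", f"{n} taskkill executions"))
    return findings


def constructed_events():
    """Sample telemetry for two hosts; every value here is constructed for the example."""
    sys32 = r"C:\Windows\System32"
    # HOST-A kills twelve processes in a row, the way a miner clears out competitors.
    events = [make_event(1, "HOST-A", Image=rf"{sys32}\taskkill.exe",
                         CommandLine=f"taskkill /f /im competitor{i}.exe") for i in range(12)]
    events += [
        make_event(1, "HOST-B", Image=rf"{sys32}\taskkill.exe",  # a single benign kill
                   CommandLine="taskkill /f /im notepad.exe"),
        make_event(1, "HOST-A", Image=rf"{sys32}\net.exe",
                   CommandLine="net user backupadmin /delete"),
        make_event(1, "HOST-A", Image=rf"{sys32}\icacls.exe",
                   CommandLine=r"icacls C:\ProgramData\svc /deny Everyone:(F)"),
        make_event(11, "HOST-B", Image=r"C:\Users\u\AppData\Roaming\Telegram Desktop\Telegram.exe",
                   TargetFilename=r"C:\Users\u\Downloads\Telegram Desktop\update.exe"),
        make_event(6, "HOST-A", ImageLoaded=r"C:\ProgramData\svc\WinRing0x64.sys"),
    ]
    return events


if __name__ == "__main__":
    for host, rule, evidence in run_detections(constructed_events()):
        print(f"{host:7} {rule:30} {evidence}")
```

Run stand-alone it prints five findings: four on HOST-A (taskkill count, account deletion, ACL deny, driver load) and the Telegram file write on HOST-B, while HOST-B's single taskkill stays below the threshold. Raising the threshold is what separates the Anomaly-type rule from the TTP-type ones: the latter fire on a single matching event, the former only on volume.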

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 (process creation) | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 (driver loaded) | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 (file created) | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 (registry object added or deleted) | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 (registry value set) | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 15 (file stream created) | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 (process creation) | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4798 (user's local group membership enumerated) | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1