Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the XMRig Monero miner, including looking for file writes associated with its payload, process command lines, defense evasion (killing services, deleting users, modifying file or folder permissions, killing other malware or other coin miners) and hacking tools, including Telegram used as a means of Command and Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems to solve resource-intensive problems, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based systems (2) are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-05-07
- Author: Teoderick Contreras, Rod Soto, Splunk
- ID: 06723e6a-6bd8-4817-ace2-5fb8a7b06628
Narrative
XMRig is a high-performance, open-source, cross-platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This Monero miner was seen in the wild in May 2017.
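The description above ties the story together by looking for several defense-evasion and ingress behaviours on the same host (service stop/delete, net user tampering, cacls/icacls permission changes, taskkill, executables written by Telegram). The following is an added example, not Splunk or ESCU code: it correlates those behaviours per host over constructed event dicts shaped like Endpoint.Processes and Endpoint.Filesystem rows (dest, process_name, process, file_name); the rule labels and thresholds are hypothetical.

```python
# Added example (not Splunk/ESCU code): correlate XMRig-style defense-evasion
# activity per host. Event dicts are constructed, shaped like Endpoint.Processes /
# Endpoint.Filesystem rows (dest, process_name, process, file_name).
import re
from collections import defaultdict

def _cmd(pattern):
    """Predicate: case-insensitive regex search over the event's command line."""
    rx = re.compile(pattern, re.I)
    return lambda ev: bool(rx.search(ev.get("process", "")))

# Hypothetical rule labels, loosely mirroring the story's TTP/Anomaly detections.
RULES = {
    "service_stop_or_delete": _cmd(r"\b(sc(\.exe)?\s+(stop|delete|config)|net1?(\.exe)?\s+stop)\b"),
    "net_user_tamper": _cmd(r"\bnet1?(\.exe)?\s+user\b.*\s/(delete|add|active:no)\b"),
    "acl_deny_or_grant": _cmd(r"\b(cacls|icacls|xcacls)(\.exe)?\b.*\s/(deny|grant|d|g|p)\b"),
    "process_kill": _cmd(r"\btaskkill(\.exe)?\b.*\s/(f|im|pid)\b"),
    # executable written to disk by Telegram (Ingress Tool Transfer via Telegram)
    "telegram_download": lambda ev: ev.get("process_name", "").lower() == "telegram.exe"
    and ev.get("file_name", "").lower().endswith((".exe", ".dll", ".bat", ".ps1")),
}

def classify(event):
    """Return the labels of every rule the event satisfies."""
    return [label for label, pred in RULES.items() if pred(event)]

def correlate(events, min_categories=3, min_events=5):
    """Flag hosts showing >= min_categories distinct behaviours, or >= min_events
    matching events (the story's 'excessive usage' anomaly signal)."""
    per_host = defaultdict(lambda: {"categories": set(), "count": 0})
    for ev in events:
        labels = classify(ev)
        if labels:
            host = per_host[ev["dest"]]
            host["categories"].update(labels)
            host["count"] += 1
    return {dest: {"categories": sorted(h["categories"]), "count": h["count"]}
            for dest, h in per_host.items()
            if len(h["categories"]) >= min_categories or h["count"] >= min_events}

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"dest": "ws01", "process_name": "sc.exe", "process": "sc.exe stop WinDefend"},
    {"dest": "ws01", "process_name": "sc.exe", "process": "sc.exe delete WinDefend"},
    {"dest": "ws01", "process_name": "net.exe", "process": "net.exe user guest /delete"},
    {"dest": "ws01", "process_name": "cacls.exe", "process": "cacls.exe C:\\Users\\Public\\x.exe /e /d Everyone"},
    {"dest": "ws01", "process_name": "taskkill.exe", "process": "taskkill.exe /f /im othercoinminer.exe"},
    {"dest": "ws01", "process_name": "Telegram.exe", "file_name": "C:\\Users\\u\\Downloads\\payload.exe"},
    {"dest": "ws02", "process_name": "net.exe", "process": "net.exe user alice /add"},  # lone admin action
]
FLAGGED = correlate(SAMPLE_EVENTS)  # only ws01: five behaviour categories, six events
```

A single `net user /add` on ws02 stays below both thresholds, which is the point of correlating across the story's detections rather than alerting on each one in isolation.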
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP |
| Attempt To Delete Services | Service Stop, Create or Modify System Process, Windows Service | TTP |
| Attempt To Disable Services | Service Stop | TTP |
| Create Local Admin Accounts Using Net Exe | Local Account, Create Account | Anomaly |
| Create Local User Accounts Using Net Exe | Local Account, Create Account | Anomaly |
| Delete A Net User | Account Access Removal | Anomaly |
| Deleting Of Net Users | Account Access Removal | TTP |
| Deny Permission using Cacls Utility | File and Directory Permissions Modification | TTP |
| Disable Net User Account | Service Stop, Valid Accounts | TTP |
| Disable Windows App Hotkeys | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling Net User Account | Account Access Removal | TTP |
| Download Files Using Telegram | Ingress Tool Transfer | TTP |
| Enumerate Users Local Group Using Telegram | Account Discovery | TTP |
| Excessive Attempt To Disable Services | Service Stop | Anomaly |
| Excessive Service Stop Attempt | Service Stop | Anomaly |
| Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly |
| Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Grant Permission Using Cacls Utility | File and Directory Permissions Modification | TTP |
| Hide User Account From Sign-In Screen | Disable or Modify Tools, Impair Defenses | TTP |
| ICACLS Grant Command | File and Directory Permissions Modification | TTP |
| Icacls Deny Command | File and Directory Permissions Modification | TTP |
| Modify ACL permission To Files Or Folder | File and Directory Permissions Modification | Anomaly |
| Modify ACLs Permission Of Files Or Folders | File and Directory Permissions Modification | Anomaly |
| Process Kill Base On File Path | Disable or Modify Tools, Impair Defenses | TTP |
| Schtasks Run Task On Demand | Scheduled Task/Job | TTP |
| Suspicious Driver Loaded Path | Windows Service, Create or Modify System Process | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| XMRIG Driver Loaded | Windows Service, Create or Modify System Process | TTP |
Reference
Version: 1