
Description

Leverage searches that allow you to detect and investigate unusual activity that might relate to the XMRig Monero miner, including file writes associated with its payload, process command lines, defense evasion (killing services, deleting users, modifying file or folder permissions, killing other malware or competing coin miners) and hacking tools, including Telegram used as a means of command and control (C2) to download other files. Adversaries may leverage the resources of co-opted systems to solve resource-intensive problems, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-05-07
  • Author: Teoderick Contreras, Rod Soto, Splunk
  • ID: 06723e6a-6bd8-4817-ace2-5fb8a7b06628

Narrative

XMRig is a high-performance, open-source, cross-platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This miner was seen in the wild in May 2017.
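The description above lists the behaviours the story's searches look for: service stops, net user deletion and disabling, cacls/icacls permission changes, taskkill against other processes, and schtasks running tasks on demand. As an added illustration that is not part of the original page or of the Splunk ESCU content, the following Python applies simplified versions of those checks to constructed process events shaped like the Endpoint.Processes datamodel fields (dest, process_name, process) and escalates hosts that combine several of them; the regexes, labels and threshold are this example's assumptions, not the story's actual SPL.

```python
import re

# Constructed sample events (not real telemetry) in Endpoint.Processes shape:
# dest = host, process_name = image name, process = full command line.
EVENTS = [
    {"dest": "ws01", "process_name": "net.exe",      "process": "net user backup_svc /delete"},
    {"dest": "ws01", "process_name": "net.exe",      "process": "net user guest /active:no"},
    {"dest": "ws01", "process_name": "sc.exe",       "process": "sc stop MBAMService"},
    {"dest": "ws01", "process_name": "cacls.exe",    "process": "cacls C:\\Windows\\Temp /e /p everyone:n"},
    {"dest": "ws01", "process_name": "icacls.exe",   "process": "icacls C:\\Users\\Public /deny Everyone:(F)"},
    {"dest": "ws01", "process_name": "taskkill.exe", "process": "taskkill /f /im xmrig.exe"},
    {"dest": "ws01", "process_name": "schtasks.exe", "process": "schtasks /run /tn Updater"},
    {"dest": "ws02", "process_name": "net.exe",      "process": "net use Z: \\\\fileserver\\share"},
    {"dest": "ws02", "process_name": "icacls.exe",   "process": "icacls C:\\app /grant Users:(RX)"},
]

# Simplified rules (assumed for this example): behaviour label, image name,
# case-insensitive regex over the command line. Each mirrors one behaviour
# class named in the story description, not a specific ESCU search.
RULES = [
    ("net_user_delete",  "net.exe",      r"\buser\b.*\s/delete\b"),
    ("net_user_disable", "net.exe",      r"\buser\b.*\s/active:no\b"),
    ("service_stop",     "sc.exe",       r"\bstop\b"),
    ("cacls_deny",       "cacls.exe",    r"/p\s+\S+:n\b"),
    ("icacls_deny",      "icacls.exe",   r"/deny\b"),
    ("icacls_grant",     "icacls.exe",   r"/grant\b"),
    ("taskkill_image",   "taskkill.exe", r"/im\s+\S+"),
    ("schtasks_run",     "schtasks.exe", r"/run\b"),
]

def match_event(event):
    """Return the behaviour labels whose rule fires on a single process event."""
    hits = []
    for label, image, pattern in RULES:
        if event["process_name"].lower() == image and re.search(pattern, event["process"], re.I):
            hits.append(label)
    return hits

def score_hosts(events, threshold=3):
    """Collect distinct behaviours per host and return only hosts at or above
    the threshold: one cacls or net command is routine admin work, but a host
    stacking several of these in one window looks like the miner's defense
    evasion described in the story (the idea behind its 'Excessive ...' anomalies)."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["dest"], set()).update(match_event(ev))
    return {host: sorted(labels) for host, labels in per_host.items() if len(labels) >= threshold}
```

In a Splunk deployment the same idea is expressed as a tstats search over the Endpoint.Processes datamodel grouped by dest, with the per-host distinct count of matching behaviours as the anomaly score.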

Detections

| Name | Technique | Type |
|---|---|---|
| Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP |
| Attempt To Disable Services | Service Stop | TTP |
| Attempt To delete Services | Service Stop | TTP |
| Delete A Net User | Service Stop | Anomaly |
| Deleting Of Net Users | Account Access Removal | TTP |
| Deny Permission using Cacls Utility | File and Directory Permissions Modification | TTP |
| Disable Net User Account | Service Stop | TTP |
| Disable Windows App Hotkeys | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Net User Account | Account Access Removal | TTP |
| Download Files Using Telegram | Ingress Tool Transfer | TTP |
| Enumerate Users Local Group Using Telegram | Account Discovery | TTP |
| Excessive Attempt To Disable Services | Service Stop | Anomaly |
| Excessive Service Stop Attempt | Service Stop | Anomaly |
| Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly |
| Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | TTP |
| Grant Permission Using Cacls Utility | File and Directory Permissions Modification | TTP |
| Hide User Account From Sign-In Screen | Disable or Modify Tools, Impair Defenses | TTP |
| ICACLS Grant Command | File and Directory Permissions Modification | TTP |
| Icacls Deny Command | File and Directory Permissions Modification | TTP |
| Modify ACL permission To Files Or Folder | File and Directory Permissions Modification | TTP |
| Modify ACLs Permission Of Files Or Folders | File and Directory Permissions Modification | Anomaly |
| Process Kill Base On File Path | Disable or Modify Tools, Impair Defenses | TTP |
| Schtasks Run Task On Demand | Scheduled Task/Job | TTP |
| Suspicious Driver Loaded Path | Windows Service, Create or Modify System Process | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| XMRIG Driver Loaded | Windows Service, Create or Modify System Process | TTP |

Version: 1