Detection rules › Kusto Query Language
Chia_Crypto_Mining IOC - June 2021
Identifies a match across IOCs related to Chia cryptocurrency farming/plotting activity.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1496 Resource Hijacking |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: source
WindowsEvent
Stage 2: where
  and
    EventData match "process"
    EventID eq "4688"
Stage 3: extend
Stage 4: where
NewProcessName match "process"
Stage 5: extend
Stage 6: extend
Stage 7: extend
Stage 8: project
Stage 9: extend
Stage 10: extend
Stage 11: extend
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventData | match | "process" |
| EventID | eq | "4688" |
| NewProcessName | match | "process" |