Detection rules › Sigma
Network Communication With Crypto Mining Pool
Detects initiated network connections to crypto mining pools
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1496 Resource Hijacking |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 3 | Network connection |
Stages and Predicates
Stage 1: selection
DestinationHostname: [...]
Indicators
Each row is a field, operator, and value that the rule matches on. The corpus column counts how many other rules in the catalog look for the same combination: a high number points to a widely used, community-vetted indicator, while a blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| DestinationHostname | eq | the hostnames listed under Stage 1: selection |