XMRig

Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2021-05-07
• Author: Teoderick Contreras, Rod Soto Splunk
• ID: 06723e6a-6bd8-4817-ace2-5fb8a7b06628

Narrative

XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This monero is seen in the wild on May 2017.

Detections

Name	Technique	Type
Attacker Tools On Endpoint	Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning	TTP
Attempt To Delete Services	Service Stop, Create or Modify System Process, Windows Service	TTP
Attempt To Disable Services	Service Stop	TTP
Delete A Net User	Account Access Removal	Anomaly
Deleting Of Net Users	Account Access Removal	TTP
Deny Permission using Cacls Utility	File and Directory Permissions Modification	TTP
Disable Net User Account	Service Stop, Valid Accounts	TTP
Disable Windows App Hotkeys	Disable or Modify Tools, Impair Defenses, Modify Registry	TTP
Disabling Net User Account	Account Access Removal	TTP
Download Files Using Telegram	Ingress Tool Transfer	TTP
Enumerate Users Local Group Using Telegram	Account Discovery	TTP
Excessive Attempt To Disable Services	Service Stop	Anomaly
Excessive Service Stop Attempt	Service Stop	Anomaly
Excessive Usage Of Cacls App	File and Directory Permissions Modification	Anomaly
Excessive Usage Of Net App	Account Access Removal	Anomaly
Excessive Usage Of Taskkill	Disable or Modify Tools, Impair Defenses	Anomaly
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Grant Permission Using Cacls Utility	File and Directory Permissions Modification	TTP
Hide User Account From Sign-In Screen	Disable or Modify Tools, Impair Defenses	TTP
ICACLS Grant Command	File and Directory Permissions Modification	TTP
Icacls Deny Command	File and Directory Permissions Modification	TTP
Modify ACL permission To Files Or Folder	File and Directory Permissions Modification	Anomaly
Modify ACLs Permission Of Files Or Folders	File and Directory Permissions Modification	Anomaly
Process Kill Base On File Path	Disable or Modify Tools, Impair Defenses	TTP
Schtasks Run Task On Demand	Scheduled Task/Job	TTP
Suspicious Driver Loaded Path	Windows Service, Create or Modify System Process	TTP
Suspicious Process File Path	Create or Modify System Process	TTP
XMRIG Driver Loaded	Windows Service, Create or Modify System Process	TTP

Reference

• https://github.com/xmrig/xmrig
• https://www.getmonero.org/resources/user-guides/mine-to-pool.html
• https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
• https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/

source | version: 1