How to detect crypto mining in your organization?
Adversaries may install cryptocurrency mining applications on hijacked hosts as one of the impacts of malicious activity. Such miners can also be installed by the organization's own employees to take advantage of free computing power, which is usually a violation of the organization's security policy.
So, how could we try to detect the Resource Hijacking technique (https://attack.mitre.org/techniques/T1496/), a MITRE ATT&CK technique related to crypto mining activity?
Detection of such activity may be possible by monitoring communications to or from unusual ports, e.g. 3333, 4444, 5555, 6666, 7777, 8888, 9999, together with the reputation of IPs and URLs associated with cryptocurrency mining pools. Useful data sources are Network Traffic (Web Proxy, Firewall, Load Balancer, IDS/IPS, NetFlow), DNS Logs, Application Logs and Sysmon/Security Logs. Note that none of these ports is reserved for mining (4444 and 8888, for example, are common defaults for unrelated tools) and many pools also listen on 443, so a port hit is a starting point for triage rather than a verdict; corroborate it with the destination's reputation or with the Stratum JSON-RPC handshake (mining.subscribe, mining.authorize, login) that mining clients send in clear text at the start of the connection.
In the Sycope NSM you can use the following search to hunt for such network activities: lookupKeyExists("sec-port-cryptomining", {"Port": serverPort }) or lookupKeyExists("sec-port-cryptomining", {"Port": clientPort })
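The same hunt, expressed as code so the port lookup can be combined with the two corroborating checks described above. This is an added example, not Sycope's implementation: the port set mirrors the ports the article lists, the pool-domain suffixes and the flow records are constructed placeholders (the wallet string and hostnames are invented), and the Stratum check relies only on the public JSON-RPC method names that Stratum and XMRig-style clients send in their first message.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Mirrors the page's "sec-port-cryptomining" lookup: the ports the article lists.
# A production lookup would carry more entries; these are the only ones the page names.
CRYPTOMINING_PORTS = frozenset({3333, 4444, 5555, 6666, 7777, 8888, 9999})

# Constructed pool-domain suffixes standing in for the IP/URL reputation feed the
# article mentions. Placeholders, not a real threat list.
POOL_DOMAIN_SUFFIXES = ("pool.example-xmr.test", "stratum.example-pool.test")

# Stratum is line-delimited JSON-RPC. These method names appear in the client's first
# message: mining.* for Stratum v1, "login" for the CryptoNote/XMRig variant.
STRATUM_METHODS = frozenset({"mining.subscribe", "mining.authorize", "mining.submit", "login"})


@dataclass(frozen=True)
class Flow:
    """One NetFlow/IDS record, optionally enriched with DNS and payload data."""
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    server_fqdn: Optional[str] = None  # from a DNS-log join; None when unresolved
    payload_prefix: str = ""            # first bytes of client payload if an IDS captured them


def port_match(flow: Flow) -> bool:
    """Same test as the page's two lookupKeyExists() clauses: either side on a listed port."""
    return flow.server_port in CRYPTOMINING_PORTS or flow.client_port in CRYPTOMINING_PORTS


def domain_match(fqdn: Optional[str]) -> bool:
    """Reputation-style check: does the resolved name end in a known pool suffix?"""
    if not fqdn:
        return False
    name = fqdn.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in POOL_DOMAIN_SUFFIXES)


def stratum_match(payload_prefix: str) -> bool:
    """Protocol check: the first payload line parses as JSON-RPC with a Stratum method name."""
    first_line = payload_prefix.split("\n", 1)[0].strip()
    if not first_line.startswith("{"):
        return False
    try:
        msg = json.loads(first_line)
    except json.JSONDecodeError:
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def reasons(flow: Flow) -> list:
    """Every indicator that fired for this flow; an empty list means nothing to hunt."""
    hits = []
    if port_match(flow):
        hits.append("port")
    if domain_match(flow.server_fqdn):
        hits.append("domain")
    if stratum_match(flow.payload_prefix):
        hits.append("stratum")
    return hits


def hunt(flows: list) -> list:
    """Flows with at least one indicator, most corroborated first (stable for ties)."""
    scored = [(f, reasons(f)) for f in flows]
    return sorted([(f, r) for f, r in scored if r], key=lambda fr: -len(fr[1]))


# Constructed sample records (not real traffic); the wallet string is a dummy.
SAMPLE_FLOWS = [
    # Classic case: listed port, pool domain, and an XMRig-style login in the payload.
    Flow("10.0.5.23", 51822, "203.0.113.10", 3333, "eu.pool.example-xmr.test",
         '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABC...","agent":"XMRig/6.0"}}\n'),
    # Port-list miss: the pool listens on 443, only the payload gives it away.
    Flow("10.0.5.40", 49311, "203.0.113.11", 443, None,
         '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n'),
    # Port-only hit that needs triage: an internal web service on 8888, nothing else fires.
    Flow("10.0.8.7", 52110, "10.0.8.200", 8888, "notebooks.corp.internal", "GET / HTTP/1.1\r\n"),
    # Benign HTTPS to an ordinary host.
    Flow("10.0.5.23", 51900, "198.51.100.5", 443, "www.example.test", ""),
]

if __name__ == "__main__":
    for flow, why in hunt(SAMPLE_FLOWS):
        print(f"{flow.client_ip}:{flow.client_port} -> {flow.server_ip}:{flow.server_port}  {','.join(why)}")
```

Run over the sample set, the first record fires on all three indicators, the 443 flow is caught only by the Stratum check (the port lookup alone would miss it), and the 8888 flow is the port-only hit an analyst still has to triage. The three functions are independent, so `port_match` on its own is the direct equivalent of the Sycope search and the other two can be bolted on wherever DNS or payload data is available.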


As you can see, hunting for this activity is quick once the port and reputation lookups are in place, especially with a tool that lets you build such queries in seconds; the remaining work is triaging the hits, since a listed port on its own does not prove mining.
FAQ
Adversaries may install cryptocurrency mining applications on hijacked hosts. Detection can be achieved by monitoring communications from/to unusual ports (e.g., 3333, 4444, 5555, 6666, 7777, 8888, 9999) and checking the reputation of IPs and URLs related to cryptocurrency hosts using logs from Network Traffic, DNS Logs, Application Logs, Sysmon/Security Logs.
It is known as the Resource Hijacking technique (https://attack.mitre.org/techniques/T1496/), which relates to crypto mining activity.
You can use search queries such as lookupKeyExists("sec-port-cryptomining", {"Port": serverPort }) or lookupKeyExists("sec-port-cryptomining", {"Port": clientPort }) to detect network activities related to crypto mining.