How to detect crypto mining in your organization?

Author: Marcin Kaźmierczak

Adversaries may install cryptocurrency mining applications on hijacked hosts as one of the impacts of a compromise. In addition, such cryptocurrency mining applications may be installed by the organization's own employees to take advantage of free computing power, which is usually a violation of the organization's security policy.


So, how could we try to detect the Resource Hijacking technique (https://attack.mitre.org/techniques/T1496/), a MITRE ATT&CK technique related to crypto mining activity?

Detection of such activity may be possible by monitoring communications to and from unusual ports commonly used by mining pools, e.g. 3333, 4444, 5555, 6666, 7777, 8888, 9999, and by checking the reputation of IPs and URLs associated with cryptocurrency hosts. Logs and flows from data sources such as Network Traffic (Web Proxy, Firewall, Load Balancer, IDS/IPS, NetFlow), DNS Logs, Application Logs, and Sysmon/Security Logs can all be used to detect it.

In the Sycope NSM you can use the following search to hunt for such network activity:

lookupKeyExists("sec-port-cryptomining", {"Port": serverPort}) or lookupKeyExists("sec-port-cryptomining", {"Port": clientPort})
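The same hunt, expressed outside the product, as an added example that is not Sycope code: a small Python script that applies a port lookup (the ports listed above, under a constructed name mirroring the page's "sec-port-cryptomining" lookup) and a constructed IP/domain reputation list to constructed flow records. All addresses, domains and flow lines are constructed test data, not real indicators.

```python
"""Added example (not Sycope's code): port-lookup and reputation hunting over constructed flow records."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lookup mirroring the page's "sec-port-cryptomining" idea: ports the post lists as
# commonly used by mining pools. Constructed here; a real deployment would curate it.
SEC_PORT_CRYPTOMINING = {3333, 4444, 5555, 6666, 7777, 8888, 9999}

# Constructed reputation lists (documentation/reserved ranges, not real indicators).
BAD_IPS = {"203.0.113.45"}                     # TEST-NET-3 address, labelled bad for the example
BAD_DOMAINS = {"pool.example-miner.invalid"}   # reserved .invalid TLD, constructed


@dataclass
class Flow:
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    server_domain: Optional[str] = None  # from DNS/proxy enrichment when available


def lookup_key_exists(lookup: set, key: int) -> bool:
    """Stand-in for the lookupKeyExists() call in the page's search."""
    return key in lookup


def hunt(flows: List[Flow]) -> List[Dict]:
    """Return flows matching the port lookup or the reputation lists, with the reason(s)."""
    hits = []
    for f in flows:
        reasons = []
        if lookup_key_exists(SEC_PORT_CRYPTOMINING, f.server_port):
            reasons.append(f"serverPort {f.server_port} in sec-port-cryptomining")
        if lookup_key_exists(SEC_PORT_CRYPTOMINING, f.client_port):
            reasons.append(f"clientPort {f.client_port} in sec-port-cryptomining")
        if f.server_ip in BAD_IPS:
            reasons.append("server IP on cryptomining reputation list")
        if f.server_domain and f.server_domain in BAD_DOMAINS:
            reasons.append("server domain on cryptomining reputation list")
        if reasons:
            hits.append({"flow": f, "reasons": reasons})
    return hits


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed CSV flow line: client_ip,client_port,server_ip,server_port[,domain]."""
    parts = line.strip().split(",")
    domain = parts[4] if len(parts) > 4 and parts[4] else None
    return Flow(parts[0], int(parts[1]), parts[2], int(parts[3]), domain)


# Constructed sample flows: one pool-port hit, one clean HTTPS flow, one bad-IP hit,
# one bad-domain hit, and one flow whose *client* port is on the list.
SAMPLE_FLOWS = """\
10.0.0.5,51234,198.51.100.20,3333,
10.0.0.7,49152,198.51.100.30,443,
10.0.0.9,50001,203.0.113.45,443,
10.0.0.11,48000,198.51.100.40,443,pool.example-miner.invalid
10.0.0.13,5555,198.51.100.50,80,
"""


def run() -> List[Dict]:
    flows = [parse_flow_line(line) for line in SAMPLE_FLOWS.splitlines() if line.strip()]
    return hunt(flows)


if __name__ == "__main__":
    for h in run():
        print(h["flow"].client_ip, "->", h["flow"].server_ip, ";", "; ".join(h["reasons"]))
```

Flagged flows are triage candidates, not verdicts: the listed ports are also used by legitimate services, so a port-only match should be corroborated with the reputation data the post mentions and with the host-side logs (Sysmon/Security) before concluding that mining is taking place.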

Figure 1. Lookups containing ports regarding crypto mining activity


Figure 2. Analysis of potential crypto mining activity in the Sycope NSM system

As you can see, analyzing this type of activity is simple and quick, especially if you have the right tool for building such threat hunting queries.
