Detection rules › Kusto

DNS events related to mining pools

Status
available
Severity
low
Time window
1d
Source
github.com/Azure/Azure-Sentinel

'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.'

MITRE ATT&CK coverage

Tactic: Impact
Techniques: T1496 Resource Hijacking

Rule body kusto

id: 0d76e9cf-788d-4a69-ac7d-f234826b5bed
name: DNS events related to mining pools
description: |
  'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.'
severity: Low
status: Available
requiredDataConnectors:
  - connectorId: DNS
    dataTypes:
      - DnsEvents
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1496
query: |
  DnsEvents
  | where Name contains "."
  | where Name has_any ("monerohash.com", "do-dear.com", "xmrminerpro.com", "secumine.net", "xmrpool.com", "minexmr.org", "hashanywhere.com",
  "xmrget.com", "mininglottery.eu", "minergate.com", "moriaxmr.com", "multipooler.com", "moneropools.com", "xmrpool.eu", "coolmining.club",
  "supportxmr.com", "minexmr.com", "hashvault.pro", "xmrpool.net", "crypto-pool.fr", "xmr.pt", "miner.rocks", "walpool.com", "herominers.com",
  "gntl.co.uk", "semipool.com", "coinfoundry.org", "cryptoknight.cc", "fairhash.org", "baikalmine.com", "tubepool.xyz", "fairpool.xyz", "asiapool.io",
  "coinpoolit.webhop.me", "nanopool.org", "moneropool.com", "miner.center", "prohash.net", "poolto.be", "cryptoescrow.eu", "monerominers.net", "cryptonotepool.org",
  "extrmepool.org", "webcoin.me", "kippo.eu", "hashinvest.ws", "monero.farm", "supportxmr.com", "xmrpool.eu", "linux-repository-updates.com", "1gh.com",
  "dwarfpool.com", "hash-to-coins.com", "hashvault.pro", "pool-proxy.com", "hashfor.cash", "fairpool.cloud", "litecoinpool.org", "mineshaft.ml", "abcxyz.stream",
  "moneropool.ru", "cryptonotepool.org.uk", "extremepool.org", "extremehash.com", "hashinvest.net", "unipool.pro", "crypto-pools.org", "monero.net",
  "backup-pool.com", "mooo.com", "freeyy.me", "cryptonight.net", "shscrypto.net")
  | extend HostName = iff(Computer has '.', substring(Computer,0,indexof(Computer,'.')),Computer)
  | extend DnsDomain = iff(Computer has '.', substring(Computer,indexof(Computer,'.')+1),"")
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: DnsDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ClientIP
version: 1.0.3
kind: Scheduled

Stages and Predicates

Stage 1: source

DnsEvents

Stage 2: where

| where Name contains "."

Stage 3: where

| where Name has_any ("monerohash.com", "do-dear.com", "xmrminerpro.com", "secumine.net", "xmrpool.com", "minexmr.org", "hashanywhere.com",
"xmrget.com", "mininglottery.eu", "minergate.com", "moriaxmr.com", "multipooler.com", "moneropools.com", "xmrpool.eu", "coolmining.club",
"supportxmr.com", "minexmr.com", "hashvault.pro", "xmrpool.net", "crypto-pool.fr", "xmr.pt", "miner.rocks", "walpool.com", "herominers.com",
"gntl.co.uk", "semipool.com", "coinfoundry.org", "cryptoknight.cc", "fairhash.org", "baikalmine.com", "tubepool.xyz", "fairpool.xyz", "asiapool.io",
"coinpoolit.webhop.me", "nanopool.org", "moneropool.com", "miner.center", "prohash.net", "poolto.be", "cryptoescrow.eu", "monerominers.net", "cryptonotepool.org",
"extrmepool.org", "webcoin.me", "kippo.eu", "hashinvest.ws", "monero.farm", "supportxmr.com", "xmrpool.eu", "linux-repository-updates.com", "1gh.com",
"dwarfpool.com", "hash-to-coins.com", "hashvault.pro", "pool-proxy.com", "hashfor.cash", "fairpool.cloud", "litecoinpool.org", "mineshaft.ml", "abcxyz.stream",
"moneropool.ru", "cryptonotepool.org.uk", "extremepool.org", "extremehash.com", "hashinvest.net", "unipool.pro", "crypto-pools.org", "monero.net",
"backup-pool.com", "mooo.com", "freeyy.me", "cryptonight.net", "shscrypto.net")

Stage 4: extend

| extend HostName = iff(Computer has '.', substring(Computer,0,indexof(Computer,'.')),Computer)
HostName =
  if Computer has "." then substring(Computer, 0, indexof(Computer, '.'))
  else Computer

Stage 5: extend

| extend DnsDomain = iff(Computer has '.', substring(Computer,indexof(Computer,'.')+1),"")
DnsDomain =
  if Computer has "." then substring(Computer, indexof(Computer, '.') + 1)
  else ""
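The matching and entity-derivation logic of stages 2 to 5, re-run in Python over constructed DnsEvents rows. This is an added example, not code from the Azure-Sentinel repository: the sample rows are made up, and `kusto_has` is an approximation of Kusto's term-boundary matching (case-insensitive, needle bounded by non-alphanumeric characters or the string edge), which is an assumption about `has` semantics rather than the engine itself. It shows that `has_any` is not a bare substring test (`xmrpool.network` does not match `xmrpool.net`, while `pool.xmr.pt` does match `xmr.pt`), that a shared zone such as `mooo.com` in the list makes every hostname under it fire, and that the four domains the rule lists twice (supportxmr.com, xmrpool.eu, hashvault.pro, cryptonotepool.org) can be listed once without changing what matches.

```python
import re

# Added example (not part of the Azure-Sentinel rule): re-run of the rule's
# stages 2-5 over constructed DnsEvents rows.

# The rule's has_any list with each repeated entry listed once.
POOL_DOMAINS = (
    "monerohash.com", "do-dear.com", "xmrminerpro.com", "secumine.net", "xmrpool.com",
    "minexmr.org", "hashanywhere.com", "xmrget.com", "mininglottery.eu", "minergate.com",
    "moriaxmr.com", "multipooler.com", "moneropools.com", "xmrpool.eu", "coolmining.club",
    "supportxmr.com", "minexmr.com", "hashvault.pro", "xmrpool.net", "crypto-pool.fr",
    "xmr.pt", "miner.rocks", "walpool.com", "herominers.com", "gntl.co.uk", "semipool.com",
    "coinfoundry.org", "cryptoknight.cc", "fairhash.org", "baikalmine.com", "tubepool.xyz",
    "fairpool.xyz", "asiapool.io", "coinpoolit.webhop.me", "nanopool.org", "moneropool.com",
    "miner.center", "prohash.net", "poolto.be", "cryptoescrow.eu", "monerominers.net",
    "cryptonotepool.org", "extrmepool.org", "webcoin.me", "kippo.eu", "hashinvest.ws",
    "monero.farm", "linux-repository-updates.com", "1gh.com", "dwarfpool.com",
    "hash-to-coins.com", "pool-proxy.com", "hashfor.cash", "fairpool.cloud",
    "litecoinpool.org", "mineshaft.ml", "abcxyz.stream", "moneropool.ru",
    "cryptonotepool.org.uk", "extremepool.org", "extremehash.com", "hashinvest.net",
    "unipool.pro", "crypto-pools.org", "monero.net", "backup-pool.com", "mooo.com",
    "freeyy.me", "cryptonight.net", "shscrypto.net",
)

# Constructed sample rows (not real telemetry) carrying the three DnsEvents
# columns the rule touches: Computer, ClientIP and Name.
SAMPLE_DNS_EVENTS = [
    {"Computer": "ws01.corp.example", "ClientIP": "10.0.0.5", "Name": "pool.supportxmr.com"},
    {"Computer": "ws02", "ClientIP": "10.0.0.6", "Name": "xmrpool.network"},            # near miss
    {"Computer": "srv03.corp.example", "ClientIP": "10.0.0.7", "Name": "myhome.mooo.com"},  # shared zone
    {"Computer": "ws04.corp.example", "ClientIP": "10.0.0.8", "Name": "www.microsoft.com"},
    {"Computer": "ws05.corp.example", "ClientIP": "10.0.0.9", "Name": "localhost"},          # no dot
]


def kusto_has(haystack: str, needle: str) -> bool:
    """Approximation (assumption) of Kusto's `has`: case-insensitive, and the
    needle must start and end on a term boundary (non-alphanumeric character
    or string edge). So "xmrpool.net" matches "pool.xmrpool.net" but not
    "xmrpool.network"."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(needle) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, haystack, re.IGNORECASE) is not None


def matched_pool(name: str):
    """Stage 3 (`Name has_any (...)`): first list entry that matches, else None."""
    for domain in POOL_DOMAINS:
        if kusto_has(name, domain):
            return domain
    return None


def split_computer(computer: str):
    """Stages 4 and 5: HostName is the label before the first dot and
    DnsDomain the remainder; a dotless Computer yields (Computer, "")."""
    if "." in computer:
        idx = computer.index(".")
        return computer[:idx], computer[idx + 1:]
    return computer, ""


def run_rule(events):
    """Apply stages 2-5 and return the rows that would alert, extended with
    the matched pool domain and the two entity fields."""
    hits = []
    for ev in events:
        if "." not in ev["Name"]:           # Stage 2: where Name contains "."
            continue
        pool = matched_pool(ev["Name"])     # Stage 3
        if pool is None:
            continue
        host, dns_domain = split_computer(ev["Computer"])  # Stages 4 and 5
        hits.append({**ev, "MatchedPool": pool, "HostName": host, "DnsDomain": dns_domain})
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_DNS_EVENTS):
        print(f"{hit['ClientIP']:<10} {hit['HostName']:<6} {hit['DnsDomain']:<13} "
              f"{hit['Name']:<22} matched {hit['MatchedPool']}")
```

Only the first and third sample rows survive: `pool.supportxmr.com` via `supportxmr.com`, and `myhome.mooo.com` via `mooo.com`. With `triggerOperator: gt` and `triggerThreshold: 0`, a single surviving row in the 1d window is enough to raise the alert, so entries that cover a shared zone are worth reviewing before enabling the rule.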

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
Name | contains
  • .
Name | match (has_any)
  • 1gh.com
  • abcxyz.stream
  • asiapool.io
  • backup-pool.com
  • baikalmine.com
  • coinfoundry.org
  • coinpoolit.webhop.me
  • coolmining.club
  • crypto-pool.fr
  • crypto-pools.org
  • cryptoescrow.eu
  • cryptoknight.cc
  • cryptonight.net
  • cryptonotepool.org
  • cryptonotepool.org.uk
  • do-dear.com
  • dwarfpool.com
  • extremehash.com
  • extremepool.org
  • extrmepool.org
  • fairhash.org
  • fairpool.cloud
  • fairpool.xyz
  • freeyy.me
  • gntl.co.uk
  • hash-to-coins.com
  • hashanywhere.com
  • hashfor.cash
  • hashinvest.net
  • hashinvest.ws
  • hashvault.pro
  • herominers.com
  • kippo.eu
  • linux-repository-updates.com
  • litecoinpool.org
  • miner.center
  • miner.rocks
  • minergate.com
  • mineshaft.ml
  • minexmr.com
  • minexmr.org
  • mininglottery.eu
  • monero.farm
  • monero.net
  • monerohash.com
  • monerominers.net
  • moneropool.com
  • moneropool.ru
  • moneropools.com
  • mooo.com
  • moriaxmr.com
  • multipooler.com
  • nanopool.org
  • pool-proxy.com
  • poolto.be
  • prohash.net
  • secumine.net
  • semipool.com
  • shscrypto.net
  • supportxmr.com
  • tubepool.xyz
  • unipool.pro
  • walpool.com
  • webcoin.me
  • xmr.pt
  • xmrget.com
  • xmrminerpro.com
  • xmrpool.com
  • xmrpool.eu
  • xmrpool.net

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly. Here HostName and DnsDomain are derived from Computer by the two extend stages; Computer and ClientIP, which the entityMappings also reference, pass through unchanged from DnsEvents because the query never projects.

Field | Source
HostName | extend
DnsDomain | extend