Crowdstrike Cryptomining Tools
Detects execution of cryptocurrency mining tools like XMRig, CGMiner, and ETHMiner that hijack computing resources for unauthorized financial gain. These tools consume significant CPU/GPU resources, degrade system performance, and increase costs. Unauthorized deployment typically indicates compromise through malware, supply chain attacks, or exploitation of vulnerable services.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1496 Resource Hijacking |
Rule body

```yaml
AnalysisType: rule
Description: >
  Detects execution of cryptocurrency mining tools like XMRig, CGMiner, and ETHMiner that hijack computing resources for unauthorized financial gain. These tools consume significant CPU/GPU resources, degrade system performance, and increase costs. Unauthorized deployment typically indicates compromise through malware, supply chain attacks, or exploitation of vulnerable services.
DisplayName: "Crowdstrike Cryptomining Tools"
Enabled: true
Filename: crowdstrike_cryptomining_tools.py
Reference: https://www.crowdstrike.com/cybersecurity-101/cryptojacking/
Severity: Critical
Tags:
  - CrowdStrike
  - Windows
  - Resource Hijacking
  - Cryptojacking
  - Cryptomining
  - Impact
  - Endpoint Detection
  - Performance Degradation
Runbook: |
  1. Review the process tree in CrowdStrike for event:ParentBaseFileName and event:SourceProcessId to identify what launched the cryptomining tool and determine the initial access vector
  2. Query CrowdStrike DNS logs and network telemetry from the affected host (aid and aip) in the 24 hours around this event to identify mining pool domains contacted (e.g., xmr-pool.com, nanopool.org, ethermine.org)
  3. Search CrowdStrike for the event:SHA256HashData across all endpoints to identify other hosts running the same cryptomining tool and assess the scope of the cryptojacking campaign
Reports:
  MITRE ATT&CK:
    - TA0040:T1496
Tests:
  - ExpectedResult: true
    Log:
      aid: 1234567890abcdefghijklmnop9876
      aip: 11.10.9.8
      cid: abcdefghijklmnop123467890
      configbuild: 1007.3.0016606.11
      configstatehash: "3799024366"
      entitlements: "15"
      event:
        AuthenticationId: "293628"
        AuthenticodeHashData: 5540c470218d209b7c3eca3d12e190580814d566
        CommandLine: C:\Windows\System32\ethminer.exe
        ConfigBuild: 1007.3.0016606.11
        ConfigStateHash: "3799024366"
        EffectiveTransmissionClass: "2"
        Entitlements: "15"
        ImageFileName: \Device\HarddiskVolume2\Windows\System32\ethminer.exe
        ImageSubsystem: "3"
        IntegrityLevel: "12288"
        MD5HashData: 5fd22b915c232378e567160d641cc9f2
        ParentAuthenticationId: "293628"
        ParentBaseFileName: pwsh.exe
        ParentProcessId: "4370948876"
        ProcessCreateFlags: "0"
        ProcessEndTime: ""
        ProcessParameterFlags: "24577"
        ProcessStartTime: "1682106752.006"
        ProcessSxsFlags: "64"
        RawProcessId: "1468"
        SHA1HashData: "0000000000000000000000000000000000000000"
        SHA256HashData: 488e74e2026d03f21b33f470c23b3de2f466643186c2e06ae7b4883cc2e59377
        SessionId: "2"
        SignInfoFlags: "8683538"
        SourceProcessId: "4370948876"
        SourceThreadId: "6364981533"
        Tags: 25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 237494511599633
        TargetProcessId: "4390327988"
        TokenType: "1"
        TreeId: "4295752857"
        UserSid: S-1-5-21-239183934-720705223-383019856-500
        aid: 1234567890abcdefghijklmnop9876
        aip: 11.10.9.8
        cid: abcdefghijklmnop123467890
        event_platform: Win
        event_simpleName: ProcessRollup2
        id: 081d64d7-17fb-40c0-8767-48ff1e2ee2dd
        name: ProcessRollup2V19
        timestamp: "1682106752722"
      event_platform: Win
      event_simplename: ProcessRollup2
      fdr_event_type: ProcessRollup2
      id: 081d64d7-17fb-40c0-8767-48ff1e2ee2dd
      name: ProcessRollup2V19
      p_any_ip_addresses:
        - 11.10.9.8
      p_any_md5_hashes:
        - 5fd22b915c232378e567160d641cc9f2
        - 1234567890abcdefghijklmnop9876
        - abcdefghijklmnop123467890
      p_any_sha1_hashes:
        - "0000000000000000000000000000000000000000"
      p_any_sha256_hashes:
        - 488e74e2026d03f21b33f470c23b3de2f466643186c2e06ae7b4883cc2e59377
      p_any_trace_ids:
        - "4295752857"
        - 1234567890abcdefghijklmnop9876
        - abcdefghijklmnop123467890
      p_event_time: "2023-04-21 19:52:32.722"
      p_log_type: Crowdstrike.FDREvent
      p_parse_time: "2023-04-21 20:05:52.94"
      p_row_id: 7ac82dbb43a99bfec196bdda178c8101
      p_schema_version: 0
      p_source_id: 1f33f64c-124d-413c-a9e3-d51ccedd8e77
      p_source_label: Crowdstrike-FDR-Dev
      timestamp: "2023-04-21 19:52:32.722"
      treeid: "4295752857"
    Name: Crypto tool
  - ExpectedResult: false
    Log:
      aid: 1234567890abcdefghijklmnop9876
      aip: 11.10.9.8
      cid: abcdefghijklmnop123467890
      configbuild: 1007.3.0016606.11
      configstatehash: "3799024366"
      entitlements: "15"
      event:
        AuthenticationId: "293628"
        AuthenticodeHashData: 5540c470218d209b7c3eca3d12e190580814d566
        CommandLine: '"C:\Windows\System32\at.exe" at 09:00 /interactive /every:m,t,w,th,f,s,su'
        ConfigBuild: 1007.3.0016606.11
        ConfigStateHash: "3799024366"
        EffectiveTransmissionClass: "2"
        Entitlements: "15"
        ImageFileName: \Device\HarddiskVolume2\Windows\System32\at.exe
        ImageSubsystem: "3"
        IntegrityLevel: "12288"
        MD5HashData: 5fd22b915c232378e567160d641cc9f2
        ParentAuthenticationId: "293628"
        ParentBaseFileName: pwsh.exe
        ParentProcessId: "4370948876"
        ProcessCreateFlags: "0"
        ProcessEndTime: ""
        ProcessParameterFlags: "24577"
        ProcessStartTime: "1682106752.006"
        ProcessSxsFlags: "64"
        RawProcessId: "1468"
        SHA1HashData: "0000000000000000000000000000000000000000"
        SHA256HashData: 488e74e2026d03f21b33f470c23b3de2f466643186c2e06ae7b4883cc2e59377
        SessionId: "2"
        SignInfoFlags: "8683538"
        SourceProcessId: "4370948876"
        SourceThreadId: "6364981533"
        Tags: 25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 237494511599633
        TargetProcessId: "4390327988"
        TokenType: "1"
        TreeId: "4295752857"
        UserSid: S-1-5-21-239183934-720705223-383019856-500
        aid: 1234567890abcdefghijklmnop9876
        aip: 11.10.9.8
        cid: abcdefghijklmnop123467890
        event_platform: Win
        event_simpleName: ProcessRollup2
        id: 081d64d7-17fb-40c0-8767-48ff1e2ee2dd
        name: ProcessRollup2V19
        timestamp: "1682106752722"
      event_platform: Win
      event_simplename: ProcessRollup2
      fdr_event_type: ProcessRollup2
      id: 081d64d7-17fb-40c0-8767-48ff1e2ee2dd
      name: ProcessRollup2V19
      p_any_ip_addresses:
        - 11.10.9.8
      p_any_md5_hashes:
        - 5fd22b915c232378e567160d641cc9f2
        - 1234567890abcdefghijklmnop9876
        - abcdefghijklmnop123467890
      p_any_sha1_hashes:
        - "0000000000000000000000000000000000000000"
      p_any_sha256_hashes:
        - 488e74e2026d03f21b33f470c23b3de2f466643186c2e06ae7b4883cc2e59377
      p_any_trace_ids:
        - "4295752857"
        - 1234567890abcdefghijklmnop9876
        - abcdefghijklmnop123467890
      p_event_time: "2023-04-21 19:52:32.722"
      p_log_type: Crowdstrike.FDREvent
      p_parse_time: "2023-04-21 20:05:52.94"
      p_row_id: 7ac82dbb43a99bfec196bdda178c8101
      p_schema_version: 0
      p_source_id: 1f33f64c-124d-413c-a9e3-d51ccedd8e77
      p_source_label: Crowdstrike-FDR-Dev
      timestamp: "2023-04-21 19:52:32.722"
      treeid: "4295752857"
    Name: Other
DedupPeriodMinutes: 60
LogTypes:
  - Crowdstrike.FDREvent
RuleID: "Crowdstrike.Cryptomining.Tools"
Threshold: 1
```
Detection logic
Condition
fdr_event_type eq "ProcessRollup2"
event_platform eq "Win"
The two conditions above are the structured part of the rule that the catalog parser could extract. The actual matching of the launched process against known miner names happens in the Python rule body (crowdstrike_cryptomining_tools.py), which is not reproduced on this page. Note what the event_platform filter implies: the rule only evaluates Windows process-creation (ProcessRollup2) events, so the same tools running on Linux or macOS hosts are out of scope for this rule. Also note that the two test cases differ only in the launched image (ethminer.exe versus at.exe), which is consistent with the imperative part keying on the process name rather than on the parent (pwsh.exe in both) or on file hashes (identical in both).
Indicators
Each row is a field, operator, and value that the rule matches. Where the catalog shows a corpus count, it is the number of other rules in the catalog that look for the same combination: high numbers point to widely-used, community-vetted indicators, while blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| event_platform | eq | Win |
| fdr_event_type | eq | ProcessRollup2 |
Output fields
Fields the rule attaches to the alert when it matches. For a Panther Python rule these are returned by the rule file's alert_context() function and surface as the alert's context; the Source column is the CrowdStrike field each one is read from. Keep in mind that none of UserName, FalconHostLink, ParentCommandLine, FileName, FilePath, Description or PatternDispositionDescription appear in the ProcessRollup2 test event above, so for matches on that event type expect most of these context fields to be empty. The pivots the runbook actually relies on (event.CommandLine, event.ImageFileName, event.ParentBaseFileName, event.SHA256HashData, aid, aip) are present on ProcessRollup2 events.
| Field | Source |
|---|---|
| aid | |
| user | UserName |
| console-link | FalconHostLink |
| commandline | CommandLine |
| parentcommandline | ParentCommandLine |
| filename | FileName |
| filepath | FilePath |
| description | Description |
| action | PatternDispositionDescription |
| ComputerName | |
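The following is an added, illustrative Panther-style rule for the detection logic and output fields described above. It is not the crowdstrike_cryptomining_tools.py body from panther-analysis (the page does not reproduce it). Everything beyond the two structured conditions is an assumption: the miner-name set (taken from the names the description mentions), the helper names, the extra parent and sha256 context keys added for the runbook pivots, and the treatment of the event as a plain dict shaped like the page's test logs. It also goes one step beyond the page by matching miner-style command-line arguments (a Stratum pool URL or XMRig's --donate-level flag) so that a renamed binary is still caught; that third sample event is constructed, not from the page.

```python
"""Illustrative Panther rule for the Crowdstrike Cryptomining Tools detection.

Added example; not the rule body shipped in panther-analysis. Assumed: the
miner-name set, the command-line markers, the helper names, and that `event`
is a plain dict shaped like the page's test logs (Panther's event object
supports the same .get() calls used here).
"""
import ntpath

# Assumed: the binaries the page description names. Extend for your estate.
CRYPTOMINER_NAMES = {"xmrig", "cgminer", "ethminer"}

# Assumed extension beyond the page: a renamed miner still has to name a pool.
# stratum+tcp:// is the Stratum pool URL scheme; --donate-level is an XMRig flag.
MINER_CMDLINE_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level")


def _ev(event, key):
    """Read a field from the nested FDR `event` object (the shape in the test logs)."""
    return (event.get("event") or {}).get(key)


def process_name(event):
    """Lower-cased image basename without extension.

    ImageFileName is an NT device path (\\Device\\HarddiskVolume2\\...), so ntpath
    is used explicitly: os.path on a Linux rule runner would not split on backslashes.
    """
    image = _ev(event, "ImageFileName") or ""
    return ntpath.splitext(ntpath.basename(image))[0].lower()


def rule(event):
    # Structured part the catalog extracted: Windows process-creation events only.
    if event.get("fdr_event_type") != "ProcessRollup2":
        return False
    if event.get("event_platform") != "Win":
        return False
    # Imperative part: known miner name, or a renamed binary with miner-style arguments.
    if process_name(event) in CRYPTOMINER_NAMES:
        return True
    cmdline = (_ev(event, "CommandLine") or "").lower()
    return any(marker in cmdline for marker in MINER_CMDLINE_MARKERS)


def title(event):
    return f"Cryptomining tool [{process_name(event)}] launched on host [{event.get('aid')}]"


def alert_context(event):
    """Emit the page's output fields plus the runbook pivots (assumed additions)."""
    ev = event.get("event") or {}
    return {
        "aid": event.get("aid"),
        "user": ev.get("UserName"),
        "console-link": ev.get("FalconHostLink"),
        "commandline": ev.get("CommandLine"),
        "parentcommandline": ev.get("ParentCommandLine"),
        "filename": ev.get("FileName"),
        "filepath": ev.get("FilePath"),
        "description": ev.get("Description"),
        "action": ev.get("PatternDispositionDescription"),
        "ComputerName": ev.get("ComputerName"),
        # Runbook steps 1 and 3 pivot on these; they are present on ProcessRollup2.
        "parent": ev.get("ParentBaseFileName"),
        "sha256": ev.get("SHA256HashData"),
    }


# Constructed samples: the first two are trimmed from the page's own test logs,
# the third is an assumed renamed-miner case the page does not cover.
ETHMINER_EVENT = {
    "aid": "1234567890abcdefghijklmnop9876",
    "event_platform": "Win",
    "fdr_event_type": "ProcessRollup2",
    "event": {
        "CommandLine": r"C:\Windows\System32\ethminer.exe",
        "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\ethminer.exe",
        "ParentBaseFileName": "pwsh.exe",
        "SHA256HashData": "488e74e2026d03f21b33f470c23b3de2f466643186c2e06ae7b4883cc2e59377",
    },
}
AT_EVENT = {
    "aid": "1234567890abcdefghijklmnop9876",
    "event_platform": "Win",
    "fdr_event_type": "ProcessRollup2",
    "event": {
        "CommandLine": r'"C:\Windows\System32\at.exe" at 09:00 /interactive /every:m,t,w,th,f,s,su',
        "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\at.exe",
        "ParentBaseFileName": "pwsh.exe",
    },
}
RENAMED_MINER_EVENT = {
    "aid": "1234567890abcdefghijklmnop9876",
    "event_platform": "Win",
    "fdr_event_type": "ProcessRollup2",
    "event": {
        "CommandLine": r"C:\Users\Public\svchost.exe -o stratum+tcp://pool.example:3333 --donate-level 0",
        "ImageFileName": r"\Device\HarddiskVolume2\Users\Public\svchost.exe",
        "ParentBaseFileName": "wscript.exe",
    },
}

if __name__ == "__main__":
    for label, sample in (("ethminer", ETHMINER_EVENT), ("at.exe", AT_EVENT), ("renamed", RENAMED_MINER_EVENT)):
        print(label, rule(sample), alert_context(sample)["parent"])
```

Two practical points fall out of running this against the page's own samples. First, the ethminer event matches and the at.exe event does not, reproducing the two test cases, but the Linux variant (same event with event_platform set to anything other than Win) never reaches the name check, which is the scope limit noted under Detection logic. Second, every output field the catalog lists except aid comes back empty for a ProcessRollup2 event, so the context keys a responder can actually pivot on are the ones read from the nested event object.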