Detecting XMRig CPU or GPU mining
XMRig is a Trojan Horse that hijacks a user's computer and uses its resources to mine digital currency. It is high performance, open source, and cross platform. Attackers typically aim to hijack the resources of affected systems to validate transactions in cryptocurrency networks, earning the attackers virtual currency.
Transaction validation usually requires heavy system resource usage, and enough system resources can be consumed to negatively impact machines or cause them to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised.
These searches allow you to detect and investigate unusual activities that might relate to XMRig, including looking for file writes associated with its payload, process command-line, defense evasion, and hacking tools including Telegram to download other files.
Required data
How to use Splunk software for this use case
- Attacker tools on endpoint
- Attempt to delete services
- Attempt to disable services
- Delete a net user
- Deny permission using Cacls utility
- Disable net user account
- Disable Windows app hotkeys
- Download files using telegram
- Enumerate users local group using Telegram
- Excessive attempt to disable services
- Excessive service stop attempt
- Excessive usage of Cacls app
- Excessive usage of Net App
- Excessive usage of taskkill
- Executables or script creation in suspicious path
- Grant permission using Cacls utility
- Hide user account from sign-in screen
- ICACLS grant command
- Icacls deny command
- Modify ACL permission to files or folder
- Process kill base on file path
- Schtasks run task on demand
- Suspicious driver loaded path
- Suspicious process file path
- XMRIG driver loaded
Next steps
In addition, these Splunk resources might help you understand and implement this use case:
- Blog: Threat Hunting with Splunk: Hands-on Tutorials for the Active Hunter
- If you are a Splunk Enterprise Security customer, you can also get help from the Security Research team's support options on GitHub.