XMRig is a Trojan Horse that hijacks a user's computer and uses its resources to mine digital currency. It is high-performance, open source, and cross-platform. Attackers typically aim to hijack the resources of affected systems to validate transactions on cryptocurrency networks, earning virtual currency for themselves.
Transaction validation is resource-intensive, and enough system resources can be consumed to degrade machine performance or make machines unresponsive. Servers and cloud-based systems are common targets because of the large amount of resources they can offer, but user endpoint systems may also be compromised.
These searches allow you to detect and investigate unusual activity that might relate to XMRig, including file writes associated with its payload, suspicious process command lines, defense evasion, and hacking tools, such as Telegram being used to download additional files.
How to use Splunk software for this use case
To deploy this use case, make sure that you have the Splunk ES Content Updates installed on your Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.
Some of the detections that can help you with this use case include:
- Attacker tools on endpoint
- Attempt to delete services
- Attempt to disable services
- Delete a net user
- Deny permission using Cacls utility
- Disable net user account
- Disable Windows app hotkeys
- Download files using Telegram
- Enumerate users local group using Telegram
- Excessive attempt to disable services
- Excessive service stop attempt
- Excessive usage of Cacls app
- Excessive usage of Net App
- Excessive usage of taskkill
- Executables or script creation in suspicious path
- Grant permission using Cacls utility
- Hide user account from sign-in screen
- Icacls grant command
- Icacls deny command
- Modify ACL permission to files or folder
- Process kill based on file path
- Schtasks run task on demand
- Suspicious driver loaded path
- Suspicious process file path
- XMRIG driver loaded
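As an added illustration of how one of these detections can be expressed in SPL (this is not the search shipped in the Splunk ES Content Update, which carries its own logic for each detection), the following search implements the "Excessive usage of taskkill" idea against the CIM Endpoint.Processes data model. The one-minute window and the threshold of 10 executions are assumptions to tune for your environment, and summariesonly=true assumes the data model is accelerated.

```spl
| tstats summariesonly=true count min(_time) AS firstTime max(_time) AS lastTime
    values(Processes.process) AS process
    FROM datamodel=Endpoint.Processes
    WHERE Processes.process_name="taskkill.exe"
    BY _time span=1m Processes.dest Processes.user Processes.parent_process_name
| rename Processes.* AS *
| where count >= 10     ```assumed threshold: 10 or more taskkill runs in one minute on one host by one user```
| convert ctime(firstTime) ctime(lastTime)
| table firstTime lastTime dest user parent_process_name process count
| sort - count
```

Reviewing the collected process field shows which processes were being killed, which helps separate a miner clearing out competing miners or security tooling from a legitimate administrative script.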
Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.
In addition, these Splunk resources might help you understand and implement this use case:
- Blog: Threat Hunting with Splunk: Hands-on Tutorials for the Active Hunter
- If you are a Splunk Enterprise Security customer, you can also get help from the Security Research team's support options on GitHub.