Skip to main content
 
Splunk Lantern

Detecting XMRig CPU or GPU mining

 

XMRig is a Trojan Horse that hijacks a user's computer and uses its resources to mine digital currency. It is high performance, open source, and cross platform. Attackers typically aim to hijack the resources of affected systems to validate transactions in cryptocurrency networks, earning the attackers virtual currency. 

Transaction validation usually requires heavy system resource usage, and enough system resources can be consumed to negatively impact machines or cause them to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised.

These searches allow you to detect and investigate unusual activities that might relate to XMRig, including looking for file writes associated with its payload, process command-line, defense evasion, and hacking tools including Telegram to download other files.

How to use Splunk software for this use case

To deploy this use case, make sure that you have the Splunk ES Content Updates installed on your Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.

Some of the detections that can help you with this use case include:

Next steps

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.

In addition, these Splunk resources might help you understand and implement this use case: