Cryptomining
Use the JSA Cryptomining Content Extension to monitor your deployment for cryptocurrency mining. The extension requires the Baseline Maintenance content extension V1.05 or later to work correctly, so install Baseline Maintenance before you install Cryptomining.
JSA Cryptomining Content Extension V1.0.0
The following table shows the custom properties that are included in JSA Cryptomining Content Extension V1.0.0.
The custom properties that are included in this content extension are placeholders with no extraction expressions. You can download other content extensions that include custom properties with these names, or you can create your own. Until a property is populated from your log sources, the rules and building blocks that key on it cannot match.
Table 1: Custom Properties in JSA Cryptomining Content Extension V1.0.0
Custom Property | Found in |
---|---|
File Hash | |
Filename | |
ImageName | |
Process CommandLine | |
Process Name | |
Threat Name | |
URL | |
URLHost | |
The following table shows the rules and building blocks in JSA Cryptomining Content Extension V1.0.0.
Table 2: Rules and Building Blocks in JSA Cryptomining Content Extension V1.0.0
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: Operating System | This building block defines the operating system log sources in your deployment. |
Building Block | BB:Threats: Communication to Cryptocurrency Mining IP | Detects communications to cryptocurrency mining IP addresses. Update the reference set for tuning. |
Building Block | BB:Threats: Communication to Cryptocurrency Mining URL for Events | Detects events that show communications to cryptocurrency mining hosts. Update the reference set for tuning. |
Building Block | BB:Threats: Communication to Cryptocurrency Mining URL for Flows | Detects flows that show communications to cryptocurrency mining hosts. Update the reference set for tuning. |
Building Block | BB:Threats: Cryptocurrency Mining Process Name Patterns | Detects when a process whose name matches a well-known cryptocurrency mining pattern starts. Update the regular expression for tuning. |
Building Block | BB:Threats: Cryptocurrency Mining Process Names | Detects when a process whose name is listed as a well-known cryptocurrency miner starts. Update the reference set for tuning. |
Building Block | BB:Threats: Cryptocurrency Mining Threat Hashes for Events | Detects events whose SHA256 file hash is listed as a cryptocurrency mining threat. Update the reference set for tuning. |
Building Block | BB:Threats: Cryptocurrency Mining Threat Hashes for Flows | Detects flows whose SHA256 file hash is listed as a cryptocurrency mining threat. Update the reference set for tuning. |
Building Block | BB:Threats: Cryptocurrency Mining Threat Name Patterns | Detects cryptocurrency mining threats by threat names that contain frequently used terms, such as coin, crypto, and mine. Update the regular expression for tuning. |
Building Block | BB:Threats: Cryptocurrency Mining Threat Names | Detects cryptocurrency mining threats by threat names that are listed in the reference set. Update the reference set for tuning. |
Building Block | BB:Threats: X-Force Premium: Internal Connection to Host Categorized as Cryptocurrency Mining | This rule notifies when an internal system communicates with an IP address that is considered to be hosting cryptocurrency mining. It might be an indicator of a cryptocurrency mining malware infection. The default confidence (75) indicates a strong possibility that this is a cryptocurrency mining host. |
Building Block | BB:Threats: X-Force Premium: Internal Host Communication with Cryptocurrency Mining URL for Events | This rule notifies when an internal client loads a web URL known for cryptocurrency mining activity. |
Building Block | BB:Threats: X-Force Premium: Internal Host Communication with Cryptocurrency Mining URL for Flows | This rule notifies when an internal system communicates with an HTTP host that is considered to be hosting cryptocurrency mining. It might be an indicator of a cryptocurrency mining malware infection. |
Rule | Detected a Communication to Cryptocurrency Mining Host | Detects communications to a cryptocurrency mining destination. This might indicate a host that is compromised by cryptocurrency mining malware. |
Rule | Detected a Cryptocurrency Mining Activity Based on File Hash | Detects file hashes that are listed as cryptocurrency mining threats. |
Rule | Detected a Cryptocurrency Mining Activity Based on Process Command Line | Detects cryptocurrency mining activity based on the process command line. |
Rule | Detected a Cryptocurrency Mining Activity Based on Threat Name | Detects threat names that match the cryptocurrency mining threat names or threat name patterns. |
Rule | Detected a Cryptocurrency Mining Process | Detects when a well-known cryptocurrency mining process starts. |
Rule | Detected In-Browser Cryptojacking based on Loaded Javascript File Hash | Detects when the browser sends a GET request to load a cryptojacking JavaScript file. The rule uses the file hash to detect that activity. |
Rule | Detected In-Browser Cryptojacking based on Loaded Javascript File Name | Detects when the browser sends a GET request to load a cryptojacking JavaScript file. The rule uses the file name component of the URL to detect that activity. |
Rule | Exploit Attempt Followed By Cryptocurrency Mining Activity | Reports an exploit or attack-type event that is followed within 15 minutes by cryptocurrency mining activity that originates from the destination IP address of the original event, that is, from the host that was attacked. |
The following table shows the reports in JSA Cryptomining Content Extension V1.0.0.
Table 3: Reports in JSA Cryptomining Content Extension V1.0.0
Report Name | Description |
---|---|
IPs with Cryptocurrency Mining Activities | This report provides an overview of IP addresses that are related to cryptocurrency mining. Update the search filter to tune it. |
The following table shows the reference data in JSA Cryptomining Content Extension V1.0.0.
The elements in the reference sets do not expire by default. To keep the reference sets from growing without bound, set a time to live on the elements.
Table 4: Reference Data in JSA Cryptomining Content Extension V1.0.0
Type | Name | Description |
---|---|---|
Reference Set | Cryptocurrency Mining Hosts | Contains a list of cryptocurrency mining hosts. |
Reference Set | Cryptocurrency Mining Javascript File Hashes | Contains a list of cryptocurrency mining JavaScript file hashes. |
Reference Set | Cryptocurrency Mining Threat Hashes | Contains a list of cryptocurrency mining threat file hashes. |
Reference Set | Cryptocurrency Mining Javascript File Names | Contains a list of cryptocurrency mining JavaScript file names. |
Reference Set | Cryptocurrency Mining IPs | Contains a list of cryptocurrency mining IP addresses. |
Reference Set | Cryptocurrency Mining Threat Names | Contains a list of cryptocurrency mining threat names. |
Reference Set | Cryptocurrency Mining Process Names | Contains a list of cryptocurrency mining processes. |
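As an added example that is not part of this page or of the content extension, the following Python models the logic behind Table 2 and the reference data above: how the building blocks combine reference-set lookups with regular expressions into the rules, how the "Exploit Attempt Followed By Cryptocurrency Mining Activity" rule correlates an exploit against a host with mining activity from that host within 15 minutes, and how a time to live on reference-set elements keeps a set from overfilling. Every reference-set entry, event, IP address and the process-name regular expression is constructed sample data; only the coin, crypto and mine terms and the 15-minute window come from the page.

```python
"""Stand-alone model of the matching logic behind the JSA Cryptomining content
extension. Added example, not JSA code: every reference-set entry, pattern and
event below is constructed sample data."""
import re
from collections import defaultdict

WINDOW_SECONDS = 15 * 60  # window of "Exploit Attempt Followed By Cryptocurrency Mining Activity"


class ReferenceSet:
    """Reference set with an optional per-element time to live (seconds); ttl=None never expires."""

    def __init__(self, values=(), ttl=None):
        self.ttl = ttl
        self._expiry = {}  # lower-cased value -> absolute expiry time, or None
        for v in values:
            self.add(v, now=0)

    def add(self, value, now):
        self._expiry[value.lower()] = None if self.ttl is None else now + self.ttl

    def contains(self, value, now):
        key = (value or "").lower()
        if key not in self._expiry:
            return False
        expiry = self._expiry[key]
        if expiry is not None and now >= expiry:
            del self._expiry[key]  # evict on read so the set cannot overfill
            return False
        return True


# Sample reference data (constructed); the sets shipped with the extension are placeholders.
SETS = {
    "Cryptocurrency Mining IPs": ReferenceSet(["203.0.113.10"]),
    "Cryptocurrency Mining Hosts": ReferenceSet(["pool.mining.example"]),
    "Cryptocurrency Mining Process Names": ReferenceSet(["xmrig.exe"]),
    "Cryptocurrency Mining Threat Names": ReferenceSet(["Trojan.CoinMiner"]),
}
# "Threat Name Patterns" uses the terms the page lists (coin, crypto, mine); the
# process-name pattern is an assumption made for this example.
THREAT_NAME_PATTERN = re.compile(r"coin|crypto|mine", re.I)
PROCESS_NAME_PATTERN = re.compile(r"xmrig|minerd|cpuminer", re.I)


def in_set(set_name, ev, prop, now):
    return SETS[set_name].contains(ev.get(prop), now)


# Rule name -> predicate over (event, now); events use the page's custom property names.
RULES = {
    "Detected a Communication to Cryptocurrency Mining Host": lambda ev, now:
        in_set("Cryptocurrency Mining IPs", ev, "destinationip", now)
        or in_set("Cryptocurrency Mining Hosts", ev, "URLHost", now),
    "Detected a Cryptocurrency Mining Activity Based on Threat Name": lambda ev, now:
        in_set("Cryptocurrency Mining Threat Names", ev, "Threat Name", now)
        or bool(THREAT_NAME_PATTERN.search(ev.get("Threat Name") or "")),
    "Detected a Cryptocurrency Mining Process": lambda ev, now:
        in_set("Cryptocurrency Mining Process Names", ev, "Process Name", now)
        or bool(PROCESS_NAME_PATTERN.search(ev.get("Process Name") or "")),
}
SEQUENCE_RULE = "Exploit Attempt Followed By Cryptocurrency Mining Activity"


def evaluate(events):
    """Run the rules over time-ordered events; return the rule names fired per event.
    The sequence rule fires when mining activity comes from a host that was the
    destination of an exploit event within the previous WINDOW_SECONDS."""
    exploited = defaultdict(list)  # destination IP -> times it was attacked
    fired_per_event = []
    for ev in events:
        now = ev["time"]
        fired = [name for name, test in RULES.items() if test(ev, now)]
        if ev.get("category") == "Exploit" and ev.get("destinationip"):
            exploited[ev["destinationip"]].append(now)
        attacked_at = exploited.get(ev.get("sourceip"), [])
        if fired and any(0 <= now - t <= WINDOW_SECONDS for t in attacked_at):
            fired.append(SEQUENCE_RULE)
        fired_per_event.append(fired)
    return fired_per_event


SAMPLE_EVENTS = [  # constructed, time-ordered
    {"time": 0, "category": "Exploit", "sourceip": "198.51.100.5", "destinationip": "192.0.2.20"},
    {"time": 10, "category": "Exploit", "sourceip": "198.51.100.5", "destinationip": "192.0.2.40"},
    {"time": 300, "category": "Process", "sourceip": "192.0.2.20", "Process Name": "xmrig.exe"},
    {"time": 1200, "category": "Malware", "sourceip": "192.0.2.40", "Threat Name": "Trojan.CoinMiner"},
    {"time": 1300, "category": "Web", "sourceip": "192.0.2.30", "destinationip": "203.0.113.10"},
    {"time": 1500, "category": "Malware", "sourceip": "192.0.2.50", "Threat Name": "Ransom.CryptoLocker"},
    {"time": 2000, "category": "Process", "sourceip": "192.0.2.60", "Process Name": "notepad.exe"},
]


def ttl_demo():
    """With ttl=60 an element added at t=100 is still present at t=130 but gone at t=160."""
    rs = ReferenceSet(ttl=60)
    rs.add("198.51.100.77", now=100)
    return rs.contains("198.51.100.77", now=130), rs.contains("198.51.100.77", now=160)
```

In the sample run, the xmrig.exe start at t=300 from 192.0.2.20 fires both the process rule and the sequence rule because that host was attacked at t=0, while the Trojan.CoinMiner detection at t=1200 from 192.0.2.40 fires only the threat-name rule because its exploit at t=10 is outside the 15-minute window. The Ransom.CryptoLocker event also fires the threat-name rule through the crypto term, which is exactly the kind of false positive the page's advice to update the regular expression is meant to address.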
The following table shows the saved searches in JSA Cryptomining Content Extension V1.0.0.
Table 5: Saved Searches in JSA Cryptomining Content Extension V1.0.0
Name | Description |
---|---|
Source Addresses with Cryptocurrency Mining Activities | Shows all events that triggered one of the cryptocurrency mining rules, grouped by source address and source port. |
Destination Addresses with Cryptocurrency Mining Activities | Shows all events that triggered one of the cryptocurrency mining rules, grouped by destination address and destination port. |
Source Addresses with Cryptocurrency Mining Activities | Shows all flows that triggered one of the cryptocurrency mining rules, grouped by source address and source port. |
Destination Addresses with Cryptocurrency Mining Activities | Shows all flows that triggered one of the cryptocurrency mining rules, grouped by destination address and destination port. |