KQL Search

# Rule : Crypto Mining Detection

## Description
Detects potential cryptocurrency mining activities by monitoring process command lines for common indicators associated with mining software. Cryptocurrency mining on compromised systems can lead to degraded performance, increased power consumption, and potential hardware damage.

- Source: [Sigma rule for detecting cryptocurrency mining](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml)

## Detection Logic
- Monitors process events for command lines containing common parameters and commands used by cryptocurrency mining software, such as:
  - `--cpu-priority=`
  - `--donate-level=0`
  - `-o pool.`
  - `--nicehash`
  - `--algo=rx/0`
  - `stratum+tcp://`
  - `stratum+udp://`
  - `sh -c /sbin/modprobe msr allow_writes=on`
  - Encoded strings associated with mining configurations and commands.

## Tags
- Cryptocurrency Mining
- Process Events
- Linux

## Search Query
```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ( 
    "--cpu-priority=", 
    "--donate-level=0", 
    " -o pool.", 
    " --nicehash", 
    " --algo=rx/0 ", 
    "stratum+tcp://", 
    "stratum+udp://", 
    "sh -c /sbin/modprobe msr allow_writes=on", 
    "LS1kb25hdGUtbGV2ZWw9", 
    "0tZG9uYXRlLWxldmVsP", 
    "tLWRvbmF0ZS1sZXZlbD", 
    "c3RyYXR1bSt0Y3A6Ly", 
    "N0cmF0dW0rdGNwOi8v", 
    "zdHJhdHVtK3RjcDovL", 
    "c3RyYXR1bSt1ZHA6Ly", 
    "N0cmF0dW0rdWRwOi8v", 
    "zdHJhdHVtK3VkcDovL"
)