Rule : Crypto Mining Detection
Crypto Mining Detection
Query
DeviceProcessEvents
| where ProcessCommandLine has_any (
"--cpu-priority=",
"--donate-level=0",
" -o pool.",
" --nicehash",
" --algo=rx/0 ",
"stratum+tcp://",
"stratum+udp://",
"sh -c /sbin/modprobe msr allow_writes=on",
"LS1kb25hdGUtbGV2ZWw9",
"0tZG9uYXRlLWxldmVsP",
"tLWRvbmF0ZS1sZXZlbD",
"c3RyYXR1bSt0Y3A6Ly",
"N0cmF0dW0rdGNwOi8v",
"zdHJhdHVtK3RjcDovL",
"c3RyYXR1bSt1ZHA6Ly",
"N0cmF0dW0rdWRwOi8v",
"zdHJhdHVtK3VkcDovL"
)About this query
Rule : Crypto Mining Detection
Description
Detects potential cryptocurrency mining activities by monitoring process command lines for common indicators associated with mining software. Cryptocurrency mining on compromised systems can lead to degraded performance, increased power consumption, and potential hardware damage.
Detection Logic
- Monitors process events for command lines containing common parameters and commands used by cryptocurrency mining software, such as:
--cpu-priority=--donate-level=0-o pool.--nicehash--algo=rx/0stratum+tcp://stratum+udp://sh -c /sbin/modprobe msr allow_writes=on- Encoded strings associated with mining configurations and commands.
Tags
- Cryptocurrency Mining
- Process Events
- Linux
Search Query
Explanation
This query looks for potential cryptocurrency mining activities by monitoring process command lines for specific indicators commonly associated with mining software. If any of these indicators are found in the command line, it suggests that the system may be compromised for mining purposes.
Details

Ali Hussein
Released: July 10, 2024
Tables
DeviceProcessEvents
Keywords
DeviceProcessEventsProcessCommandLine--cpu-priority=--donate-level=0-o pool.--nicehash--algo=rx/0stratum+tcp://stratum+udp://sh -c /sbin/modprobe msr allow_writes=onLS1kb25hdGUtbGV2ZWw90tZG9uYXRlLWxldmVsPtLWRvbmF0ZS1sZXZlbDc3RyYXR1bSt0Y3A6LyN0cmF0dW0rdGNwOi8vzdHJhdHVtK3RjcDovLc3RyYXR1bSt1ZHA6LyN0cmF0dW0rdWRwOi8vzdHJhdHVtK3VkcDovL
Operators
wherehas_any|()