Moved parsers to Parsers directory, and reworked crypto currency miners hunting query into yaml and placed in Hunting Queries directory
This commit is contained in:
Kevin Sheldrake
Родитель
0f74948d7e
Коммит
2bdc91501f
|
|
@ -1,9 +0,0 @@
|
|||
// Use the SyslogExecve function from SyslogExecve.txt to hunt for crypto currency miners being downloaded
|
||||
//
|
||||
|
||||
SyslogExecve
|
||||
| where comm in ("wget", "curl")
|
||||
| where cmdline contains "nicehashminer" or cmdline contains "ethminer" or cmdline contains "equihash" or cmdline contains "NsCpuCNMiner64" or cmdline contains "minergate" or cmdline contains "minerd" or cmdline contains "cpuminer" or cmdline contains "xmr-stak-cpu" or cmdline contains "xmrig" or cmdline contains "stratum+tcp" or cmdline contains "cryptonight" or cmdline contains "monero" or cmdline contains "oceanhole" or cmdline contains "dockerminer" or cmdline contains "xmrdemo"
|
||||
| project TimeGenerated, Computer, audit_user, user, cmdline
|
||||
| sort by TimeGenerated desc
|
||||
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
id: 1ef1c38f-26dd-4e28-b884-5b3665352648
|
||||
name: Crypto Currency Miners
|
||||
description: |
|
||||
'This query hunts through Execve syslog data generated by AUOMS to find instances of crypto currency miners being
|
||||
downloaded. It returns a table of suspicious command lines.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: Syslog
|
||||
dataTypes:
|
||||
- Syslog
|
||||
tactics:
|
||||
- Persistence
|
||||
- Execution
|
||||
query: |
|
||||
// Extract EventType and EventData from AUOMS Syslog message
|
||||
Syslog
|
||||
| parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
|
||||
| project TimeGenerated, EventType, Computer, EventData
|
||||
// Extract AUOMS_EXECVE details from EventData
|
||||
| where EventType == "AUOMS_EXECVE"
|
||||
| parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid "effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\" name=\"" name "\"" * "cmdline=\"" cmdline "\" containerid=" containerid
|
||||
// Find wget and curl commands
|
||||
| where comm in ("wget", "curl")
|
||||
// Find command lines featuring known crypto currency miner names
|
||||
| where cmdline contains "nicehashminer" or cmdline contains "ethminer" or cmdline contains "equihash" or cmdline contains "NsCpuCNMiner64" or cmdline contains "minergate" or cmdline contains "minerd" or cmdline contains "cpuminer" or cmdline contains "xmr-stak-cpu" or cmdline contains "xmrig" or cmdline contains "stratum+tcp" or cmdline contains "cryptonight" or cmdline contains "monero" or cmdline contains "oceanhole" or cmdline contains "dockerminer" or cmdline contains "xmrdemo"
|
||||
| project TimeGenerated, Computer, audit_user, user, cmdline
|
||||
| sort by TimeGenerated desc
|
||||
Загрузка…
Ссылка в новой задаче