Product: Zeek
Use-Case: Cryptomining
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers
---|---|---|---|---
3 | 0 | 2 | 4 | 5

Event Type | Rules | Models
---|---|---
network-connection-failed | T1496 - Resource Hijacking ↳ A-NET-Coin-IP: Connection to IP associated with cryptocurrency mining | 
network-connection-successful | T1496 - Resource Hijacking ↳ A-NET-Coin-IP: Connection to IP associated with cryptocurrency mining | 
web-activity-allowed | T1496 - Resource Hijacking ↳ WEB-Shadow-Mining-IP: User has connected to a known coinmining/shadowmining IP ↳ A-WEB-Shadow-Mining: Host has browsed to a known coinmining/shadowmining domain ↳ A-NET-Coin-IP: Connection to IP associated with cryptocurrency mining; T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-Shadow-Mining-IP: User has connected to a known coinmining/shadowmining IP | 
web-activity-denied | T1496 - Resource Hijacking ↳ WEB-Shadow-Mining-IP: User has connected to a known coinmining/shadowmining IP ↳ A-WEB-Shadow-Mining: Host has browsed to a known coinmining/shadowmining domain ↳ A-NET-Coin-IP: Connection to IP associated with cryptocurrency mining; T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-Shadow-Mining-IP: User has connected to a known coinmining/shadowmining IP | 