title: Crypto Miner User Agent id: fa935401-513b-467b-81f4-f9e77aa0dd78 status: experimental description: Detects suspicious user agent strings used by crypto miners in proxy logs author: Florian Roth date: 2019/10/21 modified: 2020/09/03 references: - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65 - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h logsource: category: proxy detection: selection: c-useragent|startswith: # XMRig - 'XMRig ' # CCMiner - 'ccminer' condition: selection fields: - ClientIP - c-uri - c-useragent falsepositives: - Unknown level: high tags: - attack.command_and_control - attack.t1071.001