Rules: Crypto Miner HTTP User Agent
This signal looks for HTTP requests where the user agent matches common names associated with crypto miners. It is common for attackers to install crypto miners on compromised hosts to use your CPU resources for their profit.
| Detail | Value |
|---|---|
| Type | Match |
| Category | Execution |
| Apply Risk to Entities | device_ip, srcDevice_ip, dstDevice_ip, device_hostname, srcDevice_hostname, dstDevice_hostname |
| Signal Name | Crypto Miner HTTP User Agent |
| Summary Expression | User agent string: {{http_userAgent}} contains keywords associated with crypto miners. |
| Score/Severity | Static: 2 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0002, _mitreAttackTactic:TA0040, _mitreAttackTechnique:T1496, _mitreAttackTechnique:T1071.001, _mitreAttackTechnique:T1071 |
- Akamai - SIEM
- Amazon AWS - AWS S3 Server Access Logs
- Amazon AWS - CloudFront
- Amazon AWS - CloudTrail
- Amazon AWS - Elastic Load Balancer
- Amazon AWS - Web Application Firewall (WAF)
- Bro - Bro
- Cloudflare - Logpush
- Forcepoint - Web Security
- Microsoft - IIS
- Okta - Single Sign-On
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | dstDevice_hostname |
| Normalized Schema | dstDevice_ip |
| Normalized Schema | http_userAgent |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |