Cryptomining

Use the IBM® QRadar® Cryptomining Content Extension to closely monitor for cryptomining in your deployment. Baseline Maintenance content extension 1.05 or higher is required for Cryptomining to perform correctly. Install the Baseline Maintenance content extension before you install Cryptomining.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Cryptomining Content Extensions

IBM Security QRadar Cryptomining Content Extension 1.1.1
IBM Security QRadar Cryptomining Content Extension 1.1.0
IBM Security QRadar Cryptomining Content Extension 1.0.0

IBM Security QRadar Cryptomining Content Extension 1.1.1

The following table shows the custom properties that are included in IBM Security QRadar Cryptomining Content Extension 1.1.1.

Table 1. Custom Properties in IBM Security QRadar Cryptomining 1.1.1
Custom property	Found in
Command Arguments	Linux
Filename	Amazon AWS Azure Bit9 Security Platform Blue Coat Carbon Black Protection Cisco AMP Cisco Firepower Cisco Ironport Endpoint FireEye MPS Fortinet FortiAnalyzer Linux McAfee EPO Microsoft Office 365 Microsoft Windows osquery Palo Alto PA Series Postfix Squid Sysmon VMware Microsoft 365 Defender
Machine ID	Linux Microsoft Windows
MD5 Hash	Cisco AMP Microsoft 365 Defender Microsoft Windows
Process CommandLine	Carbon Black Response Kubernetes Microsoft Windows osquery Sysmon
Process Name	Carbon Black Response Endpoint FireEye MPS Linux Microsoft Windows ObserveIT osquery
SHA256 Hash	Cisco AMP Microsoft 365 Defender osquery Sysmon
UrlHost	Blue Coat Cisco Ironport IBM Cloud Discovery App for QRadar McAfee EPO Squid Microsoft 365 Defender

The following table shows the rules in IBM Security QRadar Cryptomining 1.1.1.

Table 2. Rules in IBM Security QRadar Cryptomining 1.1.1
Type	Name	Description
Rule	Exploit Attempt Followed By Cryptocurrency Mining Activity	Triggers when an exploit or attack type activity is followed by cryptocurrency mining activity on the same host. This could indicate a machine infected by a malware or a misuse of a corporate asset.

_{(Back to top)}

IBM Security QRadar Cryptomining Content Extension 1.1.0

Note: Some of the custom properties that are included in this content extension are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.

The following table shows the custom properties that are included in IBM Security QRadar Cryptomining Content Extension 1.1.0.

Table 3. Custom Properties in IBM Security QRadar Cryptomining 1.1.0
Name	Optimized	Capture Group	Regex
File Hash	Yes	1	FILE_HASH=([^\s]+)
Threat Name	Yes	1	EVC_EV_VIRUS_NAME=([^\s]+)

The following table shows the custom properties that are included as placeholders in IBM Security QRadar Cryptomining Content Extension 1.1.0.

Table 4. Placeholder Custom Properties in IBM Security QRadar Cryptomining Content Extension 1.1.0
Custom Property	Found in
Command Arguments	Linux
Machine ID	Linux Microsoft Windows
MD5 Hash	Cisco AMP Microsoft 365 Defender Microsoft Windows
Process Name	Carbon Black Response Endpoint FireEye MPS Linux Microsoft Windows ObserveIT osquery
SHA1 Hash	Cisco AMP Microsoft 365 Defender Microsoft Windows Sysmon
SHA256 Hash	Cisco AMP Microsoft 365 Defender osquery Sysmon

The following table shows the rules and building blocks in IBM Security QRadar Cryptomining 1.1.0.

Table 5. Rules and Building Blocks in IBM Security QRadar Cryptomining 1.1.0
Type	Name	Description
Building Block	BB:Threats: Communication to Cryptocurrency Mining URL for Events	Triggers when a communication to a cryptocurrency mining host is detected. Populate the Cryptocurrency Mining Hosts reference set with relevant URLs.
Building Block	BB:Threats: Cryptocurrency Mining Ports	Triggers when a communication using a common cryptocurrency mining port is detected.
Building Block	BB:Threats: Cryptocurrency Mining Process Name Patterns	Triggers when a cryptocurrency mining process starts.
Building Block	BB:Threats: Cryptocurrency Mining Process Names	Triggers when a cryptocurrency mining process starts.
Building Block	BB:Threats: Cryptocurrency Mining Threat Hashes for Events	Triggers when a cryptocurrency mining file hash is observed. Populate the Cryptocurrency Mining Threat Hashes reference set with relevant file hashes.
Building Block	BB:Threats: Cryptocurrency Mining Threat Hashes for Flows	Triggers when a cryptocurrency mining file hash is observed. Populate the Cryptocurrency Mining Threat Hashes reference set with relevant file hashes.
Building Block	BB:Threats: Cryptocurrency Mining Threat Name Patterns	Triggers when a cryptocurrency mining threat name is detected.
Building Block	BB:Threats: Cryptocurrency Mining Threat Names	Triggers when a cryptocurrency mining threat name is detected.
Building Block	BB:Threats: X-Force Premium: Internal Connection to Host Categorized as Cryptocurrency Mining	Triggers when an internal system communicates with an IP address that is considered to be hosting cryptocurrency mining. It could be an indicator of a cryptocurrency mining malware infection. The default confidence (75) indicates a strong possibility that this is a cryptocurrency mining host.
Building Block	BB:Threats: X-Force Premium: Internal Host Communication with Cryptocurrency Mining URL for Events	Triggers when an internal system communicates with a URL that is considered to be hosting cryptocurrency mining. It could be an indicator of a cryptocurrency mining malware infection.
Rule	Cryptocurrency Mining Command Execution	Triggers when a cryptocurrency mining command is detected. This could indicate a machine infected by a malware or a misuse of a corporate asset.
Rule	Cryptocurrency Mining File Hash	Triggers when a cryptocurrency mining file hash is detected. This could indicate a machine infected by a malware or a misuse of a corporate asset.
Rule	Cryptocurrency Mining Process	Triggers when a cryptocurrency mining process is detected. This could indicate a machine infected by a malware or a misuse of a corporate asset.
Rule	Cryptocurrency Mining Threat Name	Triggers when cryptocurrency mining threats (e.g. virus, malware) are detected. This could indicate a machine infected by a malware or a misuse of a corporate asset.
Rule	Cryptocurrency Mining Traffic	Triggers when cryptocurrency mining traffic is detected. This could indicate a machine communicating with a cryptocurrency mining pool using an uncategorized IP.
Rule	Exploit Attempt Followed By Cryptocurrency Mining Activity	Triggers when an exploit or attack type activity is followed by cryptocurrency mining activity on the same host. This could indicate a machine infected by a malware or a misuse of a corporate asset.
Rule	In-Browser Cryptojacking - JavaScript File Hash	Triggers when a JavaScript file hash related to cryptojacking is detected. This could indicate that the browser sent a GET request to load a cryptojacking JavaScript file and could be infected by a malware or reveal the misuse of a corporate asset.
Rule	In-Browser Cryptojacking - JavaScript Filename	Triggers when a JavaScript filename related to cryptojacking is detected. This could indicate that the browser sent a GET request to load a cryptojacking JavaScript file and could be infected by a malware or reveal the misuse of a corporate asset.
Rule	Successful Communication to Cryptocurrency Mining Host	Triggers when a successful communication to a cryptocurrency mining host is detected. This could indicate a machine infected by a malware or a misuse of a corporate asset.

The following table shows the reference sets in IBM Security QRadar Cryptomining 1.1.0.

Table 6. Reference Sets in IBM Security QRadar Cryptomining 1.1.0
Name	Description
Cryptocurrency Mining JavaScript File Hashes	Contains a list of cryptocurrency mining JavaScript file hashes.

The following table shows the saved searches in IBM Security QRadar Cryptomining 1.1.0.

Table 7. Saved Searches in IBM Security QRadar Cryptomining 1.1.0
Name	Description
Destination Addresses with Cryptocurrency Mining Activities	Shows all events with cryptocurrency mining activities (triggered one of the rules) and groups them by destination address and destination port.
Destination Addresses with Cryptocurrency Mining Activities	Shows all flows with cryptocurrency mining activities (triggered one of the rules) and groups them by destination address and destination port.
Source Addresses with Cryptocurrency Mining Activities	Shows all events with cryptocurrency mining activities (triggered one of the rules) and groups them by source address and source port.
Source Addresses with Cryptocurrency Mining Activities	Shows all flows with cryptocurrency mining activities (triggered one of the rules) and groups them by source address and source port.

_{(Back to top)}

IBM Security QRadar Cryptomining Content Extension 1.0.0

The following table shows the custom properties that are included in IBM Security QRadar Cryptomining Content Extension 1.0.0.

Note: The custom properties that are included in this content extension are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.

Table 8. Custom Properties in IBM Security QRadar Cryptomining Content Extension 1.0.0
Custom Property	Found in
File Hash	Bit9 Security Platform Carbon Black Protection Carbon Black Response Cisco AMP Cisco Firepower FireEye MPS Lastline Enterprise McAfee EPO Microsoft 365 Defender osquery Sysmon
File_Hash	Endpoint QRadar Network Insights Content Extension
Filename	Amazon AWS Azure Bit9 Security Platform Blue Coat Carbon Black Protection Cisco AMP Cisco Firepower Cisco Ironport Endpoint FireEye MPS Fortinet FortiAnalyzer Linux McAfee EPO Microsoft Office 365 Microsoft Windows osquery Palo Alto PA Series Postfix Squid Sysmon VMware Microsoft 365 Defender
HTTP Host	Endpoint QRadar Network Insights Content Extension
ImageName	Sysmon
Process CommandLine	Carbon Black Response Kubernetes Microsoft Windows osquery Sysmon
Process Name	Carbon Black Response Endpoint FireEye MPS Linux Microsoft Windows ObserveIT osquery
Threat Name	Amazon AWS Cisco AMP Cisco Ironport Fortinet FortiAnalyzer McAfee EPO Threat Monitoring Microsoft 365 Defender Zscaler
URL	Blue Coat Check Point Cisco Ironport IBM Security QRadar DNS Analyzer FireEye MPS Fortinet FortiAnalyzer Juniper SSL VPN McAfee EPO Palo Alto PA Series Squid Symantec Endpoint Protection Threat Monitoring Microsoft 365 Defender
URLHost	Blue Coat Cisco Ironport IBM Cloud Discovery App for QRadar McAfee EPO Squid Microsoft 365 Defender

The following table shows the rules and building blocks in IBM Security QRadar Cryptomining Content Extension 1.0.0.

Table 9. Rules and Building Blocks in IBM Security QRadar Cryptomining Content Extension 1.0.0
Type	Name	Description
Building Block	BB:DeviceDefinition: Operating System	This rule defines all operating systems on the system.
Building Block	BB:Threats: Communication to Cryptocurrency Mining IP	Detects communications to cryptocurrency mining IP addresses. Update the reference set for tuning.
Building Block	BB:Threats: Communication to Cryptocurrency Mining URL for Events	Detects communications to cryptocurrency mining hosts. Update the reference set for tuning.
Building Block	BB:Threats: Communication to Cryptocurrency Mining URL for Flows	Detects communications to cryptocurrency mining hosts. Update the reference set for tuning.
Building Block	BB:Threats: Cryptocurrency Mining Process Name Patterns	Detects when a well-known cryptocurrency mining process starts.
Building Block	BB:Threats: Cryptocurrency Mining Process Names	Detects when a well-known cryptocurrency mining process starts.
Building Block	BB:Threats: Cryptocurrency Mining Threat Hashes for Events	Detects threats to cryptocurrency mining with an SHA256 Hash. Update the reference set for tuning.
Building Block	BB:Threats: Cryptocurrency Mining Threat Hashes for Flows	Detects communications to cryptocurrency mining hosts. Update the reference set for tuning.
Building Block	BB:Threats: Cryptocurrency Mining Threat Name Patterns	Detects threats to cryptocurrency mining with frequently used terms, such as coin, crypto, and mine. Update the regular expression for tuning.
Building Block	BB:Threats: Cryptocurrency Mining Threat Names	Detects threats to cryptocurrency mining. Update the reference set for tuning.
Building Block	BB:Threats: X-Force Premium: Internal Connection to Host Categorized as Cryptocurrency Mining	This rule notifies when an internal system communicates with an IP address that is considered to be hosting cryptocurrency mining. It might be an indicator of a cryptocurrency mining malware infection. The default confidence (75) indicates a strong possibility that this is a cryptocurrency mining host.
Building Block	BB:Threats: X-Force Premium: Internal Host Communication with Cryptocurrency Mining URL for Events	This rule notifies when an internal client loads a web URL known for cryptocurrency mining activity.
Building Block	BB:Threats: X-Force Premium: Internal Host Communication with Cryptocurrency Mining URL for Flows	This rule notifies when an internal system communicates with an HTTP host that is considered to be hosting cryptocurrency mining. It might be an indicator of a cryptocurrency mining malware infection.
Rule	Detected a Communication to Cryptocurrency Mining Host	Detects communications to a cryptocurrency mining destination. This might indicate a compromised host by cryptocurrency mining malware.
Rule	Detected a Cryptocurrency Mining Activity Based on File Hash	Detects cryptocurrency mining file hashes.
Rule	Detected a Cryptocurrency Mining Activity Based on Process Command Line	Detects when a cryptocurrency mining activity based on process command line.
Rule	Detected a Cryptocurrency Mining Activity Based on Threat Name	Detects cryptocurrency mining threats.
Rule	Detected a Cryptocurrency Mining Process	Detects when a well-known cryptocurrency mining process starts.
Rule	Detected In-Browser Cryptojacking based on Loaded Javascript File Hash	Detects when the browser sends a GET request to load a cryptojacking javascript file. The rule uses the file hash to detect that activity.
Rule	Detected In-Browser Cryptojacking based on Loaded Javascript File Name	Detects when the browser sends a GET request to load a cryptojacking javascript file. The rule uses the URL file name component to detect that activity.
Rule	Exploit Attempt Followed By Cryptocurrency Mining Activity	Reports an exploit or attack type activity from the same source IP address followed by cryptocurrency mining activity from the same destination IP address as the original event within 15 minutes.

The following table shows the reports in IBM Security QRadar Cryptomining Content Extension 1.0.0.

Table 10. Reports in IBM Security QRadar Cryptomining Content Extension 1.0.0
Report Name	Search Name and Dependencies
IPs with Cryptocurrency Mining Activities	This report provides an overview of IP addresses related to cryptocurrency mining. Update the search filter for more tuning.

The following table shows the reference sets in IBM Security QRadar Cryptomining Content Extension 1.0.0.

Note: The elements in the Reference Sets do not expire by default. To ensure your reference sets are not overfilled, you can set an expiration date to the elements.

Table 11. Reference Sets in IBM Security QRadar Cryptomining Content Extension 1.0.0
Name	Description
Cryptocurrency Mining Hosts	Contains a list of cryptocurrency mining hosts.
Cryptocurrency Mining Javascript File Hashes	Contains a list of cryptocurrency mining Javascript file hashes.
Cryptocurrency Mining Threat Hashes	Contains a list of cryptocurrency mining threat file hashes.
Cryptocurrency Mining Javascript File Names	Contains a list of cryptocurrency mining Javascript file names.
Cryptocurrency Mining IPs	Contains a list of cryptocurrency mining IP addresses.
Cryptocurrency Mining Threat Names	Contains a list of cryptocurrency mining threat file names.
Cryptocurrency Mining Process Names	Contains a list of cryptocurrency mining processes.

The following table shows the saved searches in IBM Security QRadar Cryptomining Content Extension 1.0.0.

Table 12. Saved Searches in IBM Security QRadar Cryptomining Content Extension 1.0.0
Name	Description
Source Addresses with Cryptocurrency Mining Activities	Shows all events with cryptocurrency mining activities (triggered one of the rules) and groups them by source address and source port.
Destination Addresses with Cryptocurrency Mining Activities	Shows all events with cryptocurrency mining activities (triggered one of the rules) and groups them by destination address and destination port.
Source Addresses with Cryptocurrency Mining Activities	Shows all flows with cryptocurrency mining activities (triggered one of the rules) and groups them by source address and source port.
Destination Addresses with Cryptocurrency Mining Activities	Shows all flows with cryptocurrency mining activities (triggered one of the rules) and groups them by destination address and destination port.

_{(Back to top)}