Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
R0n
01/10/2020, 8:00 PMdoes anyone here have a query how to detect possible malware for crypto-mining?
u
8p8c
01/13/2020, 4:14 PMyou have two ways to approach this:
• collect all network and process data and do the specific searches to determine crypto mining on the log aggregation side
• hone the queries so you'll hit most of the mining ioc's and only collect when searches produce the output.
i personally would lean on the first option as that gives you ability to go back in time and have some kind of way to adjust for noise and changing landscape of miners.
the latter option can give you results also but very much depends on how much there is toleration for noise or things to slip through.
r
R0n
01/20/2020, 5:47 PMso it would be getting all network and process in a query. setup a Pack i assume to run x times a day and monitor that correct?
u
8p8c
01/21/2020, 7:21 PMi think yes.
by nature miners usually have to be long running processes, so they have to stick around and probably connect to certain ips.
r
R0n
01/22/2020, 7:11 PM👍