The kinsing-miner-download rule detects potential Sysrv botnet activity in which an adversary downloads a cryptocurrency-mining payload to a compromised host in order to hijack its server resources. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage botnet infections before they cause widespread resource exhaustion and data exfiltration.
KQL Query
DeviceProcessEvents
| where ProcessCommandLine has_all('curl', '-o /etc/kinsing')
id: b7d58293-7cb6-4e39-8788-03447f971f96
name: kinsing-miner-download
description: |
  This query was originally published in the threat analytics report, Sysrv botnet evolution.
  Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
  The following query finds instances where the attacker commanded the Kinsing miner file to be downloaded on Linux devices.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where ProcessCommandLine has_all('curl', '-o /etc/kinsing')
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update via package manager
Description: A system administrator uses apt-get or yum to download and install a legitimate software update, which coincidentally matches the hash or filename of a Kinsing miner.
Filter/Exclusion: process.name:*apt* OR process.name:*yum* OR process.name:*dnf*
Scenario: Scheduled job for log rotation or backup
Description: A scheduled task (e.g., via cron or task scheduler) runs a script that downloads a file from an internal server, which is falsely identified as a Kinsing miner.
Filter/Exclusion: process.name:*cron* OR process.name:*task* OR process.command_line:*/etc/cron*
Scenario: Admin using wget to download a legitimate tool
Description: An admin uses wget to download a legitimate tool (e.g., nmap, curl, or jq) from an internal repository, which is mistakenly flagged by the rule.
Filter/Exclusion: process.name:*wget* AND (destination.file:*nmap* OR destination.file:*curl* OR destination.file:*jq*)
Scenario: Internal tool deployment via CI/CD pipeline
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a binary from a private artifact repository, which is incorrectly identified as a Kinsing miner.
Filter/Exclusion: process.name:*jenkins* OR process.name:*gitlab-runner* OR process.name:*docker*
Scenario: User manually downloading a file for testing
Description: A user manually downloads a file (e.g., a test payload or a script) for development or testing purposes, which triggers the Kinsing
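The following hunting query is an added example, not the rule page's own query: it starts from the rule's DeviceProcessEvents match and layers the false-positive scenarios listed above on top of it, then summarises per device for triage. The scenario filters on this page are written with ECS-style field names (process.name, destination.file) that do not exist in the DeviceProcessEvents schema, so the query assumes a mapping: process.name becomes InitiatingProcessFileName (the parent that launched the downloader) or FileName, and destination.file becomes the -o/-O target inside ProcessCommandLine. The wget clause, the lookback window and the parent-process name lists are assumptions added for illustration.

```kql
// Added example (not code from the original rule page): one hunting query that
// (1) matches the Kinsing download the rule looks for,
// (2) also catches the wget form of the same write to /etc/kinsing (assumption, not in the rule),
// (3) suppresses the page's false-positive scenarios, translated from its ECS-style
//     field names to the DeviceProcessEvents schema (assumed mapping, see lead-in), and
// (4) summarises per device so an analyst can triage first-seen/last-seen and parents.
let lookback    = 7d;                                                       // assumed hunt window
let PackageMgrs = dynamic(["apt", "apt-get", "yum", "dnf"]);                // scenario: package-manager update
let Schedulers  = dynamic(["cron", "crond", "anacron"]);                    // scenario: scheduled job
let CiAgents    = dynamic(["jenkins", "gitlab-runner", "dockerd"]);         // scenario: CI/CD deployment
let KnownTools  = dynamic(["nmap", "curl", "jq"]);                          // scenario: admin fetching a tool with wget
DeviceProcessEvents
| where Timestamp > ago(lookback)
// The rule's own condition, plus the equivalent wget invocation (assumption)
| where ProcessCommandLine has_all("curl", "-o /etc/kinsing")
     or ProcessCommandLine has_all("wget", "-O /etc/kinsing")
// Exclusions keyed on the parent process that launched the downloader
| where not(InitiatingProcessFileName in~ (PackageMgrs))
| where not(InitiatingProcessFileName in~ (Schedulers) or ProcessCommandLine has "/etc/cron")
| where not(InitiatingProcessFileName in~ (CiAgents))
// wget fetching a known tool: parenthesised so the OR cannot bypass the AND
| where not(FileName =~ "wget" and ProcessCommandLine has_any (KnownTools))
| project Timestamp, DeviceId, DeviceName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            CommandLines = make_set(ProcessCommandLine, 5),
            Parents = make_set(InitiatingProcessCommandLine, 5)
    by DeviceId, DeviceName, AccountName
| order by FirstSeen asc
```

Two tuning points worth weighing before adopting any of these exclusions. First, the write target /etc/kinsing is itself a very specific indicator, so for this rule a parent-process allowlist removes little noise and is better applied as a triage column than as a suppression. Second, a cron- or CI-launched download is exactly how a persistent miner re-fetches itself, so the scheduler and pipeline exclusions should be scoped to named jobs or hosts rather than left as broad process-name matches.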