
Potential Crypto Mining Activity

Format: Sigma · Level: high · Source: SigmaHQ · ATT&CK: T1496 · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-20T23:00:01Z · Confidence: high

Hunt Hypothesis

Detects command line parameters or strings often used by crypto miners

Detection Rule

Sigma (Original)

title: Potential Crypto Mining Activity
id: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
status: stable
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2023-02-13
tags:
    - attack.impact
    - attack.t1496
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # base64 encoded: --donate-level=
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    filter:
        CommandLine|contains:
            - ' pool.c '
            - ' pool.o '
            - 'gcc -'
    condition: selection and not filter
falsepositives:
    - Legitimate use of crypto miners
    - Some build frameworks
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains " --cpu-priority=" or TargetProcessCommandLine contains "--donate-level=0" or TargetProcessCommandLine contains " -o pool." or TargetProcessCommandLine contains " --nicehash" or TargetProcessCommandLine contains " --algo=rx/0 " or TargetProcessCommandLine contains "stratum+tcp://" or TargetProcessCommandLine contains "stratum+udp://" or TargetProcessCommandLine contains "LS1kb25hdGUtbGV2ZWw9" or TargetProcessCommandLine contains "0tZG9uYXRlLWxldmVsP" or TargetProcessCommandLine contains "tLWRvbmF0ZS1sZXZlbD" or TargetProcessCommandLine contains "c3RyYXR1bSt0Y3A6Ly" or TargetProcessCommandLine contains "N0cmF0dW0rdGNwOi8v" or TargetProcessCommandLine contains "zdHJhdHVtK3RjcDovL" or TargetProcessCommandLine contains "c3RyYXR1bSt1ZHA6Ly" or TargetProcessCommandLine contains "N0cmF0dW0rdWRwOi8v" or TargetProcessCommandLine contains "zdHJhdHVtK3VkcDovL") and (not((TargetProcessCommandLine contains " pool.c " or TargetProcessCommandLine contains " pool.o " or TargetProcessCommandLine contains "gcc -")))

Required Data Sources

Sentinel table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

The rule lists two sources of false positives: legitimate use of crypto miners, and some build frameworks. The second is why the filter excludes command lines containing ' pool.c ', ' pool.o ' or 'gcc -', since a compile step such as `-o pool.o` would otherwise trip the ' -o pool.' indicator.

MITRE ATT&CK Context

T1496 Resource Hijacking, tactic Impact (rule tags attack.impact and attack.t1496).

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml