Hunting cryptominers with NexThink
I know, it's been a minute since my last post. Nevertheless, cryptominers are where the money is right now, so following yesterday's post by Xavier Mertens (@xme) in the SANS Diary, I thought it would be cool to write something in NexThink to use the IOCs. And yes, the next step will be getting the data into Splunk so we can alert on it properly.
In the NexThink world (documentation here), you can use the NxQL Editor to confirm your logic for the API (if you are using Web API V2, which is kind of recommended). You can usually access it from the portal (newest version) or directly from the engine you want to query, like so:
https://nxtengine.mydomain.local:1671/2/editor/nxql_editor.html
I will post a breakdown of the tables and their fields in a later post, but for the time being here is the rule based on the above IOCs, with some added tuning on the side too.
(select ((binary (first_seen last_seen executable_name paths hash threat_level)))
  (from binary
    (where binary (eq executable_name (pattern "*AMDDriver64*")))
    (where binary (eq executable_name (pattern "*Silence*")))
    (where binary (eq executable_name (pattern "*Carbon*")))
    (where binary (eq executable_name (pattern "*xmrig32*")))
    (where binary (eq executable_name (pattern "*nscpucnminer64*")))
    (where binary (eq executable_name (pattern "*mrservicehost*")))
    (where binary (eq executable_name (pattern "*servisce*")))
    (where binary (eq executable_name (pattern "*svchosts3*")))
    (where binary (eq executable_name (pattern "*svhosts*")))
    (where binary (eq executable_name (pattern "*system64*")))
    (where binary (eq executable_name (pattern "*systemiissec*")))
    (where binary (eq executable_name (pattern "*winlogo*"))
      (ne paths (path "%System%/winlogon.exe")))
    (where binary (eq executable_name (pattern "*taskhost*"))
      (ne paths (path "%System%/taskhost.exe"))
      (ne paths (path "%System%/backgroundtaskhost.exe"))
      (ne paths (path "%System%/taskhostw.exe")))
    (where binary (eq executable_name (pattern "*vrmserver*")))
    (where binary (eq executable_name (pattern "*vshell*")))
    (where binary (eq executable_name (pattern "*winlogan*")))
    (where binary (eq executable_name (pattern "*logon*"))
      (ne paths (path "%System%/logonui.exe"))
      (ne paths (path "%System%/winlogon.exe")))
    (where binary (eq executable_name (pattern "*win1nit*")))
    (where binary (eq executable_name (pattern "*wininits*")))
    (where binary (eq executable_name (pattern "*winlnlts*")))
    (where binary (eq executable_name (pattern "*taskngr*")))
    (where binary (eq executable_name (pattern "*tasksvr*")))
    (where binary (eq executable_name (pattern "*mscl*")))
    (where binary (eq executable_name (pattern "*cpuminer*")))
    (where binary (eq executable_name (pattern "*sql31*")))
    (where binary (eq executable_name (pattern "*taskhots*")))
    (where binary (eq executable_name (pattern "*svchostx*")))
    (where binary (eq executable_name (pattern "*xmr86*")))
    (where binary (eq executable_name (pattern "*xmrig*")))
    (where binary (eq executable_name (pattern "*xmr*")))
    (where binary (eq executable_name (pattern "*win1ogin*")))
    (where binary (eq executable_name (pattern "*win1ogins*")))
    (where binary (eq executable_name (pattern "*ccsvchst*")))
    (where binary (eq executable_name (pattern "*nscpucnminer64*")))
    (where binary (eq executable_name (pattern "*update_windows*")))
  )
  (limit 1000))
This provides very few false positives in my environment, so I would recommend giving it a try, but also tune accordingly.
To turn that into a URL you can use from the command line, take the request, paste it into CyberChef, URL-encode it, and then run it like so:
curl -u myusername -k "https://nxtengine.mydomain.local:1671/2/query?query=<add_your_output_here>&platform=windows&format=json"
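The query-building and URL-encoding steps above as a Python script, added here as an example and not part of the original post. The `IOCS` dict is a constructed subset of the rule and the function names are hypothetical; it generates the where clauses, checks parenthesis balance before anything is sent, and prints the URL to hand to the curl command.

```python
from urllib.parse import quote, urlencode

# Constructed subset of the post's rule: name pattern -> legitimate paths to exclude.
IOCS = {
    "*xmrig*": [],
    "*cpuminer*": [],
    "*winlogo*": ["%System%/winlogon.exe"],
    "*taskhost*": ["%System%/taskhost.exe", "%System%/backgroundtaskhost.exe",
                   "%System%/taskhostw.exe"],
}
FIELDS = "first_seen last_seen executable_name paths hash threat_level"

def where_clause(pattern, excluded_paths):
    """One where clause in the shape the post uses: name pattern plus path exclusions."""
    for value in [pattern, *excluded_paths]:
        # A stray quote or parenthesis in an IOC would change the query structure.
        if any(c in value for c in '"()'):
            raise ValueError(f"unsafe character in NXQL literal: {value!r}")
    conds = [f'(eq executable_name (pattern "{pattern}"))']
    conds += [f'(ne paths (path "{p}"))' for p in excluded_paths]
    return f"(where binary {' '.join(conds)})"

def build_query(iocs, limit=1000):
    wheres = "\n".join(where_clause(p, ex) for p, ex in iocs.items())
    return f"(select ((binary ({FIELDS})))\n(from binary\n{wheres}\n)\n(limit {limit}))"

def is_balanced(query):
    """Pre-flight check: parentheses outside quoted strings must balance."""
    depth, in_string = 0, False
    for ch in query:
        if ch == '"':
            in_string = not in_string
        elif not in_string and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:
                return False
    return depth == 0 and not in_string

def query_url(engine, query):
    """Percent-encode the query (the CyberChef step) and add the post's parameters."""
    params = urlencode({"query": query, "platform": "windows", "format": "json"},
                       quote_via=quote)
    return f"https://{engine}:1671/2/query?{params}"

if __name__ == "__main__":
    q = build_query(IOCS)
    if not is_balanced(q):
        raise SystemExit("unbalanced NXQL query")
    print(query_url("nxtengine.mydomain.local", q))
```

`is_balanced` also works on a hand-edited query pasted in as a string, which catches a dropped parenthesis before the engine rejects the request.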
JSON is easier for Splunk to digest, so that's why I have chosen it; it's up to you if you want to choose CSV. The result should look something like this:
That's all for now. I wish you all get 0 results.