```yaml
title: Windows Crypto Mining Pool Connections
id: fa5b1358-b040-4403-9868-15f7d9ab6329
status: stable
description: Detects process connections to a Monero crypto mining pool
references:
  - https://www.poolwatch.io/coin/monero
author: Florian Roth
date: 2021/10/26
logsource:
  category: network_connection
  product: windows
detection:
  # Sysmon Event ID 3: network connection
  SELECTION_1:
    EventID: 3
  # Known Monero mining pool hostnames
  SELECTION_2:
    DestinationHostname: pool.minexmr.com
  SELECTION_3:
    DestinationHostname: fr.minexmr.com
  SELECTION_4:
    DestinationHostname: de.minexmr.com
  SELECTION_5:
    DestinationHostname: sg.minexmr.com
  SELECTION_6:
    DestinationHostname: ca.minexmr.com
  SELECTION_7:
    DestinationHostname: us-west.minexmr.com
  SELECTION_8:
    DestinationHostname: pool.supportxmr.com
  SELECTION_9:
    DestinationHostname: mine.c3pool.com
  SELECTION_10:
    DestinationHostname: xmr-eu1.nanopool.org
  SELECTION_11:
    DestinationHostname: xmr-eu2.nanopool.org
  SELECTION_12:
    DestinationHostname: xmr-us-east1.nanopool.org
  SELECTION_13:
    DestinationHostname: xmr-us-west1.nanopool.org
  SELECTION_14:
    DestinationHostname: xmr-asia1.nanopool.org
  SELECTION_15:
    DestinationHostname: xmr-jp1.nanopool.org
  SELECTION_16:
    DestinationHostname: xmr-au1.nanopool.org
  SELECTION_17:
    DestinationHostname: xmr.2miners.com
  SELECTION_18:
    DestinationHostname: xmr.hashcity.org
  SELECTION_19:
    DestinationHostname: xmr.f2pool.com
  SELECTION_20:
    DestinationHostname: xmrpool.eu
  SELECTION_21:
    DestinationHostname: pool.hashvault.pro
  SELECTION_22:
    DestinationHostname: moneroocean.stream
  SELECTION_23:
    DestinationHostname: monerocean.stream
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23))
falsepositives:
  - Legitimate use of crypto miners
level: high
yml_filename: win_net_crypto_mining.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
```