Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ubiquiti - Possible connection to cryptominning pool

Back
Id7feb3c32-2a11-4eb8-a2d7-e3792b31cb80
RulenameUbiquiti - Possible connection to cryptominning pool
DescriptionDetects connections which may indicate that device is infected with cryptominer.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
T1095
T1571
Required data connectorsUbiquitiUnifi
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml
Version1.0.0
Arm template7feb3c32-2a11-4eb8-a2d7-e3792b31cb80.json
Deploy To Azure
let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);
UbiquitiAuditEvent
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstPortNumber in (susp_dst_ports)  or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')
| extend IPCustomEntity = SrcIpAddr
queryFrequency: 1h
triggerOperator: gt
tactics:
- CommandAndControl
description: |
    'Detects connections which may indicate that device is infected with cryptominer.'
status: Available
relevantTechniques:
- T1071
- T1095
- T1571
name: Ubiquiti - Possible connection to cryptominning pool
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml
severity: Medium
triggerThreshold: 0
version: 1.0.0
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
query: |
  let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);
  UbiquitiAuditEvent
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstPortNumber in (susp_dst_ports)  or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')
  | extend IPCustomEntity = SrcIpAddr  
id: 7feb3c32-2a11-4eb8-a2d7-e3792b31cb80
requiredDataConnectors:
- connectorId: UbiquitiUnifi
  dataTypes:
  - UbiquitiAuditEvent
kind: Scheduled
queryPeriod: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7feb3c32-2a11-4eb8-a2d7-e3792b31cb80')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7feb3c32-2a11-4eb8-a2d7-e3792b31cb80')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Ubiquiti - Possible connection to cryptominning pool",
        "description": "'Detects connections which may indicate that device is infected with cryptominer.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);\nUbiquitiAuditEvent\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where DstPortNumber in (susp_dst_ports)  or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071",
          "T1095",
          "T1571"
        ],
        "alertRuleTemplateName": "7feb3c32-2a11-4eb8-a2d7-e3792b31cb80",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}