Xmrig Miner
Description
Datasets automatically categorized under the `xmrig_miner` directory: Windows Sysmon telemetry captured during an XMRig miner simulation.
MITRE ATT&CK Techniques
No MITRE techniques specified for this dataset.
Environment Details
| Field | Value |
|---|---|
| Environment | attack_range |
| Directory | xmrig_miner |
| Test Date | 2025-08-12 |
Datasets
The following datasets were collected during this attack simulation:
Windows-Sysmon
- Path: /datasets/malware/xmrig_miner/windows-sysmon.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Related Detections
The following detections in our security content repository use this attack data for testing:
| Detection Name | Type | Source | MITRE ATT&CK | Analytic Story |
|---|---|---|---|---|
| ICACLS Grant Command | Anomaly | Endpoint | T1222 | Ransomware, Crypto Stealer, XMRig, Defense Evasion or Unauthorized Access Via SDDL Tampering |
| Windows Excessive Service Stop Attempt | TTP | Endpoint | T1489 | XMRig, Ransomware, BlackByte Ransomware |
| Modify ACL permission To Files Or Folder | Anomaly | Endpoint | T1222 | Crypto Stealer, XMRig, Defense Evasion or Unauthorized Access Via SDDL Tampering |
| Windows User Disabled Via Net | Anomaly | Endpoint | T1531 | XMRig |
| Windows Excessive Usage Of Net App | Anomaly | Endpoint | T1531 | Prestige Ransomware, Graceful Wipe Out Attack, XMRig, Windows Post-Exploitation, Azorult, Ransomware, Rhysida Ransomware |
| Excessive Attempt To Disable Services | Anomaly | Endpoint | T1489 | XMRig, Azorult |
| Excessive Usage Of Taskkill | Anomaly | Endpoint | T1562.001 | Azorult, AgentTesla, CISA AA22-277A, NjRAT, CISA AA22-264A, XMRig, Crypto Stealer |
| Schtasks Run Task On Demand | TTP | Endpoint | T1053 | Industroyer2, CISA AA22-257A, Data Destruction, Qakbot, XMRig, Medusa Ransomware, Scheduled Tasks |
| XMRIG Driver Loaded | TTP | Endpoint | T1543.003 | CISA AA22-320A, Crypto Stealer, XMRig |
| Executables Or Script Creation In Temp Path | Anomaly | Endpoint | T1036 | Snake Keylogger, China-Nexus Threat Activity, Remcos, LockBit Ransomware, AsyncRAT, DarkCrystal RAT, Derusbi, WinDealer RAT, DarkGate Malware, AcidPour, ValleyRAT, Crypto Stealer, PlugX, Data Destruction, Qakbot, CISA AA23-347A, Hermetic Wiper, Volt Typhoon, Double Zero Destructor, NjRAT, Trickbot, Meduza Stealer, AgentTesla, SnappyBee, Azorult, WhisperGate, Warzone RAT, Swift Slicer, Rhysida Ransomware, Brute Ratel C4, BlackByte Ransomware, Graceful Wipe Out Attack, Chaos Ransomware, Handala Wiper, RedLine Stealer, Salt Typhoon, XMRig, MoonPeak, Industroyer2, Amadey, IcedID, Interlock Rat, APT37 Rustonotto and FadeStealer, PromptLock, Lokibot |
| Windows Suspicious Driver Loaded Path | TTP | Endpoint | T1543.003 | XMRig, CISA AA22-320A, AgentTesla, BlackByte Ransomware, Snake Keylogger, Interlock Ransomware, APT37 Rustonotto and FadeStealer |
| Excessive Usage Of Cacls App | Anomaly | Endpoint | T1222 | Azorult, Windows Post-Exploitation, Prestige Ransomware, XMRig, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering |
| Process Kill Base On File Path | TTP | Endpoint | T1562.001 | XMRig |
| Windows User Deletion Via Net | Anomaly | Endpoint | T1531 | XMRig, Graceful Wipe Out Attack, DarkGate Malware |
| Icacls Deny Command | Anomaly | Endpoint | T1222 | Azorult, Sandworm Tools, Compromised Windows Host, XMRig, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering |
Usage Instructions
Replay with Splunk Attack Data
Replay attack data with replay.py from Splunk Attack Data.
```shell
python replay.py --dataset /datasets/malware/xmrig_miner/windows-sysmon.log --index attack_data
```
Manual Import
- Download the dataset files from the paths listed above
- Configure your Splunk instance with the appropriate sourcetypes
- Import the logs using the Splunk Add Data wizard
Related Content
Find more detections and analytics for this attack technique in our security content repository.
Source: GitHub | Version: 1.0