Cryptojacking Campaign Targets Docker and Kubernetes: A Surge in Container-Based Attacks


Tags: Cryptojacking, Crypto Mining, Malware, Misconfigured Containers, Cryptocurrency Mining Attack, Docker cryptojacking, Kubernetes malware attack
A new cryptojacking campaign has emerged that exploits unsecured Docker installations to spread malware for cryptocurrency mining purposes. Attackers are leveraging open application programming interfaces (APIs) to gain access to Docker hosts and deploy containers that consume resources and potentially degrade performance by engaging in illegal crypto mining activities.

Indicators of Compromise

x.solscan.live
metadata.name
solscan.live
borg.wtf

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

T1222.002 - Linux and Mac File and Directory Permissions Modification


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.[3]

DS0022

File

File Metadata

Monitor and investigate attempts to modify ACLs and file/directory ownership. Consider enabling file/directory permission change auditing on folders containing key binary/configuration files.

This looks for any invocations of chmod. Note that this is likely to be noisier than the Windows-specific implementation, although Linux does not generate logs for system-triggered activities as Windows does. In addition, it may be necessary to whitelist cron jobs that regularly run and execute chmod.

Analytic 1 - Access Permission Modification for Linux

source="linux:" CommandLine="chmod*"
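The analytic above is a one-line pseudocode search. As an added example (not part of the page or of the ATT&CK analytic), the following Python applies the same logic to constructed command-execution records, ranks hits by the argument patterns the guidance names as commonly abused (chmod +x, chmod -R 755, chmod 777), and suppresses allowlisted cron jobs as the guidance recommends. The record layout, the allowlist and the sample entries are assumptions.

```python
import re

# Constructed sample command-execution records (assumption: one record per line,
# "<parent process>|<user>|<command line>", a simplified EXECVE-style log).
SAMPLE_LOG = """\
cron|root|chmod 644 /var/log/app/rotate.log
bash|www-data|chmod +x /tmp/.x/payload
bash|root|chmod -R 755 /opt/app/bin
sshd|deploy|chmod 777 /var/www/html/uploads
bash|root|ls -la /etc/cron.d
cron|root|chmod +x /usr/local/bin/backup.sh
bash|alice|chmod 600 /home/alice/.ssh/id_ed25519
"""

# Any chmod invocation, equivalent to the CommandLine="chmod*" search above.
CHMOD_RE = re.compile(r"(?:^|/|\s)chmod\b")

# Argument patterns the guidance lists as commonly abused.
SUSPICIOUS_PATTERNS = {
    "chmod +x": re.compile(r"\bchmod\s+(?:-\S+\s+)*\+x\b"),
    "chmod -R 755": re.compile(r"\bchmod\s+-R\s+755\b"),
    "chmod 777": re.compile(r"\bchmod\s+(?:-\S+\s+)*777\b"),
}

# Scheduled jobs known to run chmod (assumption: exact command match, honoured only
# when the parent is the cron daemon, so a novel cron job still alerts).
ALLOWLISTED_CRON_COMMANDS = {
    "chmod 644 /var/log/app/rotate.log",
}


def parse_record(line):
    parent, user, cmd = line.split("|", 2)
    return {"parent": parent, "user": user, "cmd": cmd}


def is_allowlisted_cron(rec):
    return rec["parent"] in ("cron", "crond") and rec["cmd"] in ALLOWLISTED_CRON_COMMANDS


def analyze(log_text):
    """Return one finding per non-allowlisted chmod invocation, severity by argument pattern."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if not CHMOD_RE.search(rec["cmd"]):
            continue
        if is_allowlisted_cron(rec):
            continue
        reasons = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(rec["cmd"])]
        findings.append({**rec, "severity": "high" if reasons else "info", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['user']} via {f['parent']}: {f['cmd']}  {f['reasons']}")
```

Every chmod that is not an allowlisted cron job is reported, so the baseline comparison the guidance asks for is done by the allowlist, and the severity split keeps the high-volume "info" hits from drowning out the abused argument forms.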

DS0009

Process

Process Creation

Monitor for newly executed processes that may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[1][2]


T1053.003 - Cron


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executions of the atq command and ensure that the IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables (the machines that created the jobs) are trusted hosts. All at jobs are stored in /var/spool/cron/atjobs/.

DS0022

File

File Modification

Monitor for changes made to files for unexpected modifications to access permissions and attributes.

Analytic 1 - Modified Files in Linux Cron Directories

source="Linux:" (Path LIKE "/etc/cron.allow.d" OR Path LIKE "/etc/cron.d/" OR Path LIKE "/etc/cron.hourly" OR Path LIKE "/etc/cron.daily" OR Path LIKE "/etc/cron.weekly" OR Path LIKE "/etc/cron.monthly")

DS0009

Process

Process Creation

Create a baseline of cron jobs and the processes that they spawn in your environment. Monitor for newly spawned outlier processes that are executed through cron jobs that have not been seen before when compared against the baseline data.

Analytic 1 - Unusual Cron Job Creation

source="Linux:" (Image="crontab" OR Image="cron") AND (CommandLine LIKE "crontab -e" OR CommandLine LIKE "cron")

Analytic 2 - Unusual Execution Frequency

source="Linux:" (Image="crond" OR Image="cron") AND ImageCount >= 100
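Both the file-modification analytic and the baseline guidance for cron come down to comparing the current contents of the cron directories against a known-good snapshot. The Python below is an added example, not the page's or ATT&CK's code: it hashes every file under the cron directories, keeps that as the baseline, and reports additions, removals and modifications on the next pass. The sample tree is built in a temporary directory, so all paths and file contents are constructed; the directory list is the one the analytic names plus a per-user crontab spool (assumption: Debian-style /var/spool/cron/crontabs).

```python
import hashlib
import tempfile
from pathlib import Path

# Directories the cron analytic names, plus per-user crontabs (assumption: Debian-style
# spool path; Red Hat-derived systems use /var/spool/cron).
CRON_DIRS = [
    "/etc/cron.d",
    "/etc/cron.hourly",
    "/etc/cron.daily",
    "/etc/cron.weekly",
    "/etc/cron.monthly",
    "/var/spool/cron/crontabs",
]


def snapshot(root="/", dirs=CRON_DIRS):
    """Map each file under the cron directories (relative to root) to its SHA-256."""
    root = Path(root)
    state = {}
    for d in dirs:
        base = root / d.lstrip("/")
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                rel = "/" + p.relative_to(root).as_posix()
                state[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return state


def compare(baseline, current):
    """Return the paths that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def _write(root, rel, content):
    p = Path(root) / rel.lstrip("/")
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(content)


def demo():
    """Constructed scenario: take a baseline, then add one cron entry and rewrite another."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "/etc/cron.d/logrotate", "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
        _write(root, "/etc/cron.daily/apt-compat", "#!/bin/sh\nexec /usr/lib/apt/apt.systemd.daily\n")
        _write(root, "/var/spool/cron/crontabs/alice", "30 7 * * 1-5 /home/alice/bin/sync.sh\n")
        baseline = snapshot(root)

        # Later pass: a new entry appears and an existing file gains an extra line.
        _write(root, "/etc/cron.d/update", "* * * * * root /tmp/.x/update.sh\n")
        _write(root, "/etc/cron.d/logrotate",
               "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
               "*/5 * * * * root /tmp/.x/update.sh\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind}: {path}")
```

Run against the real root, `snapshot()` and a stored copy of an earlier result give the baseline comparison the Process Creation row asks for; re-baselining after a package upgrade keeps the diff tied to what actually changed.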

DS0003

Scheduled Job

Scheduled Job Creation

Monitor for newly constructed scheduled jobs. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.



T1021.004 - SSH


ID

Data Source

Data Component

Detects

DS0028

Logon Session

Logon Session Creation

Monitor for user accounts logged into systems that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on Linux systems SSH logon activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.

For Linux systems, the Audit framework (auditd) can be used to monitor any writes to SSH log files that store information about logged in accounts such as /var/log/auth.log.

For macOS systems (10.12+), Unified Logs can be queried to show SSH daemon (sshd) messages that include information on logged in accounts. The following command-line can be used to query the last hour’s worth of unified logs in this manner: log show --info --debug --predicate 'processImagePath CONTAINS "sshd" AND eventMessage CONTAINS "Accepted"' --last 1h | grep sshd

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections (typically port 22) that may use Valid Accounts to log into remote machines using Secure Shell (SSH). Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH.

Network Analysis Frameworks such as Zeek can be used to capture, decode, and alert on network traffic. Accordingly, they can be used to look for the creation of SSH network connections.

DS0009

Process

Process Creation

Monitor for newly executed processes that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on macOS systems log show --predicate 'process = "sshd"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = "ssh" or eventMessage contains "ssh"' can be used to review outgoing SSH connection activity.[21]

For Linux systems, the Audit framework (auditd) can be used to monitor for the creation of SSH related processes such as ssh.

For macOS systems (10.12+), the above command can be used to look through the Unified Logs for SSH connection activity, though we also recommend including the "--debug" parameter to ensure that all relevant data is returned: log show --info --debug --predicate 'process = "ssh" or eventMessage contains "ssh"'


T1552.002 - Credentials in Registry


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may search the Registry on compromised systems for insecurely stored credentials.

DS0009

Process

Process Creation

Monitor newly executed processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.

Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.

Analytic 1 - Credentials in Files & Registry

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND
(CommandLine="reg query HKLM /f password /t REG_SZ /s" OR CommandLine="reg query HKCU /f password /t REG_SZ /s" OR CommandLine="Get-UnattendedInstallFile" OR CommandLine="Get-Webconfig" OR CommandLine="Get-ApplicationHost" OR CommandLine="Get-SiteListPassword" OR CommandLine="Get-CachedGPPPassword" OR CommandLine="Get-RegistryAutoLogon*")

DS0024

Windows Registry

Windows Registry Key Access

Monitor for unexpected Windows Registry keys being accessed that may indicate searching the Registry on compromised systems for insecurely stored credentials.


T1082 - System Information Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.



Process Creation

Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.


T1562.004 - Disable or Modify System Firewall


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments associated with disabling or modifying system firewalls, such as netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes, ufw disable, and ufw logging off.

DS0018

Firewall

Firewall Disable

Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).



Firewall Rule Modification

Monitor for changes made to firewall rules that might allow remote communication over protocols such as SMB and RDP. Modification of firewall rules might also include opening local ports and services for different network profiles such as public and domain.

DS0024

Windows Registry

Windows Registry Key Modification

Monitor for changes made to Windows Registry keys and/or values that adversaries might use to disable or modify System Firewall settings, such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.



T1078.001 - Default Accounts


ID

Data Source

Data Component

Detects

DS0028

Logon Session

Logon Session Creation

Monitor for newly constructed logon behavior across default accounts that have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.

DS0002

User Account

User Account Authentication

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials.


T1574.006 - Dynamic Linker Hijacking


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments associated with modifications to variables and files associated with loading shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.

DS0022

File

File Creation

Monitor for newly constructed files that are added to absolute paths of shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.



File Modification

Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.

DS0011

Module

Module Load

Monitor library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.

DS0009

Process

Process Creation

Monitor for newly executed processes for unusual activity (e.g., a process that does not use the network begins to do so).


T1016 - System Network Configuration Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses.



Process Creation

Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses.

Note: The Analytic looks for the creation of ipconfig, route, and nbtstat processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning.

Analytic 1 - Suspicious Process

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (Image="C:\Windows\System32\ipconfig.exe" OR Image="C:\Windows\System32\route.exe" OR Image="C:\Windows\System32\nbtstat.exe")

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system; these would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.


T1552.001 - Credentials In Files


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.

DS0022

File

File Access

Monitor for files being accessed that may search local file systems and remote file shares for files containing insecurely stored credentials. While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained.

DS0009

Process

Process Creation

Monitor newly executed processes for local file systems and remote file shares for files containing insecurely stored credentials.

Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.

Analytic 1 - Credentials in Files & Registry

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND
(CommandLine="reg query HKLM /f password /t REG_SZ /s" OR CommandLine="reg query HKCU /f password /t REG_SZ /s" OR CommandLine="Get-UnattendedInstallFile" OR CommandLine="Get-Webconfig" OR CommandLine="Get-ApplicationHost" OR CommandLine="Get-SiteListPassword" OR CommandLine="Get-CachedGPPPassword" OR CommandLine="Get-RegistryAutoLogon*")


T1027.004 - Compile After Delivery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that could be taken to gather common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

DS0022

File

File Creation

Monitor for newly constructed files for payloads.



File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

DS0009

Process

Process Creation

Monitor for newly constructed processes and/or command-lines that look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system. Typically these should only be used in specific and limited cases, like for software development.


T1496 - Resource Hijacking


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may indicate common cryptomining or proxyware functionality.

DS0022

File

File Creation

Monitor for common cryptomining or proxyware files on local systems that may indicate compromise and resource usage.

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts; look for connections to/from strange ports, as well as the reputation of IPs and URLs related to cryptocurrency hosts.



Network Traffic Content

Monitor network traffic content for resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

Note: Destination Host Name is not a comprehensive list of potential cryptocurrency URLs. This analytic has a hardcoded domain name which may change.



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
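The three network-traffic rows above (reputation of destinations, a hardcoded IoC domain, and processes that never used the network before) can be evaluated together. The Python below is an added example, not the page's code: it checks constructed outbound-connection records against the campaign IoC domains listed at the top of this page and against a per-process baseline of expected ports. The record layout, the baseline and the sample connections are assumptions; only the domains come from the page.

```python
# IoC domains taken from the page's Indicators of Compromise list.
IOC_DOMAINS = {"x.solscan.live", "solscan.live", "borg.wtf"}

# Processes expected to use the network and the ports they normally use
# (assumption: learned from a quiet period on the host).
NETWORK_BASELINE = {
    "sshd": {22},
    "apt": {80, 443},
    "nginx": {80, 443},
    "ntpd": {123},
}

# Constructed outbound-connection records: (process, destination host, destination port).
SAMPLE_CONNECTIONS = [
    ("sshd", "198.51.100.5", 22),
    ("python3", "x.solscan.live", 443),
    ("upd", "pool.invalid", 3333),
    ("apt", "deb.example.org", 80),
    ("nginx", "203.0.113.10", 8080),
    ("curl", "borg.wtf", 80),
]


def matches_ioc(host, iocs=IOC_DOMAINS):
    """True when host equals an IoC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def evaluate(connections, baseline=NETWORK_BASELINE, iocs=IOC_DOMAINS):
    """Return a finding for every connection that matches an IoC or departs from the baseline."""
    findings = []
    for proc, host, port in connections:
        reasons = []
        if matches_ioc(host, iocs):
            reasons.append("destination matches campaign IoC")
        if proc not in baseline:
            reasons.append("process has no network baseline")
        elif port not in baseline[proc]:
            reasons.append(f"port {port} not in baseline for {proc}")
        if reasons:
            findings.append({"process": proc, "host": host, "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_CONNECTIONS):
        print(f"{f['process']} -> {f['host']}:{f['port']}: {', '.join(f['reasons'])}")
```

The IoC match is a suffix match, so the note about hardcoded domain names still applies: when the campaign rotates infrastructure the set has to be refreshed, while the baseline check keeps catching the behaviour regardless of the domain.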

DS0009

Process

Process Creation

Monitor for common cryptomining or proxyware software process names that may indicate compromise and resource usage.

DS0013

Sensor Health

Host Status

Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources.



T1070.004 - File Deletion


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files.

DS0022

File

File Deletion

Monitor for unexpected deletion of files from the system.


T1543.002 - Systemd Service


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system-wide services: systemctl list-units --type=service --all. Auditing the execution and command-line arguments of the 'systemctl' utility, as well as related utilities such as /usr/sbin/service, may reveal malicious systemd service execution.

DS0022

File

File Creation

Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links.



File Modification

Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links.

DS0009

Process

Process Creation

Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.

DS0019

Service

Service Creation

Monitor for newly constructed systemd services that repeatedly execute malicious payloads as part of persistence.



Service Modification

Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables.
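The Service Modification row asks that .service files be read and their executables checked. As an added example (not the page's or ATT&CK's code), the Python below parses the [Service] section of constructed unit files, extracts every Exec*= executable (handling systemd's -, +, !, @ and : prefixes), and flags units that are absent from a baseline, use a relative path, or run from a temporary or home directory. The trusted directory list, the baseline and the sample units are assumptions.

```python
# Directories a service's executable is expected to live in (assumption: a
# package-managed host; add /opt or site-specific install paths as needed).
TRUSTED_EXEC_DIRS = (
    "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
    "/usr/local/bin/", "/usr/local/sbin/", "/bin/", "/sbin/", "/lib/",
)
# Locations a service executable should never be started from.
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Service names recorded in a trusted baseline (assumption).
BASELINE_SERVICES = {"ssh.service", "cron.service", "nginx.service"}

# Constructed unit files keyed by unit name.
SAMPLE_UNITS = {
    "ssh.service": """\
[Unit]
Description=OpenBSD Secure Shell server

[Service]
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
Restart=on-failure
""",
    "system-update.service": """\
[Unit]
Description=System Update

[Service]
ExecStart=/tmp/.x/update.sh
Restart=always
""",
    "agent.service": """\
[Service]
ExecStart=-/home/deploy/.config/bin/agent --daemon
""",
    "nginx.service": """\
[Service]
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
""",
}


def exec_lines(unit_text):
    """Yield (key, executable) for every Exec*= line in the [Service] section."""
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.startswith("Exec") and value:
            # systemd permits -, +, !, @ and : prefixes before the executable path.
            yield key, value.split()[0].lstrip("-+!@:")


def audit_unit(name, unit_text, baseline=BASELINE_SERVICES):
    """Return reason strings for a unit; an empty list means nothing was found."""
    reasons = []
    if name not in baseline:
        reasons.append("service not in baseline")
    for key, exe in exec_lines(unit_text):
        if not exe.startswith("/"):
            reasons.append(f"{key}: relative executable path {exe}")
        elif exe.startswith(VOLATILE_DIRS):
            reasons.append(f"{key}: executable in volatile/user directory {exe}")
        elif not exe.startswith(TRUSTED_EXEC_DIRS):
            reasons.append(f"{key}: executable outside trusted directories {exe}")
    return reasons


def audit_all(units=SAMPLE_UNITS):
    return {name: audit_unit(name, text) for name, text in units.items()}


if __name__ == "__main__":
    for name, reasons in audit_all().items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

On a live host the same functions would be fed the files under the directories the File Creation row lists; a symlink whose target resolves outside the trusted directories is caught by the same path check once the link is resolved.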


T1046 - Network Service Scanning


ID

Data Source

Data Component

Detects

DS0025

Cloud Service

Cloud Service Enumeration

Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.

DS0029

Network Traffic

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. It should be noted that when a host/ port/ service scan is performed from a compromised machine, a single machine makes multiple calls to other hosts in the network to identify live hosts and services.

After compromising an initial machine, adversaries commonly attempt to laterally move across the network. The first step to attempt the Lateral Movement often involves conducting host identification, port and service scans on the internal network via the compromised machine using tools such as Nmap, Cobalt Strike, etc.

Note: when a host/port/service scan is performed from a compromised machine, that single machine makes multiple calls to other hosts in the network to identify live hosts and services. This can be detected using the following query:

Analytic 1 - Identifying Port Scanning Activity

sourcetype='firewall_logs' dest_ip='internal_subnet' | stats dc(dest_port) as pcount by src_ip | where pcount >5
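The query above counts distinct destination ports per source address. As an added example that is not part of the page, the Python below implements that aggregation over constructed firewall log lines, and also adds the horizontal case (one source touching many internal hosts on a single port), which the stats-by-src_ip query as written would not flag. The log layout, the internal subnet and both thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall log lines (assumption: "<time> <src_ip> <dest_ip> <dest_port> <action>").
SAMPLE_LOGS = """\
12:00:01 10.0.0.5 10.0.0.20 22 deny
12:00:01 10.0.0.5 10.0.0.20 80 deny
12:00:02 10.0.0.5 10.0.0.20 443 allow
12:00:02 10.0.0.5 10.0.0.20 445 deny
12:00:03 10.0.0.5 10.0.0.20 3389 deny
12:00:03 10.0.0.5 10.0.0.20 8080 deny
12:00:04 10.0.0.5 10.0.0.20 8443 deny
12:00:05 10.0.0.5 203.0.113.9 443 allow
12:00:06 10.0.0.7 10.0.0.20 22 allow
12:00:07 10.0.0.7 10.0.0.20 443 allow
12:00:08 10.0.0.9 10.0.0.21 445 deny
12:00:08 10.0.0.9 10.0.0.22 445 deny
12:00:09 10.0.0.9 10.0.0.23 445 deny
12:00:09 10.0.0.9 10.0.0.24 445 deny
12:00:10 10.0.0.9 10.0.0.25 445 deny
12:00:10 10.0.0.9 10.0.0.26 445 deny
"""

INTERNAL_SUBNET = ipaddress.ip_network("10.0.0.0/24")  # assumption
PORT_THRESHOLD = 5   # distinct ports per source, as in "where pcount > 5"
HOST_THRESHOLD = 5   # distinct internal hosts per source (added horizontal check)


def parse(lines):
    """Yield (src, dest_ip, dest_port, action) tuples from the sample layout."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        _, src, dst, port, action = line.split()
        yield src, ipaddress.ip_address(dst), int(port), action


def find_scanners(lines, subnet=INTERNAL_SUBNET):
    """Return {src_ip: [reasons]} for sources exceeding either threshold against the subnet."""
    ports_by_src = defaultdict(set)
    hosts_by_src = defaultdict(set)
    for src, dst, port, _ in parse(lines):
        if dst not in subnet:            # dest_ip='internal_subnet'
            continue
        ports_by_src[src].add(port)      # dc(dest_port) by src_ip
        hosts_by_src[src].add(dst)       # dc(dest_ip) by src_ip
    findings = {}
    for src in ports_by_src:
        pcount, hcount = len(ports_by_src[src]), len(hosts_by_src[src])
        if pcount > PORT_THRESHOLD:
            findings.setdefault(src, []).append(f"vertical scan: {pcount} distinct ports")
        if hcount > HOST_THRESHOLD:
            findings.setdefault(src, []).append(f"horizontal scan: {hcount} distinct hosts")
    return findings


if __name__ == "__main__":
    for src, reasons in find_scanners(SAMPLE_LOGS).items():
        print(src, "->", "; ".join(reasons))
```

Traffic to addresses outside the internal subnet is excluded before counting, so ordinary outbound browsing does not inflate a source's port count; the thresholds are deliberately low for the small sample and should be raised against real volumes.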

T1518 - Software Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.

DS0018

Firewall

Firewall Enumeration

Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands).



Firewall Metadata

Monitor for contextual data about a firewall and activity around it, such as name, policy, or status.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.



Process Creation

Monitor newly executed processes that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.


T1105 - Ingress Tool Transfer


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for suspicious activity associated with downloading external content.

DS0022

File

File Creation

Monitor for file creation and files transferred into the network.

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts, or that create files on-system; these may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.



Network Traffic Content

Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domain and IPs.



Network Traffic Flow

Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.



T1021.001 - Remote Desktop Protocol


ID

Data Source

Data Component

Detects

DS0028

Logon Session

Logon Session Creation

Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.

This can be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.

Note: This analytic looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. This is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out.

Analytic 1

source="*WinEventLog:Security" EventCode IN (4624, 4634, 4647, 4778) | search user NOT IN top limit=30



Logon Session Metadata

Monitor authentication logs and analyze for unusual access patterns. A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

Analytic 1

source="WinEventLog:Security" EventCode="4624" AND LogonType="10" AND AuthenticationPackageName="Negotiate" AND TargetUserName="Admin"
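The two Logon Session rows above boil down to two checks on 4624 events: is the RDP session (Logon Type 10) coming from an approved originating system, and is one account reaching several hosts in a short period. The Python below is an added example, not the page's or ATT&CK's code, that runs both checks over constructed Security-log events. The approved source list, the fan-out threshold and window, and the sample events are assumptions; the event fields are those the analytics above use.

```python
from datetime import datetime, timedelta

# Source addresses approved to originate administrative RDP sessions (assumption).
APPROVED_SOURCES = {"10.0.0.50", "10.0.0.51"}
# An account reaching more than MAX_HOSTS distinct hosts within WINDOW is flagged
# (assumption: thresholds sized for a small estate).
MAX_HOSTS, WINDOW = 2, timedelta(minutes=10)

# Constructed Security log 4624 events, reduced to the fields the analytics use.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-15T08:00:00", "Computer": "FS01", "TargetUserName": "itadmin", "LogonType": 10, "IpAddress": "10.0.0.50"},
    {"TimeCreated": "2024-01-15T09:30:00", "Computer": "FS02", "TargetUserName": "itadmin", "LogonType": 10, "IpAddress": "10.0.0.50"},
    {"TimeCreated": "2024-01-15T11:00:00", "Computer": "DC01", "TargetUserName": "itadmin", "LogonType": 10, "IpAddress": "10.0.0.51"},
    {"TimeCreated": "2024-01-15T08:05:00", "Computer": "FS01", "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"},
    {"TimeCreated": "2024-01-15T22:01:00", "Computer": "FS01", "TargetUserName": "svc-backup", "LogonType": 10, "IpAddress": "10.0.0.99"},
    {"TimeCreated": "2024-01-15T22:03:00", "Computer": "FS02", "TargetUserName": "svc-backup", "LogonType": 10, "IpAddress": "10.0.0.99"},
    {"TimeCreated": "2024-01-15T22:06:00", "Computer": "DC01", "TargetUserName": "svc-backup", "LogonType": 10, "IpAddress": "10.0.0.99"},
]


def rdp_logons(events):
    """EventCode 4624 with Logon Type 10 (RemoteInteractive) is an RDP logon."""
    return [e for e in events if e["LogonType"] == 10]


def unapproved_sources(events, approved=APPROVED_SOURCES):
    """RDP logons whose originating address is not an approved workstation."""
    return [e for e in rdp_logons(events) if e["IpAddress"] not in approved]


def fanout(events, max_hosts=MAX_HOSTS, window=WINDOW):
    """Users whose RDP logons reach more than max_hosts distinct hosts inside one window."""
    by_user = {}
    for e in sorted(rdp_logons(events), key=lambda e: e["TimeCreated"]):
        by_user.setdefault(e["TargetUserName"], []).append(
            (datetime.fromisoformat(e["TimeCreated"]), e["Computer"]))
    flagged = {}
    for user, logons in by_user.items():
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for e in unapproved_sources(SAMPLE_EVENTS):
        print("unapproved source:", e["TargetUserName"], e["IpAddress"], "->", e["Computer"])
    for user, hosts in fanout(SAMPLE_EVENTS).items():
        print("fan-out:", user, hosts)
```

The fan-out check slides a window from each logon forward, so three hosts in five minutes is flagged while the same three hosts spread across a working day is not; the approved-source list is the "known/approved originating systems" comparison the row describes.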

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections (typically over port 3389) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.



Network Traffic Flow

Monitor network traffic for uncommon data flows that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP).

The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary’s perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise. Remote Desktop can be detected in several ways:

  • Network connections to port 3389/tcp (assuming use of the default port)

  • Packet capture analysis

  • Detecting network connections from mstsc.exe

  • Execution of the process rdpclip.exe, which runs as the clipboard manager on the RDP target if clipboard sharing is enabled

Analytic 1

source="Zeek:" AND (port="3389") AND LogonType="10"

DS0009

Process

Process Creation

Monitor for newly executed processes (such as mstsc.exe) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions that spawn additional processes as the logged-on user.




Observed Countries (3)

DE (497)
NL (876)
US (930)