URL: https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ua_cryptominer
Submission: On July 15 via api from SK — Scanned from DE
# Crypto Miner User Agent

Detects suspicious user agent strings used by crypto miners in proxy logs.

## Rule Content

```yaml
title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: experimental
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
    - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
    - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth
date: 2019/10/21
logsource:
    category: proxy
    product: null
    service: null
detection:
    selection:
        c-useragent:
            - 'XMRig *'
            - 'ccminer*'
    condition: selection
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Unknown
level: high
```

## Querying Elasticsearch

### Import Libraries

```python
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
```

### Initialize Elasticsearch Client

```python
# HELK's Elasticsearch endpoint as reachable from the helk-jupyter container
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')
```

### Run Elasticsearch Query

```python
# Lucene query_string form of the rule's selection; the space in "XMRig *" is
# backslash-escaped so query_string does not split it into two terms.
s = searchContext.query('query_string', query=r'c-useragent.keyword:(XMRig\ * OR ccminer*)')
response = s.execute()
df = pd.DataFrame()  # stays empty if the query fails, so df.head() below still runs
if response.success():
    # scan() iterates over every hit instead of only the first page returned by execute()
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
```

### Show Results

```python
df.head()
```

Content source: Cyb3rWard0g/HELK
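The rule's selection is two Sigma wildcard values over `c-useragent`, and the notebook sends Elasticsearch a Lucene `query_string` translation of it. The Python below is an added example, not code from the HELK notebook or the Sigma rule: it applies the same selection to a handful of constructed proxy records using Sigma's own matching semantics (`*` matches any run of characters, `?` one character, comparison is case-insensitive), returns only the `fields` the rule lists, and rebuilds the `query_string` the notebook uses. The record layout, IP addresses, URIs and agent strings are constructed for the example and are not captured telemetry. Two caveats the example makes visible: the `.keyword` field the notebook queries is case-sensitive, so the Elasticsearch query will miss a lowercase `xmrig` agent that the Sigma rule itself would match; and `'XMRig *'` requires a space after the name, so an agent string of the form `XMRig/<version> ...` does not match it, which is worth checking against strings captured from the binaries in the rule's references before relying on the pattern.

```python
import re

# Values copied from the rule's selection (Sigma wildcard syntax).
SIGMA_PATTERNS = ["XMRig *", "ccminer*"]
RULE_FIELDS = ("ClientIP", "c-uri", "c-useragent")


def sigma_to_regex(pattern):
    """Translate one Sigma wildcard value into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def to_lucene_query_string(field, patterns):
    """Build the Lucene query_string the notebook sends to Elasticsearch.

    Spaces inside a value are backslash-escaped, otherwise query_string treats
    them as term separators; '*' passes through as a Lucene wildcard. Note that
    matching on a .keyword field is case-sensitive, unlike the Sigma rule.
    """
    escaped = [p.replace(" ", "\\ ") for p in patterns]
    return "%s:(%s)" % (field, " OR ".join(escaped))


def match_proxy_logs(records, patterns=SIGMA_PATTERNS, fields=RULE_FIELDS):
    """Return the rule's output fields for every record whose c-useragent matches."""
    regexes = [sigma_to_regex(p) for p in patterns]
    hits = []
    for rec in records:
        ua = rec.get("c-useragent")
        if ua is None:
            continue  # no agent string at all; a separate rule covers empty UAs
        if any(rx.match(ua) for rx in regexes):
            hits.append({f: rec.get(f) for f in fields})
    return hits


# Constructed sample proxy records (hypothetical hosts and agent strings, not real logs).
SAMPLE_LOGS = [
    {"ClientIP": "10.0.0.5", "c-uri": "http://pool.example/", "c-useragent": "XMRig 2.14.1"},
    {"ClientIP": "10.0.0.6", "c-uri": "http://pool.example/", "c-useragent": "ccminer/2.3.1"},
    # lowercase: matched by the Sigma rule, missed by a case-sensitive .keyword query
    {"ClientIP": "10.0.0.7", "c-uri": "http://pool.example/", "c-useragent": "xmrig 3.0.0"},
    # slash instead of space after the name: not matched by 'XMRig *'
    {"ClientIP": "10.0.0.8", "c-uri": "http://pool.example/",
     "c-useragent": "XMRig/5.0.0 (Windows NT 10.0; Win64; x64)"},
    {"ClientIP": "10.0.0.9", "c-uri": "https://www.example.com/",
     "c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"ClientIP": "10.0.0.10", "c-uri": "https://www.example.com/", "c-useragent": None},
]

if __name__ == "__main__":
    print(to_lucene_query_string("c-useragent.keyword", SIGMA_PATTERNS))
    for hit in match_proxy_logs(SAMPLE_LOGS):
        print(hit)
```

Running the block prints the same `query_string` the notebook uses and three hits (10.0.0.5, 10.0.0.6 and the lowercase 10.0.0.7); the `XMRig/5.0.0` record is not reported. If your captured agent strings use the slash form, adjust the rule's value rather than the query, so the change survives the next `sigmac` conversion.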