Versions (5)
Version DetailsCurrent
Rev: 1 • Jan 4, 2018, 12:00 PMET COINMINER CoinMiner Malicious Authline Seen After CVE-2017-10271 Exploit
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:coin-mining; sid:2025186; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_01_04, cve CVE_2017_10271, deployment Perimeter, deployment Datacenter, malware_family CoinMiner, confidence High, signature_severity Major, tag Coinminer, tag CISA_KEV, updated_at 2019_07_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
Jan 4, 2018, 12:00 PM
Jul 26, 2019, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-coinminer.rules