Back to catalog

Cryptocurrency Mining Process Execution

No violationsstackroxhighruntime

Cryptocurrency mining process spawned

Rationale
Cryptocurrency mining binaries are often evidence of malicious activity or a hijacked cluster.
Remediation
Ensure that the base image used to create the Dockerfile doesn't have cryptocurrency mining software packaged with it. Check for open ports that may allow for remote code execution
CategoriesCryptocurrency Mining
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 10.1
ISO/IEC 27001 2022
A.8.7
NIST SP 800-53 rev. 5
SI-3
PCI DSS 4.0
5.2.1
SOC 2 2017 TSC
CC6.8

Generated artifacts

1 of 5 targets supported
cryptocurrency-mining-process-execution.yaml
- rule: cryptocurrency-mining-process-execution
  desc: Cryptocurrency mining process spawned
  condition: proc.name in (".*sgminer|.*cgminer|.*cpuminer|.*minerd|.*geth|.*ethminer|.*xmr-stak.*|.*xmrminer|.*cpuminer-multi|.*xmrig")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Cryptocurrency Mining Process Execution)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "e9635b83-4ec5-4e7a-9be1-1bcdd6d82bb7",
  "name": "Cryptocurrency Mining Process Execution",
  "description": "Cryptocurrency mining process spawned",
  "rationale": "Cryptocurrency mining binaries are often evidence of malicious activity or a hijacked cluster.",
  "remediation": "Ensure that the base image used to create the Dockerfile doesn't have cryptocurrency mining software packaged with it. Check for open ports that may allow for remote code execution",
  "severity": "high",
  "categories": [
    "Cryptocurrency Mining"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      ".*sgminer|.*cgminer|.*cpuminer|.*minerd|.*geth|.*ethminer|.*xmr-stak.*|.*xmrminer|.*cpuminer-multi|.*xmrig"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "e9635b83-4ec5-4e7a-9be1-1bcdd6d82bb7",
  "name": "Cryptocurrency Mining Process Execution",
  "description": "Cryptocurrency mining process spawned",
  "rationale": "Cryptocurrency mining binaries are often evidence of malicious activity or a hijacked cluster.",
  "remediation": "Ensure that the base image used to create the Dockerfile doesn't have cryptocurrency mining software packaged with it. Check for open ports that may allow for remote code execution",
  "disabled": false,
  "categories": [
    "Cryptocurrency Mining"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": ".*sgminer|.*cgminer|.*cpuminer|.*minerd|.*geth|.*ethminer|.*xmr-stak.*|.*xmrminer|.*cpuminer-multi|.*xmrig"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0040",
      "techniques": [
        "T1496"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}