Cryptocurrency Mining Process Execution
No violationsstackroxhighruntimeCryptocurrency mining process spawned
- Rationale
- Cryptocurrency mining binaries are often evidence of malicious activity or a hijacked cluster.
- Remediation
- Ensure that the base image used to create the Dockerfile doesn't have cryptocurrency mining software packaged with it. Check for open ports that may allow for remote code execution
CategoriesCryptocurrency Mining
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 10.1
- ISO/IEC 27001 2022
- A.8.7
- NIST SP 800-53 rev. 5
- SI-3
- PCI DSS 4.0
- 5.2.1
- SOC 2 2017 TSC
- CC6.8
Generated artifacts
1 of 5 targets supportedcryptocurrency-mining-process-execution.yaml
- rule: cryptocurrency-mining-process-execution
desc: Cryptocurrency mining process spawned
condition: proc.name in (".*sgminer|.*cgminer|.*cpuminer|.*minerd|.*geth|.*ethminer|.*xmr-stak.*|.*xmrminer|.*cpuminer-multi|.*xmrig")
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Cryptocurrency Mining Process Execution)
priority: ERROR
source: syscall
tags:
- stackrox-import
- policy
IR (canonical)
{
"id": "e9635b83-4ec5-4e7a-9be1-1bcdd6d82bb7",
"name": "Cryptocurrency Mining Process Execution",
"description": "Cryptocurrency mining process spawned",
"rationale": "Cryptocurrency mining binaries are often evidence of malicious activity or a hijacked cluster.",
"remediation": "Ensure that the base image used to create the Dockerfile doesn't have cryptocurrency mining software packaged with it. Check for open ports that may allow for remote code execution",
"severity": "high",
"categories": [
"Cryptocurrency Mining"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "process-name",
"values": [
".*sgminer|.*cgminer|.*cpuminer|.*minerd|.*geth|.*ethminer|.*xmr-stak.*|.*xmrminer|.*cpuminer-multi|.*xmrig"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "e9635b83-4ec5-4e7a-9be1-1bcdd6d82bb7",
"name": "Cryptocurrency Mining Process Execution",
"description": "Cryptocurrency mining process spawned",
"rationale": "Cryptocurrency mining binaries are often evidence of malicious activity or a hijacked cluster.",
"remediation": "Ensure that the base image used to create the Dockerfile doesn't have cryptocurrency mining software packaged with it. Check for open ports that may allow for remote code execution",
"disabled": false,
"categories": [
"Cryptocurrency Mining"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Process Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": ".*sgminer|.*cgminer|.*cpuminer|.*minerd|.*geth|.*ethminer|.*xmr-stak.*|.*xmrminer|.*cpuminer-multi|.*xmrig"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0040",
"techniques": [
"T1496"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}