Alerts  /  CPU/GPU Miner Network Traffic

CPU/GPU Miner Network Traffic

Is this alert valuable?

Details

This alert title has been seen 1 times in the last 7 days across Smiths Cogwheels, Inc.

Status:
Status Reason:
None
First Activity:
2024/03/07 00:21:17 UTC (23 days ago)
Last Activity:
2024/03/09 14:29:16 UTC (21 days ago)
Inserted At:
2024/03/07 00:25:05 UTC (23 days ago)
Severity:
Medium (0.5)
Threat Score:
5.0
Tenant:
Smiths Cogwheels, Inc. (96072)
Detector:
Taegis Watchlist
Tactics:
Impact
Techniques:
Resource Hijacking (T1496)
Sensor Types:
Corelight
Confidence:
100%
Source IP Address:
172.16.23.15
Destination IP Address:
172.16.14.100
IP Address:
107.191.99.221
Hostname:
SRA-DC01
Agent/Sensor ID:
sensor_172_16_11_5
Domain:
monerohash.com
Investigations:
This alert has not been added to an investigation.
Occurrence Count:
59
Grouped by (Group Key):
96072:app:event-filter:dnsquery:26911605-7860-4597-985e-f804a67b7055:sensor_172_16_11_5:172.16.23.15:172.16.14.100:monerohash.com:2024-03-07

Affected Agents  (4)

ENDPOINT_TAEGISSRA-DC01
Last Updated:
2024/03/30 09:55:45 UTC
OS Distributor:
OS Family:
WINDOWS
OS Version:
10.0.14393
Tags:
PRA:CRITICAL_NO_RESPONSEROLE:DCTestTag:JP
ENDPOINT_MICROSOFT_ATPsro-ki04.sci.local
Last Updated:
2024/03/30 09:18:11 UTC
OS Distributor:
Microsoft
OS Family:
WINDOWS
OS Version:
WindowsServer2019
Most Recent Address:
172.16.23.15 
ENDPOINT_MICROSOFT_ATPsro-ki01.sci.local
Last Updated:
2023/07/10 22:50:22 UTC
OS Distributor:
Microsoft
OS Family:
WINDOWS
OS Version:
WindowsServer2019
Most Recent Address:
172.16.23.15 
ENDPOINT_REDCLOAKDelve_Win2016_1
Last Updated:
2022/08/18 17:51:50 UTC
OS Distributor:
Microsoft
OS Family:
WINDOWS
OS Version:
VERSION_SERVER_2016
Most Recent Address:
172.16.14.100 
Tags:
TAG_YOUR_IT:PTisolation_test:DomainController:VIP:

Open alerts (0) for Related Entities

Open alerts within past 72 hours from alert creation
NO DATA
Agent/Sensor ID (sensor_172_16_11_5)
0
Destination IP Address (172.16.14.100)
0
Domain (monerohash.com)
0
Hostname (SRA-DC01)
0
IP Address (107.191.99.221)
0
Similar Alert Titles based on Rule ID (26911605-7860-4597-985e-f804a67b7055)
0
Source IP Address (172.16.23.15)
0

Closed alerts (1636) for Related Entities

Closed alerts within past 30 days from alert creation
Not Actionable (19)True Positive Malicious (79)Suppressed (1.5k)
Agent/Sensor ID (sensor_172_16_11_5)
7
26
1.5k
1.6k
Destination IP Address (172.16.14.100)
3
6
9
Domain (monerohash.com)
1
7
8
Hostname (SRA-DC01)
3
6
9
IP Address (107.191.99.221)
5
25
30
Similar Alert Titles based on Rule ID (26911605-7860-4597-985e-f804a67b7055)
1
6
7
Source IP Address (172.16.23.15)
5
9
14

Open or closed investigations (19) for Related Entities

Open or closed investigations within past 30 days
DNS Server (ip_address:172.16.14.100)
5
Domain Name (monerohash.com)
7
IP Addresses (172.16.23.15 +1 more)
7
Alert Description
Counter Threat Unit™
A netflow event associated with the open source CPU/GPU miner XMRig was identified. This activity may indicate that the host has been compromised.

External References

No external references for this alert.

First Event Details

We are showing the First Event Details out of 60 events. If you want to see more, please go to Events tab.

DNS
Event Time:
2024/03/07 00:21:17 UTC · 23 days ago
Ingest Time:
2024/03/07 00:24:53 UTC · 23 days ago
Query Name:
monerohash.com
Query Class:
IN: Internet
Query Type:
A: Address record RFC-1035
Responses:
107.191.99.221
Sensor ID:
sensor_172_16_11_5
Tenant:
(96072)

WHOIS (1)

Domain Name:
monerohash.com
Admin Name:
WhoisAgent