""ET POLICY W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Connection""

SID: 2017878

Revision: 3

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, signature_severity Major, tag Coinminer, updated_at 2013_12_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking

Reference:

• Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: any

Flow: established,to_server

Contents:

• Value: "{|22|id|22 3A|" Depth: 6

• Value: "|22|method|22 3A| |22|getblocktemplate|22|"

Within: 40

PCRE:

Special Options:

source