T1204.003 CrowdStrike LogScale · LogScale

Detect Malicious Image in CrowdStrike LogScale

Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services AMIs, Google Cloud Platform Images, Azure Images, and container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to public repositories, and users may download and deploy an instance or container without realizing the image is malicious. This technique is commonly used to deploy cryptocurrency miners, backdoors, and data exfiltration tools. TeamTNT is a prominent threat actor known for publishing malicious Docker images to Docker Hub containing XMRig cryptocurrency miners and credential stealers. Adversaries may also typosquat popular image names to increase the likelihood of accidental deployment.

MITRE ATT&CK

Tactic
Execution
Technique
T1204 User Execution
Sub-technique
T1204.003 Malicious Image
Canonical reference
https://attack.mitre.org/techniques/T1204/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// Branch 1: Cryptocurrency miner process execution
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(xmrig|xmrig-notls|minerd|cpuminer|cryptonight|nbminer|t-rex|lolminer|ethminer|cgminer|bfgminer|claymore|phoenixminer|teamtntbot)/
  OR CommandLine = /(?i)(stratum\+tcp:\/\/|stratum\+ssl:\/\/|--donate-level|-o pool\.|xmrpool|supportxmr|minexmr|moneroocean|hashvault|nanopool)/
| eval DetectionBranch = "MinerProcessExecution"
| eval AlertSeverity = "High"
| table _timeevent, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionBranch, AlertSeverity

union

// Branch 2: Mining pool network connections
#event_simpleName=NetworkConnectIP4
| RemotePort in [3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999]
| NOT RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| NOT ImageFileName = /(?i)(chrome|firefox|msedge|brave|opera|iexplore)\.exe$/
| eval DetectionBranch = "MiningPoolNetworkConnection"
| eval AlertSeverity = "High"
| table _timeevent, ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort, LocalAddressIP4, DetectionBranch, AlertSeverity

union

// Branch 3: DNS requests to mining pool domains
#event_simpleName=DnsRequest
| DomainName = /(?i)(minexmr\.com|supportxmr\.com|nanopool\.org|f2pool\.com|antpool\.com|pool\.minergate\.com|xmrpool\.eu|hashvault\.pro|moneroocean\.stream|xmr\.pool)/
| eval DetectionBranch = "MiningPoolDNSLookup"
| eval AlertSeverity = "High"
| table _timeevent, ComputerName, UserName, DomainName, RequestType, ContextBaseFileName, DetectionBranch, AlertSeverity

| sort field=_timeevent order=desc
| limit 500
high severity high confidence

CrowdStrike LogScale CQL detection for T1204.003 using three branches against Falcon telemetry: ProcessRollup2 events matching known cryptocurrency miner binary names or mining pool stratum protocol arguments, NetworkConnectIP4 events to known mining pool destination ports from non-browser processes with non-RFC1918 destinations, and DnsRequest events resolving known mining pool domain names. Leverages native Falcon event types for high-fidelity host-based telemetry.

Data Sources

CrowdStrike Falcon Endpoint ProtectionFalcon ProcessRollup2 eventsFalcon NetworkConnectIP4 eventsFalcon DnsRequest eventsFalcon Event Stream (real-time)

Required Tables

#event_simpleName=ProcessRollup2#event_simpleName=NetworkConnectIP4#event_simpleName=DnsRequest

False Positives & Tuning

  • Authorized cryptocurrency mining nodes managed by the IT or finance team on dedicated hosts, which will generate both ProcessRollup2 miner process events and repeated NetworkConnectIP4 connections to pool addresses
  • Threat intelligence or malware analysis workstations running miner samples in isolated environments for research, triggering process and network detections without actual compromise
  • Container orchestration platforms (Kubernetes, Docker Swarm) deploying legitimate workloads on ports that overlap with known mining pool ports, particularly port 4444 used by some development and monitoring tools
Download portable Sigma rule (.yml)

Other platforms for T1204.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Docker Container Executing Cryptocurrency Miner Process Name

    Expected signal: Linux syslog or auditd process creation event showing process name 'xmrig' spawned under dockerd/containerd parent process. If Sysmon for Linux is deployed, EventCode=1 with Image containing 'xmrig' and ParentImage containing 'containerd-shim' or 'runc'. Docker daemon logs show container start/stop events.

  2. Test 2Simulate Mining Pool Network Connection Attempt

    Expected signal: If Sysmon for Linux is deployed: EventCode=3 network connection event with Image=curl, DestinationPort=3333, DestinationHostname=pool.minexmr.com. DNS query EventCode=22 for pool.minexmr.com. On Windows equivalent: 'Test-NetConnection -ComputerName pool.minexmr.com -Port 3333' generates Sysmon EventCode=3.

  3. Test 3Pull and Inspect Publicly Known Malicious-Style Docker Image Name

    Expected signal: Docker daemon log entry for image pull. Process creation event for 'wget' process spawned from container runtime (dockerd/containerd parent). Network connection attempt to 127.0.0.1:3333 generating Sysmon EventCode=3 or auditd network event. 'docker history' output shows image layer commands.

  4. Test 4AWS EC2 Instance Launch from Public Community AMI

    Expected signal: AWS CloudTrail RunInstances event with eventName=RunInstances, requestParameters.instancesSet.items[0].imageId containing the public AMI ID, userIdentity fields showing the executing principal, awsRegion=us-east-1. Followed by StopInstances event.

  5. Test 5Container Environment Variable Credential Exposure Simulation

    Expected signal: Process creation event with container spawning wget/curl with credential parameters visible in command line. Network connection attempt to exfil endpoint. Container inspect shows AWS_* environment variables in container configuration. Linux syslog shows process execution under dockerd parent.

Last updated: 2026-04-19 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1204.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1204User Execution

Related Sub-techniques

T1204.001Malicious LinkT1204.002Malicious FileT1204.004Malicious Copy and PasteT1204.005Malicious Library

Related Techniques

T1204User ExecutionT1204.001Malicious LinkT1204.002Malicious FileT1608.001Upload MalwareT1036.005Match Legitimate Resource Name or LocationT1525Implant Internal ImageT1610Deploy ContainerT1496Resource HijackingT1552.007Container API

Same Tactic: Execution

Popular Detections