Hello friends,
As a security administrator in my organization I can see a rising trend of JSCoinminer events.
These events are users surfing to a web page which is infected with a malicious script.
Unfortunately you will not know about this at all, as the default configuration in the SEPM is to ALLOW with NO LOG.
This is the event:
15/02/2018 12:42:20 | Browser Protection | DOM | CEO | CEO | Other | Not applicable | [SID: 30358] Web Attack: JSCoinminer Download 8 attack blocked. Traffic has been blocked for this application: C:\Program Files\Internet Explorer\iexplore.exe |
You need to go to your IPS policy --> Windows Settings --> Exceptions --> ADD
If you filter for action Allow you will see many interesting signatures. I really recommend checking them out by enabling LOGGING to see if you have such traffic. You can see 3 JSCoinminer options.
Plus, you can detect TOR, IRC, P2P, PsExec traffic and many more, which I block inside my network using these options.
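As an added example (this is not code from the post or from Symantec): a small Python parser for the pipe-delimited IPS event line quoted above, run over a constructed log export, that keeps only JSCoinminer signatures and counts hits per host, user and browser process. It assumes the 4th and 5th columns are the computer name and the logged-on user (both read "CEO" in the post, so that is a guess), and every line except the first is a constructed placeholder, including the "Example Unrelated Signature" with SID 0, which is not a real Symantec signature.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a SEPM IPS log export. The first line is the event quoted in the
# post; the remaining lines are constructed for illustration (hosts, users, paths and the
# "Example Unrelated Signature" with SID 0 are placeholders, not real Symantec data).
SAMPLE_LOG = r"""
15/02/2018 12:42:20 | Browser Protection | DOM | CEO | CEO | Other | Not applicable | [SID: 30358] Web Attack: JSCoinminer Download 8 attack blocked. Traffic has been blocked for this application: C:\Program Files\Internet Explorer\iexplore.exe |
15/02/2018 13:05:41 | Browser Protection | DOM | FINANCE01 | jsmith | Other | Not applicable | [SID: 30358] Web Attack: JSCoinminer Download 8 attack blocked. Traffic has been blocked for this application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
15/02/2018 13:07:02 | Browser Protection | DOM | FINANCE01 | jsmith | Other | Not applicable | [SID: 30358] Web Attack: JSCoinminer Download 8 attack blocked. Traffic has been blocked for this application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
15/02/2018 14:11:19 | Browser Protection | DOM | HR02 | mlee | Other | Not applicable | [SID: 0] Web Attack: Example Unrelated Signature attack blocked. Traffic has been blocked for this application: C:\Program Files\Internet Explorer\iexplore.exe |
"""

# Message column layout as seen in the post:
#   "[SID: n] <signature> attack <action>. Traffic has been blocked for this application: <path>"
# The trailing application clause is treated as optional so other IPS messages still parse.
MESSAGE_RE = re.compile(
    r"\[SID:\s*(?P<sid>\d+)\]\s*(?P<signature>.+?)\s+attack\s+(?P<action>\w+)\."
    r"(?:.*?for this application:\s*(?P<process>.+?))?\s*$"
)


@dataclass
class IpsEvent:
    timestamp: str
    host: str            # assumption: 4th column is the computer name
    user: str            # assumption: 5th column is the logged-on user
    sid: int
    signature: str
    action: str
    process: Optional[str]


def parse_event(line: str) -> Optional[IpsEvent]:
    """Parse one pipe-delimited SEPM IPS export line; return None for lines that do not fit."""
    fields = [f.strip() for f in line.strip().strip("|").split("|")]
    if len(fields) < 8:
        return None
    m = MESSAGE_RE.search(fields[7])
    if not m:
        return None
    return IpsEvent(
        timestamp=fields[0],
        host=fields[3],
        user=fields[4],
        sid=int(m["sid"]),
        signature=m["signature"],
        action=m["action"],
        process=m["process"],
    )


def parse_log(text: str) -> List[IpsEvent]:
    """Parse a whole export, silently skipping blank or unparseable lines."""
    parsed = (parse_event(line) for line in text.splitlines() if line.strip())
    return [e for e in parsed if e is not None]


def coinminer_events(events: List[IpsEvent]) -> List[IpsEvent]:
    """Keep only events whose signature name is a JSCoinminer detection."""
    return [e for e in events if "JSCoinminer" in e.signature]


def top_offenders(events: List[IpsEvent]) -> Counter:
    """Count detections per (host, user, browser process) to see who keeps hitting miner pages."""
    return Counter((e.host, e.user, e.process) for e in events)


if __name__ == "__main__":
    hits = coinminer_events(parse_log(SAMPLE_LOG))
    for (host, user, proc), n in top_offenders(hits).most_common():
        print(f"{n:3d}  {host}/{user}  {proc}")
```

This only helps once LOGGING is enabled for the signatures in the IPS exceptions, as the post describes; with the default ALLOW and NO LOG there is nothing in the export to parse.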