
Design and Development of Multi-Pattern Matching Rules for Detecting Cryptocurrency Mining in Packet Inspection

Pang-Wei Tsai

Abstract


In recent years, cryptocurrency built on blockchain technology has become increasingly popular in both the information technology and financial industries. Participants (known as miners) who provide resources to support hash computing (known as mining) receive cryptocurrency rewards, which attracts many people to join the mining process. Because cryptocurrency rewards can be exchanged for legal money, people with bad intentions are interested in using improper means to obtain computing resources for mining, such as using malware to make hacked equipment install miner software, or using drive-by download attacks to acquire computing resources from web clients. This research studies Monero, a cryptocurrency often selected by malware, investigates the communication process between miner and mining pool, and extracts packets to obtain signatures for developing detection rules with corresponding patterns. The experimental results show that the applied rules are able to detect suspicious network activity related to Monero mining. The rules implemented in this paper aim to help network administrators investigate whether equipment has been infected by Monero mining malware.
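
The multi-pattern idea summarized above, as an added illustration that is not code or rules from the paper: a rule fires only when all of its patterns occur in one message, and a flow is rated by which rules it triggers. The rule names, the field names (taken from the Stratum-style JSON-RPC that common Monero miners speak, an assumption here) and the sample payloads are constructed for this example.

```python
import re

def _field(name, value=None):
    """Pattern for a JSON key, optionally with an exact string value."""
    tail = rb'\s*:\s*"' + re.escape(value) + rb'"' if value else rb'\s*:'
    return re.compile(rb'"' + re.escape(name) + rb'"' + tail)

# Hypothetical rule set: every pattern of a rule must match the same message.
RULES = {
    "xmr-login":  [_field(b"method", b"login"), _field(b"login"), _field(b"pass")],
    "xmr-job":    [_field(b"blob"), _field(b"job_id"), _field(b"target")],
    "xmr-submit": [_field(b"method", b"submit"), _field(b"job_id"),
                   _field(b"nonce"), _field(b"result")],
}

def match_payload(payload: bytes) -> list[str]:
    """Return the rules whose patterns all match within a single message."""
    hits = []
    for line in payload.splitlines():  # messages are newline-delimited JSON
        for name, patterns in RULES.items():
            if name not in hits and all(p.search(line) for p in patterns):
                hits.append(name)
    return hits

def classify_flow(payloads) -> str:
    """Rate a cleartext TCP flow by the combination of rules it triggers."""
    seen = {name for p in payloads for name in match_payload(p)}
    if "xmr-login" in seen and seen & {"xmr-job", "xmr-submit"}:
        return "mining"
    return "suspicious" if seen else "clean"

# Constructed sample traffic (placeholder wallet, made-up job data).
SAMPLE_FLOW = [
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
    b'{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"miner/0.0"}}\n',
    b'{"jsonrpc":"2.0","method":"job","params":'
    b'{"blob":"0707aa","job_id":"42","target":"b88d0600"}}\n',
    b'{"id":2,"jsonrpc":"2.0","method":"submit","params":'
    b'{"id":"s1","job_id":"42","nonce":"1a2b3c4d","result":"00ff"}}\n',
]
# A web login form shares two keys with the login rule but not the method.
BENIGN_FLOW = [b'POST /api/login HTTP/1.1\r\n\r\n{"login": "alice", "pass": "hunter2"}']

if __name__ == "__main__":
    print(classify_flow(SAMPLE_FLOW), classify_flow(BENIGN_FLOW))
```

Payload matching of this kind only sees cleartext sessions; a miner that connects to its pool over TLS has to be found by other means.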


Citation Format:
Pang-Wei Tsai, "Design and Development of Multi-Pattern Matching Rules for Detecting Cryptocurrency Mining in Packet Inspection," Communications of the CCISA, vol. 27, no. 1, pp. 41-51, Feb. 2021.

Published by Chinese Cryptology and Information Security Association (CCISA), Taiwan, R.O.C
CCCISA Editorial Office, No.1, Sec. 1, Shennong Rd., Yilan City, Yilan County 260, Taiwan (R.O.C.)
E-mail: ccisa.editor@gmail.com