The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency-mining (cryptojacking) activity by matching known indicators associated with the XMRig miner. XMRig is an open-source Monero miner that is routinely bundled into malware and dropped on compromised hosts, where it quietly consumes CPU and GPU time and phones home to a mining pool or C2; the IOCs below are the specific payload hashes and network endpoints reported to ThreatFox as malicious, not the miner project's own release builds. SOC teams should hunt for these IOCs in Azure Sentinel, because a match usually means the host was already compromised by some other means and the miner is just the payload that was left behind.
IOC Summary

- Malware Family: XMRIG
- Total IOCs: 4
- IOC Types: ip:port, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | e20b8e1d8337cec11d40db7580f42460abbc2b60ce0938bf2c746a32e0747421 | payload | 2026-05-29 | 90% |
| sha256_hash | a437ad7a5250390bce355a1957a3584a68df7efc3006e2f2bcf052845bc32ae8 | payload | 2026-05-29 | 90% |
| ip:port | 91[.]84[.]118[.]236:443 | botnet_cc | 2026-05-29 | 85% |
| ip:port | 82[.]156[.]212[.]174:22 | payload_delivery | 2026-05-29 | 90% |
```kql
// Hunt for network connections to known malicious IPs (firewall / proxy logs)
// Source: ThreatFox - XMRIG
// The IPs below are the refanged values from the table above; the ThreatFox ports (443 and 22)
// are deliberately not required so that traffic to the same C2 on another port still surfaces.
// Add `and DestinationPort in (443, 22)` if the match volume is noisy.
let malicious_ips = dynamic(["91.84.118.236", "82.156.212.174"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
// InitiatingProcessFileName is the pivot: a miner usually masquerades as a system daemon,
// so an unfamiliar process name reaching these IPs is the strongest signal in this result set.
let malicious_ips = dynamic(["91.84.118.236", "82.156.212.174"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - XMRIG
// Only the SHA256 column is compared: the feed carries SHA-256 values only, so matching them
// against the SHA1 and MD5 columns can never hit. `in` is case-sensitive; both the IOCs and
// the DeviceFileEvents.SHA256 column are lower-case hex, so they line up as written.
let malicious_hashes = dynamic(["e20b8e1d8337cec11d40db7580f42460abbc2b60ce0938bf2c746a32e0747421", "a437ad7a5250390bce355a1957a3584a68df7efc3006e2f2bcf052845bc32ae8"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
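The queries above assume the IOCs have already been refanged and that any port is acceptable. The following Python script is an added example (not part of the ThreatFox feed or of Sentinel) that shows the same hunt logic offline: it refangs the ThreatFox rows exactly as they appear in the table, validates the hashes, emits the `dynamic([...])` literals for the `let` statements, and matches the indicators against constructed sample rows in DeviceNetworkEvents / DeviceFileEvents shape (host names and process names are hypothetical). It also shows the port-qualified variant of the IP match that the KQL above omits.

```python
"""Offline re-implementation of the hunt logic above: refang the ThreatFox IOCs,
then match them against sample network and file events. Example code, not part
of the ThreatFox feed or Sentinel; event rows are constructed for illustration."""
import re

# IOC rows copied from the table above, still defanged exactly as ThreatFox publishes them.
RAW_IOCS = [
    ("sha256_hash", "e20b8e1d8337cec11d40db7580f42460abbc2b60ce0938bf2c746a32e0747421", "payload"),
    ("sha256_hash", "a437ad7a5250390bce355a1957a3584a68df7efc3006e2f2bcf052845bc32ae8", "payload"),
    ("ip:port", "91[.]84[.]118[.]236:443", "botnet_cc"),
    ("ip:port", "82[.]156[.]212[.]174:22", "payload_delivery"),
]

# Constructed sample rows in DeviceNetworkEvents / DeviceFileEvents shape (hypothetical hosts).
NETWORK_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "91.84.118.236", "RemotePort": 443, "InitiatingProcessFileName": "kthreadd"},
    {"DeviceName": "ws02", "RemoteIP": "91.84.118.236", "RemotePort": 80, "InitiatingProcessFileName": "curl"},
    {"DeviceName": "build01", "RemoteIP": "82.156.212.174", "RemotePort": 22, "InitiatingProcessFileName": "ssh"},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
]
FILE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "kthreadd", "FolderPath": "/tmp/.x/",
     "SHA256": "E20B8E1D8337CEC11D40DB7580F42460ABBC2B60CE0938BF2C746A32E0747421"},  # upper-case on purpose
    {"DeviceName": "ws03", "FileName": "notepad.exe", "FolderPath": "C:\\Windows\\",
     "SHA256": "0" * 64},
]


def refang(value):
    """Undo the defanging ThreatFox applies ("[.]", "hxxp") so the value matches real log fields."""
    return value.replace("[.]", ".").replace("hxxp://", "http://").replace("hxxps://", "https://")


def parse_iocs(raw):
    """Return (ip_ports, hashes): ip -> set of reported ports, and a set of lower-case SHA-256 digests."""
    ip_ports, hashes = {}, set()
    for ioc_type, value, _threat_type in raw:
        if ioc_type == "ip:port":
            ip, port = refang(value).rsplit(":", 1)
            ip_ports.setdefault(ip, set()).add(int(port))
        elif ioc_type == "sha256_hash":
            digest = value.strip().lower()
            if not re.fullmatch(r"[0-9a-f]{64}", digest):
                raise ValueError(f"not a SHA-256 hex digest: {value!r}")
            hashes.add(digest)
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return ip_ports, hashes


def kql_dynamic(values):
    """Render a list as a KQL dynamic([...]) literal for pasting into a `let` statement."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"


def match_network(events, ip_ports, require_port=True):
    """Events whose RemoteIP is an IOC. With require_port=True the RemotePort must be the
    port ThreatFox reported, which suppresses unrelated traffic to a shared address; with
    require_port=False any port matches, like the DeviceNetworkEvents query above."""
    hits = []
    for ev in events:
        ports = ip_ports.get(ev["RemoteIP"])
        if ports is None or (require_port and ev["RemotePort"] not in ports):
            continue
        hits.append(ev)
    return hits


def match_files(events, hashes):
    """Case-insensitive SHA-256 match; only SHA-256 is consulted because the feed carries no other hash type."""
    return [ev for ev in events if (ev.get("SHA256") or "").lower() in hashes]


if __name__ == "__main__":
    ip_ports, hashes = parse_iocs(RAW_IOCS)
    print("let malicious_ips =", kql_dynamic(sorted(ip_ports)) + ";")
    print("let malicious_hashes =", kql_dynamic(sorted(hashes)) + ";")
    for ev in match_network(NETWORK_EVENTS, ip_ports):
        print("network hit:", ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"], ev["InitiatingProcessFileName"])
    for ev in match_files(FILE_EVENTS, hashes):
        print("file hit:", ev["DeviceName"], ev["FolderPath"] + ev["FileName"])
```

With the constructed rows, the strict (port-qualified) match returns ws01 and build01 while ws02, which reached the C2 address on port 80, only appears when `require_port=False`; whether that extra row is noise or a second channel is an analyst call, which is why the KQL above leaves the port unconstrained by default.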
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate XMRIG Mining Setup
Description: A system administrator is running XMRig as part of an authorized cryptocurrency mining operation.
Filter/Exclusion: The hash IOCs in this rule identify specific payloads reported as malicious, so an authorized deployment built from the upstream project should rarely match them. If one does, allowlist the exact host and the SHA256 the mining team has verified. Do not exclude on the presence of a config.json or on a user name such as mining_user: attackers drop the same config file and can create any account name.
Scenario: Scheduled System Maintenance Job
Description: A cron job or systemd timer reaches one of the listed IP addresses for a documented, unrelated reason (for example, the address was reassigned to a host the organization legitimately talks to).
Filter/Exclusion: Confirm the destination against change records or the CMDB before excluding it, and scope the exclusion to that one host and destination. Never exclude on the root or systemd user: miners are routinely installed under root after privilege escalation and persisted through cron or systemd units, so those are the executions most worth seeing.
Scenario: Security Tool Integration
Description: A sandbox, malware analysis host or threat intelligence platform legitimately downloads or stores samples with these hashes, or a vulnerability scanner probes the listed IP addresses.
Filter/Exclusion: Exclude the designated analysis hosts and scanner sources by DeviceName or source IP, not by file path or directory: a path such as /opt/ossec/ is attacker-writable and proves nothing about who placed the file. Note that OSSEC and Tripwire themselves never invoke xmrig; any xmrig process on a host running them is as suspicious as on any other host.
Scenario: DevOps Pipeline Artifact
Description: A CI/CD runner (e.g., Jenkins, GitLab CI) is a frequent cryptojacking target, so a match on a runner is more often a compromise than a false positive. The one legitimate case is a pipeline that fetches these specific samples to test detection content.
Filter/Exclusion: Scope any exclusion to the specific runner and the job that is documented to handle the samples. Do not blanket-exclude /var/lib/jenkins/ or /opt/gitlab/, since a miner dropped by a compromised build job will run from exactly those paths.
Scenario: System Monitoring Tool with Custom Scripts
Description: Monitoring tools like Nagios or Zabbix do not use xmrig themselves. The only legitimate overlap is a custom check script on an authorized mining rig that polls the miner's local HTTP API for hash-rate statistics, which would surface the miner process rather than the IOCs in this rule.
Filter/Exclusion: Allowlist the specific rig hostnames and the check script path. Do not exclude on the monitoring agent's name or install directory, since both are visible to and reusable by an attacker.