The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary
- Malware Family: XMRIG
- Total IOCs: 9
- IOC Types: ip:port, domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 107[.]189[.]27[.]179:22 | payload_delivery | 2026-06-01 | 80% |
| ip:port | 178[.]128[.]51[.]84:22 | payload_delivery | 2026-06-01 | 80% |
| ip:port | 179[.]43[.]133[.]154:22 | payload_delivery | 2026-06-01 | 80% |
| ip:port | 117[.]50[.]81[.]36:6379 | payload_delivery | 2026-06-01 | 80% |
| ip:port | 200[.]4[.]115[.]1:80 | botnet_cc | 2026-06-01 | 80% |
| url | hxxp://200[.]4[.]115[.]1/promocioni3.php | payload_delivery | 2026-06-01 | 80% |
| url | hxxps://s.littleshabby.net/payloads/indexi.png | payload_delivery | 2026-06-01 | 80% |
| domain | s.littleshabby.net | payload_delivery | 2026-06-01 | 80% |
| ip:port | 165[.]154[.]104[.]88:5432 | botnet_cc | 2026-06-01 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
// Note: ThreatFox lists these as ip:port; this query matches on address only,
// so compare DestinationPort with the port in the IOC table before escalating.
let malicious_ips = dynamic(["200.4.115.1", "117.50.81.36", "165.154.104.88", "107.189.27.179", "178.128.51.84", "179.43.133.154"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["200.4.115.1", "117.50.81.36", "165.154.104.88", "107.189.27.179", "178.128.51.84", "179.43.133.154"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XMRIG
let malicious_domains = dynamic(["s.littleshabby.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - XMRIG
let malicious_urls = dynamic(["http://200.4.115.1/promocioni3.php", "https://s.littleshabby.net/payloads/indexi.png"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
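The IOC table above is defanged (`[.]`, `hxxp`) while the `let` lists in the queries need live values, and the queries drop the port that ThreatFox attaches to each ip:port indicator. The following added Python example (not part of the original rule page) parses rows in the table's layout, refangs them, renders the KQL `let` statements, and keeps the port so a connection can be graded as an exact ip:port hit or an address-only hit; the `IOC_TABLE` sample is a constructed copy of a few rows from the table above.

```python
import re

# Constructed sample: a few rows copied from the IOC table above, as ThreatFox
# publishes them (defanged with [.] and hxxp). Any table in that layout works.
IOC_TABLE = """\
| ip:port | 107[.]189[.]27[.]179:22 | payload_delivery | 2026-06-01 | 80% |
| ip:port | 200[.]4[.]115[.]1:80 | botnet_cc | 2026-06-01 | 80% |
| url | hxxp://200[.]4[.]115[.]1/promocioni3.php | payload_delivery | 2026-06-01 | 80% |
| url | hxxps://s.littleshabby.net/payloads/indexi.png | payload_delivery | 2026-06-01 | 80% |
| domain | s.littleshabby.net | payload_delivery | 2026-06-01 | 80% |
"""


def refang(value: str) -> str:
    """Undo ThreatFox defanging so the value matches what appears in logs."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def parse_iocs(table: str) -> dict:
    """Group refanged IOCs by type; ip:port rows keep the port as an int."""
    iocs = {"ip_port": [], "domain": [], "url": []}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5 or cells[0] == "Type" or cells[0].startswith("---"):
            continue  # skip header, separator and blank lines
        ioc_type, value = cells[0], refang(cells[1])
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            iocs["ip_port"].append((ip, int(port)))
        elif ioc_type in iocs:
            iocs[ioc_type].append(value)
    return iocs


def kql_let(name: str, values) -> str:
    """Render a KQL `let` statement like the ones in the hunting queries above."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def match_connection(dest_ip: str, dest_port: int, iocs: dict):
    """'ip:port' on an exact IOC hit, 'ip' if only the address matches, else None."""
    hits = [p for ip, p in iocs["ip_port"] if ip == dest_ip]
    if not hits:
        return None
    return "ip:port" if dest_port in hits else "ip"


if __name__ == "__main__":
    parsed = parse_iocs(IOC_TABLE)
    print(kql_let("malicious_ips", sorted({ip for ip, _ in parsed["ip_port"]})))
    print(kql_let("malicious_domains", parsed["domain"]))
    print(kql_let("malicious_urls", parsed["url"]))
```

An address-only hit still deserves a look, but an exact ip:port hit is the stronger signal to triage first.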

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate XMRIG Mining Software Installation
Description: A system administrator installs the XMRIG mining software as part of a legitimate cryptocurrency mining operation authorized by the organization.
Filter/Exclusion: Exclude processes or files associated with known XMRIG versions (e.g., xmrig-3.19.0), or filter by user account (e.g., root or mining), or check for presence of a legitimate license or configuration file.
Scenario: Scheduled System Maintenance Job
Description: A scheduled job runs a script that uses find or grep commands to search for files or processes, which may match XMRIG IOCs due to similar command-line syntax.
Filter/Exclusion: Exclude processes initiated by cron jobs or task schedulers (e.g., crond, task scheduler), or filter by command-line arguments that do not match known malicious patterns.
Scenario: Admin Task Involving File Scanning
Description: A security admin uses a tool like ClamAV or Sophos to scan the system for malware, and the scan results include false positives matching XMRIG IOCs.
Filter/Exclusion: Exclude files flagged by known antivirus tools, or filter by file type (e.g., .exe, .dll, .so) and check for presence of legitimate signatures.
Scenario: Log Analysis Tool Generating Alerts
Description: A log analysis tool like ELK Stack or Splunk processes logs and generates alerts that match XMRIG IOCs due to similar string patterns in log entries.
Filter/Exclusion: Exclude log entries from known log sources (e.g., syslog, auth.log), or filter by log severity levels (e.g., info, debug) and verify against known