The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by matching network connections against known malicious ip:port artifacts associated with the XMRIG miner. SOC teams should proactively hunt for this activity in Microsoft Sentinel (formerly Azure Sentinel) to identify and stop unauthorized mining, which drains CPU and GPU resources and, since the miner is usually dropped by a prior compromise, signals that the host is already under attacker control. Because the IOCs are ip:port pairs, a connection to the listed IP on a different port is a weaker signal than an exact ip:port hit and should be triaged with lower confidence.
IOC Summary
Malware Family: XMRIG
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 185[.]214[.]96[.]111:2375 | payload_delivery | 2026-06-21 | 80% |
| ip:port | 45[.]153[.]34[.]212:8181 | botnet_cc | 2026-06-21 | 80% |
| ip:port | 193[.]32[.]126[.]167:5432 | payload_delivery | 2026-06-21 | 80% |
```kusto
// Hunt for network connections to known malicious IP:port pairs in firewall/proxy logs
// Source: ThreatFox - XMRIG
let iocs = datatable(DestinationIP:string, ioc_port:int) [
    "185.214.96.111", 2375,
    "45.153.34.212", 8181,
    "193.32.126.167", 5432
];
let malicious_ips = toscalar(iocs | summarize make_list(DestinationIP));
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// leftouter keeps SourceIP hits (inbound from the IOC) and IP-only hits; PortMatch separates exact ip:port hits
| join kind=leftouter iocs on DestinationIP
| extend PortMatch = DestinationPort == ioc_port
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events, keeping the initiating process for triage
// Source: ThreatFox - XMRIG
let iocs = datatable(RemoteIP:string, ioc_port:int) [
    "185.214.96.111", 2375,
    "45.153.34.212", 8181,
    "193.32.126.167", 5432
];
DeviceNetworkEvents
| join kind=inner iocs on RemoteIP
| extend PortMatch = RemotePort == ioc_port
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector (firewall, proxy, NDR); ensure it is enabled and that the devices that see egress traffic are forwarding |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector (Defender for Endpoint); ensure it is enabled |
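The queries above are run inside Sentinel, so they cannot be exercised offline. The following added example (written for this page, not code from ThreatFox or Microsoft) shows the same matching logic end to end in Python: it refangs the defanged `ip[.]port` strings exactly as ThreatFox publishes them, emits the KQL `datatable` literal used in the hunts, and runs the hunt over a handful of constructed network events, separating exact ip:port hits from IP-only hits and dropping events from an allowlisted host (the sanctioned-miner exclusion discussed in the false-positive scenarios). The event records, device names and process names are constructed for illustration and are not real telemetry.

```python
import re
from dataclasses import dataclass

# The three IOCs from the table above, in ThreatFox's defanged ip:port form.
RAW_IOCS = [
    "185[.]214[.]96[.]111:2375",
    "45[.]153[.]34[.]212:8181",
    "193[.]32[.]126[.]167:5432",
]

DEFANGED_IP_PORT = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")


def refang(ioc: str) -> tuple[str, int]:
    """Turn '185[.]214[.]96[.]111:2375' into ('185.214.96.111', 2375).

    Anything that is not a defanged IPv4:port string is rejected, so a feed entry of
    another IOC type (domain, url, sha256) cannot silently become an empty match.
    """
    m = DEFANGED_IP_PORT.match(ioc.strip())
    if not m:
        raise ValueError(f"not a defanged ip:port IOC: {ioc!r}")
    ip, port = m.group(1).replace("[.]", "."), int(m.group(2))
    if any(int(octet) > 255 for octet in ip.split(".")) or not 1 <= port <= 65535:
        raise ValueError(f"out-of-range ip or port: {ioc!r}")
    return ip, port


def kql_datatable(iocs: list[str], name: str = "iocs") -> str:
    """Emit the KQL 'let' datatable of ip:port pairs that the hunt queries above consume."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in map(refang, iocs))
    return f"let {name} = datatable(RemoteIP:string, ioc_port:int) [\n{rows}\n];"


@dataclass(frozen=True)
class NetEvent:
    """Minimal stand-in for a DeviceNetworkEvents row (constructed for this example)."""
    timestamp: str
    device: str
    remote_ip: str
    remote_port: int
    process: str


def hunt(events, iocs, allowlisted_devices=frozenset()):
    """Return (event, verdict) pairs for events whose remote IP is an IOC.

    verdict is 'ioc_match' for an exact ip:port hit and 'ip_only' when the host matches
    but the port does not (lower confidence, still worth a look). Devices in
    allowlisted_devices (e.g. a reviewed, sanctioned mining test box) are skipped.
    """
    ports_by_ip: dict[str, set[int]] = {}
    for ip, port in map(refang, iocs):
        ports_by_ip.setdefault(ip, set()).add(port)
    hits = []
    for ev in events:
        if ev.device in allowlisted_devices or ev.remote_ip not in ports_by_ip:
            continue
        verdict = "ioc_match" if ev.remote_port in ports_by_ip[ev.remote_ip] else "ip_only"
        hits.append((ev, verdict))
    return hits


# Constructed sample events: one exact C2 hit, one IP-only hit, one sanctioned lab miner,
# and one benign internal connection that must not match.
SAMPLE_EVENTS = [
    NetEvent("2026-06-22T01:00:00Z", "web01", "45.153.34.212", 8181, "sysupdate"),
    NetEvent("2026-06-22T01:05:00Z", "web01", "193.32.126.167", 443, "curl"),
    NetEvent("2026-06-22T01:10:00Z", "lab-miner", "185.214.96.111", 2375, "xmrig"),
    NetEvent("2026-06-22T01:15:00Z", "db02", "10.0.0.5", 5432, "postgres"),
]

if __name__ == "__main__":
    print(kql_datatable(RAW_IOCS))
    for ev, verdict in hunt(SAMPLE_EVENTS, RAW_IOCS, allowlisted_devices={"lab-miner"}):
        print(verdict, ev.device, ev.process, f"{ev.remote_ip}:{ev.remote_port}")
```

Running the script prints the KQL datatable followed by two hits from web01: the `8181` connection as `ioc_match` and the `443` connection to `193.32.126.167` as `ip_only`. The allowlist is applied by device, not by IOC address, so an allowlisted lab host is the only thing that suppresses a hit; the C2 addresses themselves are never excluded.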
Scenario: Legitimate XMRIG Mining Setup
Description: A system administrator runs XMRIG on a sanctioned host, either as a mining node or in a test environment, and that host's miner process may connect to mining infrastructure and produce IP-based matches.
Filter/Exclusion: Exclude only the specific sanctioned hosts (for example by DeviceName) together with the known XMRIG install location, such as file.path contains /opt/xmrig/ or a known release directory like xmrig-5.1.0, rather than excluding the IOC addresses themselves. A sanctioned miner has no reason to contact an address tagged botnet_cc, so an exact ip:port hit from one of these hosts should still be investigated.
The following scenarios only produce false positives if the rule is extended to match the IOC strings in file contents or command lines; a text search never creates a network connection, so the network-based queries above are not affected by them.
Scenario: Scheduled System Maintenance Job
Description: A scheduled job runs a script that uses grep or a similar string-search tool on log files, and the search pattern or the matched log line may contain an XMRIG IOC value.
Filter/Exclusion: Exclude processes launched by a known scheduler (cron, systemd timers, or Windows Task Scheduler) or filter on the job's command-line arguments, such as grep --include="*.log".
Scenario: Security Tool or SIEM Configuration
Description: A security tool such as OSSEC or Splunk monitors system logs and carries XMRIG-related keywords or the IOC values in its rule set, so its own configuration or alert output may match.
Filter/Exclusion: Exclude events generated by the security tool itself, using a filter like process.name contains ossec or source.type == siem.
Scenario: Admin Task Involving String Search
Description: An administrator manually searches for suspicious activity with find, strings, or grep, and the search terms may contain XMRIG IOC values.
Filter/Exclusion: Exclude interactive invocations of these tools with a filter like process.name contains find or process.name contains strings, scoped to known administrator accounts rather than applied globally.
Scenario: Legitimate Software Update or Patching
Description: A patching tool like Ansible or Chef is