The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary
Malware Family: XMRIG
Total IOCs: 7
IOC Types: sha256_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 01baaef04cf032d418dcd85f047d129aa54b0eeabde2fed7287046c0604c3f1b | payload | 2026-06-14 | 85% |
| sha256_hash | 16d3440fcc067823afc44dcbccea9fbbc2f8c68ae53b7aea45f9adff4c127086 | payload | 2026-06-14 | 85% |
| sha256_hash | 8a68d1c08ea31250063f70b1ccb5051db1f7ab6e17d46e9dd3cc292b9849878b | payload | 2026-06-14 | 85% |
| sha256_hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | payload | 2026-06-14 | 85% |
| ip:port | 159[.]89[.]83[.]151:22 | payload_delivery | 2026-06-14 | 85% |
| ip:port | 37[.]58[.]136[.]133:22 | payload_delivery | 2026-06-14 | 85% |
| sha256_hash | 783adb7ad6b16fe9818f3e6d48b937c3ca1994ef24e50865282eeedeab7e0d59 | payload | 2026-06-14 | 85% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
// The ip:port IOCs are published with port 22; the port column is projected so the analyst can confirm the match.
let malicious_ips = dynamic(["159.89.83.151", "37.58.136.133"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["159.89.83.151", "37.58.136.133"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - XMRIG
// Every published hash is a SHA-256 digest, so only the SHA256 column is compared;
// comparing SHA1 or MD5 against this list could never match.
let malicious_hashes = dynamic([
    "01baaef04cf032d418dcd85f047d129aa54b0eeabde2fed7287046c0604c3f1b",
    "16d3440fcc067823afc44dcbccea9fbbc2f8c68ae53b7aea45f9adff4c127086",
    "8a68d1c08ea31250063f70b1ccb5051db1f7ab6e17d46e9dd3cc292b9849878b",
    "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2",
    "783adb7ad6b16fe9818f3e6d48b937c3ca1994ef24e50865282eeedeab7e0d59"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
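The IOC table above is published defanged (`[.]` in place of `.`), while the hunting queries need raw values, and a typo in a hand-copied hash silently produces a query that can never match. The following Python script is an added example, not part of the original page or of ThreatFox or Sentinel tooling: it takes an inline copy of the seven rows, validates each one (64 lowercase hex characters for a SHA-256, a parseable address and port for `ip:port`), refangs the addresses, and renders the three `let`/query blocks shown above. Function names, the `RAW_IOCS` structure and the `refang` conventions are assumptions of this example.

```python
"""Turn a ThreatFox-style IOC table into the KQL lists used by the hunting queries."""
import ipaddress
import re

# Constructed copy of the seven IOC rows published on this page, kept in the
# defanged form they are distributed in ([.] instead of .).
RAW_IOCS = [
    ("sha256_hash", "01baaef04cf032d418dcd85f047d129aa54b0eeabde2fed7287046c0604c3f1b"),
    ("sha256_hash", "16d3440fcc067823afc44dcbccea9fbbc2f8c68ae53b7aea45f9adff4c127086"),
    ("sha256_hash", "8a68d1c08ea31250063f70b1ccb5051db1f7ab6e17d46e9dd3cc292b9849878b"),
    ("sha256_hash", "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"),
    ("ip:port", "159[.]89[.]83[.]151:22"),
    ("ip:port", "37[.]58[.]136[.]133:22"),
    ("sha256_hash", "783adb7ad6b16fe9818f3e6d48b937c3ca1994ef24e50865282eeedeab7e0d59"),
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value: str) -> str:
    """Undo the common defanging conventions so the value matches raw telemetry."""
    return value.replace("[.]", ".").replace("[:]", ":")


def parse_ioc(ioc_type: str, value: str):
    """Validate one row and return ('sha256', digest) or ('ip', address, port).

    Malformed rows raise ValueError instead of silently becoming a dead
    indicator inside the generated query.
    """
    if ioc_type == "sha256_hash":
        digest = value.strip().lower()
        if not SHA256_RE.match(digest):
            raise ValueError(f"not a SHA-256 hex digest: {value!r}")
        return ("sha256", digest)
    if ioc_type == "ip:port":
        host, sep, port = refang(value.strip()).rpartition(":")
        if not sep:
            raise ValueError(f"missing port in {value!r}")
        ipaddress.ip_address(host)  # raises ValueError on anything that is not an IP
        port_num = int(port)
        if not 0 < port_num < 65536:
            raise ValueError(f"port out of range in {value!r}")
        return ("ip", host, port_num)
    raise ValueError(f"unsupported IOC type {ioc_type!r}")


def build_lists(rows):
    """Split validated rows into de-duplicated hash and IP lists, order preserved."""
    hashes, ips = {}, {}
    for ioc_type, value in rows:
        parsed = parse_ioc(ioc_type, value)
        if parsed[0] == "sha256":
            hashes[parsed[1]] = None
        else:
            ips[parsed[1]] = None  # port dropped: the page's queries match on IP only
    return list(hashes), list(ips)


def kql_dynamic(name: str, values) -> str:
    """Render a KQL `let` statement holding a dynamic array of string literals."""
    body = ",\n    ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([\n    {body}\n]);"


def build_queries(rows) -> dict:
    """Return the three hunting queries from the page, populated from the rows."""
    hashes, ips = build_lists(rows)
    ip_let = kql_dynamic("malicious_ips", ips)
    hash_let = kql_dynamic("malicious_hashes", hashes)
    return {
        "csl_network": "\n".join([
            ip_let,
            "CommonSecurityLog",
            "| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)",
            "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity",
            "| order by TimeGenerated desc",
        ]),
        "mde_network": "\n".join([
            ip_let,
            "DeviceNetworkEvents",
            "| where RemoteIP in (malicious_ips)",
            "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType",
            "| order by Timestamp desc",
        ]),
        "mde_files": "\n".join([
            hash_let,
            "DeviceFileEvents",
            "| where SHA256 in (malicious_hashes)",
            "| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName",
            "| order by Timestamp desc",
        ]),
    }


if __name__ == "__main__":
    for name, query in build_queries(RAW_IOCS).items():
        print(f"-- {name}\n{query}\n")
```

Validation happens before any value reaches a query, so a truncated hash or a defanged address that was missed fails loudly at generation time rather than producing a hunt that quietly returns zero rows.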
Scenario: Legitimate XMRIG Mining Setup
Description: A system administrator is deploying XMRIG as part of a legitimate cryptocurrency mining setup for a sanctioned use case (e.g., a mining pool or enterprise use with proper authorization).
Filter/Exclusion: Exclude processes or files associated with known XMRIG versions used in authorized environments (e.g., xmr-stak or xmrig-1.8.0), or filter by user account (e.g., mining_user).
Scenario: Scheduled System Maintenance Job
Description: A scheduled task or cron job is running a script that uses find or rsync to clean up temporary files, which may trigger the XMRIG IOC due to similar command-line patterns.
Filter/Exclusion: Exclude processes initiated by system services or scheduled tasks (e.g., root, systemd, or cron), or filter by command-line arguments that match known legitimate maintenance scripts.
Scenario: Admin Task Using find or grep
Description: An administrator is performing a system audit or log analysis using find or grep commands, which may include paths or strings that resemble XMRIG IOCs.
Filter/Exclusion: Exclude processes initiated by admin users (e.g., root, admin, or sudo) or filter by command-line arguments that match known administrative tools (e.g., find /var/log -name "*.log").
Scenario: Software Update or Patching Process
Description: A system update or patching process involves extracting or installing software that includes files or strings matching XMRIG IOCs due to shared code or libraries.
Filter/Exclusion: Exclude processes related to package managers (e.g., apt, yum, dnf, or rpm) or
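The scenarios above all come down to one pattern: an IOC match is still recorded, but matches from a documented, authorised context are marked as suppressed rather than deleted, so the exclusion itself stays auditable. The script below is an added example, not part of the original page or of Sentinel: it matches constructed DeviceNetworkEvents/DeviceFileEvents-style rows against a subset of the page's IOCs and applies a hypothetical allowlist of (device, account) pairs for the "Legitimate XMRIG Mining Setup" scenario. The device names, account names and the `AUTHORIZED_MINING` allowlist are assumed values.

```python
"""Match sample endpoint telemetry against the XMRIG IOCs and apply a documented exclusion."""

# Constructed subset of the page's IOCs, refanged so they compare against raw telemetry.
IOC_IPS = {"159.89.83.151", "37.58.136.133"}
IOC_SHA256 = {
    "01baaef04cf032d418dcd85f047d129aa54b0eeabde2fed7287046c0604c3f1b",
    "783adb7ad6b16fe9818f3e6d48b937c3ca1994ef24e50865282eeedeab7e0d59",
}

# Hypothetical allowlist for the "Legitimate XMRIG Mining Setup" scenario:
# (device, account) pairs the asset owner has authorised. Assumed values.
AUTHORIZED_MINING = {("mining-rig-01", "mining_user")}

# Constructed sample rows shaped like DeviceNetworkEvents / DeviceFileEvents records.
SAMPLE_EVENTS = [
    {"table": "DeviceNetworkEvents", "DeviceName": "ws-finance-07", "AccountName": "jdoe",
     "RemoteIP": "159.89.83.151", "RemotePort": 22, "InitiatingProcessFileName": "svchost.exe"},
    {"table": "DeviceNetworkEvents", "DeviceName": "mining-rig-01", "AccountName": "mining_user",
     "RemoteIP": "37.58.136.133", "RemotePort": 22, "InitiatingProcessFileName": "xmrig"},
    {"table": "DeviceFileEvents", "DeviceName": "ws-finance-07", "AccountName": "jdoe",
     "FileName": "update.exe",
     "SHA256": "783ADB7AD6B16FE9818F3E6D48B937C3CA1994EF24E50865282EEEDEAB7E0D59"},
    {"table": "DeviceNetworkEvents", "DeviceName": "ws-hr-02", "AccountName": "asmith",
     "RemoteIP": "10.0.0.5", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
]


def match_ioc(event):
    """Return (ioc_type, value) for the first indicator the row matches, else None."""
    remote = event.get("RemoteIP")
    if remote in IOC_IPS:
        return ("ip", remote)
    # Hash columns may arrive in either case; normalise before the set lookup.
    digest = (event.get("SHA256") or "").lower()
    if digest in IOC_SHA256:
        return ("sha256", digest)
    return None


def classify(event):
    """Attach an outcome to a matching row: 'alert' or a labelled suppression."""
    ioc = match_ioc(event)
    if ioc is None:
        return None
    key = (event.get("DeviceName"), event.get("AccountName"))
    status = "suppressed:authorized_mining" if key in AUTHORIZED_MINING else "alert"
    return {
        "status": status,
        "ioc_type": ioc[0],
        "ioc": ioc[1],
        "table": event["table"],
        "DeviceName": key[0],
        "AccountName": key[1],
    }


def hunt(events):
    """All IOC matches, suppressed ones included, for audit of the exclusion."""
    return [r for r in map(classify, events) if r is not None]


def alerts(events):
    """Only the matches that should reach the analyst queue."""
    return [r for r in hunt(events) if r["status"] == "alert"]


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

Keeping the suppressed rows in `hunt()` while `alerts()` filters them means a review of the allowlist can always answer "what did this exclusion hide last month", which a plain `where AccountName != "mining_user"` clause in the query cannot.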