The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary
Malware Family: XMRIG
Total IOCs: 11
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 151[.]243[.]150[.]40:2375 | payload_delivery | 2026-06-03 | 85% |
| ip:port | 64[.]89[.]163[.]134:5432 | botnet_cc | 2026-06-03 | 80% |
| ip:port | 13[.]58[.]162[.]150:5432 | botnet_cc | 2026-06-03 | 80% |
| ip:port | 65[.]49[.]1[.]222:5432 | botnet_cc | 2026-06-03 | 80% |
| ip:port | 98[.]80[.]4[.]99:5432 | botnet_cc | 2026-06-03 | 80% |
| ip:port | 18[.]219[.]33[.]158:6379 | payload_delivery | 2026-06-03 | 80% |
| ip:port | 151[.]243[.]150[.]40:5353 | botnet_cc | 2026-06-03 | 80% |
| ip:port | 111[.]228[.]48[.]124:6379 | payload_delivery | 2026-06-03 | 80% |
| ip:port | 82[.]112[.]241[.]16:6379 | payload_delivery | 2026-06-03 | 80% |
| ip:port | 143[.]198[.]92[.]217:5432 | botnet_cc | 2026-06-03 | 80% |
| ip:port | 46[.]151[.]182[.]191:5432 | payload_delivery | 2026-06-03 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
// Note: this matches on IP only. The ThreatFox entries are ip:port pairs, so
// DestinationPort is projected for the analyst to compare against the IOC table.
let malicious_ips = dynamic(["82.112.241.16", "46.151.182.191", "143.198.92.217", "64.89.163.134", "111.228.48.124", "18.219.33.158", "151.243.150.40", "13.58.162.150", "65.49.1.222", "98.80.4.99"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP list; RemotePort is projected so hits can be checked against the IOC table.
let malicious_ips = dynamic(["82.112.241.16", "46.151.182.191", "143.198.92.217", "64.89.163.134", "111.228.48.124", "18.219.33.158", "151.243.150.40", "13.58.162.150", "65.49.1.222", "98.80.4.99"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
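The two queries above match on the IP address alone, while ThreatFox publishes these indicators as ip:port pairs. The query below is an added example, not part of the original rule page: it uses the eleven refanged ip:port pairs from the IOC table, hunts both tables on the exact pair, and unions the results into one view per host and remote socket. Column names are the standard CommonSecurityLog and DeviceNetworkEvents schema; it assumes the connectors populate `Computer`, `DestinationPort`, `LocalIP` and `RemotePort`.

```kql
// Added example, not part of the original ThreatFox rule page.
// Match the exact ip:port pairs from the IOC table (refanged), not just the IP,
// so that unrelated traffic to a shared host on another port does not fire.
let malicious_sockets = dynamic([
    "151.243.150.40:2375", "64.89.163.134:5432", "13.58.162.150:5432",
    "65.49.1.222:5432", "98.80.4.99:5432", "18.219.33.158:6379",
    "151.243.150.40:5353", "111.228.48.124:6379", "82.112.241.16:6379",
    "143.198.92.217:5432", "46.151.182.191:5432"]);
// Firewall / proxy feed (CEF via CommonSecurityLog)
let fw_hits = CommonSecurityLog
    | extend RemoteSocket = strcat(DestinationIP, ":", tostring(DestinationPort))
    | where RemoteSocket in (malicious_sockets)
    | project TimeGenerated, Source = "CommonSecurityLog", Host = Computer,
              LocalAddr = SourceIP, RemoteSocket, Process = "", Action = DeviceAction;
// Endpoint feed (Defender for Endpoint)
let edr_hits = DeviceNetworkEvents
    | extend RemoteSocket = strcat(RemoteIP, ":", tostring(RemotePort))
    | where RemoteSocket in (malicious_sockets)
    | project TimeGenerated = Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
              LocalAddr = LocalIP, RemoteSocket, Process = InitiatingProcessFileName, Action = ActionType;
// One row per source, host and remote socket, newest activity first
union fw_hits, edr_hits
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Processes = make_set(Process) by Source, Host, RemoteSocket
| order by LastSeen desc
```

If a connector does not record the destination port, fall back to the IP-only queries above for that table; the port-qualified match trades a little recall for far fewer false hits on addresses that also serve legitimate traffic.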
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate XMRIG Mining Setup
Description: A system administrator is deploying a legitimate XMRIG mining instance for internal load testing or performance benchmarking.
Filter/Exclusion: Exclude processes where the command line includes --config pointing to a known internal XMRIG config file, or filter by user account (e.g., root or mining).
Scenario: Scheduled System Maintenance Job
Description: A scheduled job runs a script that temporarily uses XMRIG binaries for system diagnostics or resource monitoring.
Filter/Exclusion: Exclude processes with a parent process ID (PPID) matching the system scheduler (e.g., systemd, cron, or at) or filter by process name like diag_tool.sh.
Scenario: Security Tool or SIEM Integration
Description: A security tool or SIEM (e.g., Splunk, ELK) is using XMRIG for internal testing or integration with threat intelligence feeds.
Filter/Exclusion: Exclude processes running under the security tool’s service account (e.g., splunk, logstash) or filter by process name like threat_intel_fetcher.
Scenario: Admin Task for IOC Validation
Description: A security analyst is manually testing or validating XMRIG IOCs using tools like yara or osquery for forensic analysis.
Filter/Exclusion: Exclude processes where the command line includes --test or --validate, or filter by user account (e.g., security_analyst).
Scenario: Legacy System Compatibility Check
Description: A legacy system or compatibility tool is using XMRIG binaries for backward compatibility or to test older infrastructure.
Filter/Exclusion: Exclude processes with a parent process ID (PPID) matching a known
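One way to apply the scenarios above without losing visibility is to tag each IOC hit with the exclusion it matches and filter on that tag, so excluded traffic can still be reviewed. The query below is an added example, not part of the original rule page; the account names, parent process names and command-line markers are the placeholders from the scenario text and must be replaced with the values that actually apply in your environment.

```kql
// Added example, not part of the original ThreatFox rule page.
// Tag IOC hits with the documented exclusion scenario instead of dropping them
// silently. Account, parent-process and command-line values are placeholders
// taken from the scenario descriptions, not observed values.
let malicious_sockets = dynamic([
    "151.243.150.40:2375", "64.89.163.134:5432", "13.58.162.150:5432",
    "65.49.1.222:5432", "98.80.4.99:5432", "18.219.33.158:6379",
    "151.243.150.40:5353", "111.228.48.124:6379", "82.112.241.16:6379",
    "143.198.92.217:5432", "46.151.182.191:5432"]);
DeviceNetworkEvents
| extend RemoteSocket = strcat(RemoteIP, ":", tostring(RemotePort))
| where RemoteSocket in (malicious_sockets)
// First matching scenario wins; empty string means no exclusion applies
| extend ExclusionReason = case(
    InitiatingProcessAccountName =~ "mining"
        and InitiatingProcessCommandLine contains "--config", "Legitimate XMRIG mining setup",
    InitiatingProcessParentFileName in~ ("systemd", "cron", "at"), "Scheduled system maintenance job",
    InitiatingProcessAccountName in~ ("splunk", "logstash"), "Security tool or SIEM integration",
    InitiatingProcessAccountName =~ "security_analyst"
        and (InitiatingProcessCommandLine contains "--test"
             or InitiatingProcessCommandLine contains "--validate"), "Admin task for IOC validation",
    "")
| summarize Hits = count(), LastSeen = max(Timestamp),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, RemoteSocket, InitiatingProcessAccountName, ExclusionReason
| where isempty(ExclusionReason)   // comment out to review the excluded traffic as well
| order by LastSeen desc
```

Keep each exclusion as narrow as the scenario allows: a parent of `systemd` or `cron`, or the `root` account named in the first scenario, also covers the persistence mechanisms a miner would use, so scope those exclusions to the specific script name, host or config path rather than the scheduler or account alone.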