Adversaries are using XMRIG to covertly mine Monero by establishing C2 connections and leveraging compromised systems, which can lead to resource exhaustion and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate cryptocurrency mining activity before it causes significant operational impact.
IOC Summary

- Malware Family: XMRIG
- Total IOCs: 3
- IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://cdn.boyzee.xyz/086ad118cef06dd1ebe63c7b/xmrig_linux_amd64 | payload_delivery | 2026-06-01 | 80% |
| ip:port | 213[.]209[.]159[.]66:5432 | botnet_cc | 2026-06-01 | 80% |
| ip:port | 85[.]11[.]167[.]7:5432 | botnet_cc | 2026-06-01 | 80% |
```kql
// Hunt for network connections to known malicious IPs in CEF/Syslog firewall data
// Source: ThreatFox - XMRIG (refanged from the IOC table above)
let malicious_ips = dynamic(["213.209.159.66", "85.11.167.7"]);
CommonSecurityLog
// Match either direction; the IOC IPs are C2 endpoints, so outbound hits are the expected case
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["213.209.159.66", "85.11.167.7"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// InitiatingProcessFileName is the pivot: it shows which binary opened the connection
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - XMRIG
// Note: UrlClickEvents only records Safe Links clicks from email, Teams and Office,
// so a download performed by a script or a dropped binary will not appear here.
let malicious_urls = dynamic(["https://cdn.boyzee.xyz/086ad118cef06dd1ebe63c7b/xmrig_linux_amd64"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
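The queries above match on IP alone, but the IOC table lists ip:port pairs. Port 5432 is also the registered PostgreSQL port, so matching either half on its own is noisier than matching the pair the IOC actually asserts. The following query is an added example, not part of the original hunt content: it joins the exact pairs against both CommonSecurityLog and DeviceNetworkEvents, normalises the two schemas into one shape, and summarises per client so each host that reached the C2 shows up once with the processes seen. Only standard Sentinel and Defender column names are used; the 30-day lookback is an arbitrary choice.

```kql
// Added example, not from the original page: hunt the IOC ip:port pairs
// across firewall (CEF) logs and Defender for Endpoint in one query.
let lookback = 30d;
// Exact pairs from the ThreatFox XMRIG IOC table above.
let xmrig_c2 = datatable(RemoteIP:string, RemotePort:int)
[
    "213.209.159.66", 5432,
    "85.11.167.7",    5432
];
// Firewall / proxy events arrive via CEF into CommonSecurityLog.
let fw_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where isnotempty(DestinationIP) and isnotempty(DestinationPort)
    | project TimeGenerated,
              Source = "CommonSecurityLog",
              ClientIP = SourceIP,
              Process = "",                       // CEF records rarely carry the process
              RemoteIP = DestinationIP,
              RemotePort = toint(DestinationPort),
              Outcome = DeviceAction;
// Endpoint events carry the initiating process, the most useful pivot for triage.
let mde_hits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | project TimeGenerated = Timestamp,
              Source = "DeviceNetworkEvents",
              ClientIP = LocalIP,
              Process = InitiatingProcessFileName,
              RemoteIP,
              RemotePort,
              Outcome = ActionType;
union fw_hits, mde_hits
// Inner join keeps only events whose ip:port matches an IOC pair exactly.
| join kind=inner xmrig_c2 on RemoteIP, RemotePort
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Connections = count(),
            Processes = make_set(Process, 20),
            Outcomes = make_set(Outcome, 10)
          by Source, ClientIP, RemoteIP, RemotePort
| order by LastSeen desc
```

Keeping the IOC pairs in a `datatable` (or a Sentinel watchlist read with `_GetWatchlist`) rather than a `dynamic` list means new indicators from the same feed are a row to add, not a query to rewrite, and the join generalises to any number of pairs.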
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
**Scenario:** Scheduled System Maintenance or Patching

- **Description:** A legitimate scheduled task using schtasks.exe or Task Scheduler to update or patch systems may trigger the rule if it connects to a known IP:port associated with XMRIG.
- **Filter/Exclusion:** Exclude connections initiated by scheduled tasks with known patching or maintenance scripts (e.g., `C:\Windows\System32\sched.exe`, `C:\Windows\System32\taskhost.exe`).

**Scenario:** Admin Tools for Remote Management

- **Description:** Tools like PsExec, Remote Desktop Services, or PowerShell used by administrators to manage remote systems may inadvertently connect to IPs or ports associated with XMRIG if misconfigured.
- **Filter/Exclusion:** Exclude outbound connections from known administrative tools (e.g., `C:\Windows\System32\PsExec.exe`, `C:\Windows\System32\mstsc.exe`) or from IP ranges used by internal IT management systems.

**Scenario:** Legitimate Cryptocurrency Mining by IT Department

- **Description:** Some enterprises use legitimate cryptocurrency mining hardware or software for cloud mining or as part of a distributed computing initiative.
- **Filter/Exclusion:** Exclude traffic from known internal mining infrastructure (e.g., servers running minerd, cpuminer, or xmrig for authorized purposes) or from specific IP ranges used for internal mining pools.

**Scenario:** Network Monitoring Tools or SIEM Data Collection

- **Description:** Tools like Wireshark, tcpdump, or SIEM data collectors may connect to external IPs or ports for data aggregation, potentially matching XMRIG IOCs.
- **Filter/Exclusion:** Exclude connections initiated by network monitoring tools (e.g., `C:\Program Files\Wireshark\wireshark.exe`, `C:\Program Files\tcpdump\tcp
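The exclusion scenarios above are easiest to audit when they are written as named allowlists in the query rather than folded into the `where` clause. The query below is an added example, not part of the original page: it runs the Defender for Endpoint hunt against the IOC pairs and then labels each hit with a disposition derived from the scenarios (approved range, approved tool, authorised miner) instead of silently dropping it. The IP ranges, tool paths and SHA-256 values are placeholders to be replaced with your own; a file path on its own is weak evidence because a miner can be dropped under any name, so an "approved tool" exclusion here requires the hash as well.

```kql
// Added example, not from the original page: the Defender for Endpoint hunt
// with the exclusion scenarios expressed as reviewable allowlists.
// Ranges, paths and hashes below are placeholders for your own environment.
let xmrig_c2 = datatable(RemoteIP:string, RemotePort:int)
[
    "213.209.159.66", 5432,
    "85.11.167.7",    5432
];
// Placeholder: ranges used by internal IT management and authorised mining hosts.
let approved_source_ranges = dynamic(["10.50.0.0/16", "10.60.1.0/24"]);
// Placeholder: full paths of the admin and monitoring tools you accept.
let approved_tool_paths = dynamic([
    @"c:\windows\system32\mstsc.exe",
    @"c:\program files\wireshark\wireshark.exe"
]);
// Placeholder: SHA-256 of the authorised builds of those tools.
let approved_tool_hashes = dynamic([
    "<sha256-of-approved-mstsc-build>",
    "<sha256-of-approved-wireshark-build>"
]);
// Miner binaries named in the scenarios; an authorised host running one is
// labelled rather than hidden, so the exclusion stays visible in the results.
let known_miner_names = dynamic(["xmrig", "xmrig.exe", "minerd", "cpuminer"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| join kind=inner xmrig_c2 on RemoteIP, RemotePort
// Rebuild the full path; Linux sensors report folders with forward slashes.
| extend ProcessPath = strcat(InitiatingProcessFolderPath,
                              iff(InitiatingProcessFolderPath startswith "/", "/", @"\"),
                              InitiatingProcessFileName)
| extend FromApprovedRange = ipv4_is_in_any_range(LocalIP, approved_source_ranges),
         ApprovedTool = ProcessPath in~ (approved_tool_paths)
                        and InitiatingProcessSHA256 in~ (approved_tool_hashes),
         IsMiner = InitiatingProcessFileName in~ (known_miner_names)
| extend Disposition = case(
    ApprovedTool, "excluded: approved tool (path and hash)",
    FromApprovedRange and IsMiner, "excluded: authorised mining host",
    FromApprovedRange, "review: approved range, unexpected process",
    "alert")
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Connections = count(),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
          by DeviceName, LocalIP, ProcessPath, RemoteIP, RemotePort, Disposition
// Drop the final filter to see excluded rows during tuning.
| where Disposition !startswith "excluded"
| order by LastSeen desc
```

Labelling before filtering keeps the exclusion logic testable: remove the last `where` and the same query shows exactly which rows each allowlist suppressed, which is what a reviewer needs when an exclusion is added or an approved range changes.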