The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known malicious indicators associated with the XMRIG miner. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate unauthorized mining operations that could compromise system resources and data integrity.
IOC Summary

Malware Family: XMRIG
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 195[.]20[.]239[.]136:2375 | payload_delivery | 2026-06-16 | 80% |
| ip:port | 47[.]253[.]156[.]31:2375 | payload_delivery | 2026-06-16 | 80% |
| ip:port | 60[.]165[.]167[.]98:6379 | payload_delivery | 2026-06-16 | 80% |
The two KQL queries below are separate hunts, one per table, and should be run individually. Both match on IP address only, which is broader than the feed's ip:port values; the port columns are projected so the analyst can compare against the ports listed in the IOC table.

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
// Matches on IP only; the feed pairs these IPs with ports 2375 and 6379,
// so add a DestinationPort filter if a tighter match is wanted.
let malicious_ips = dynamic(["195.20.239.136", "47.253.156.31", "60.165.167.98"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["195.20.239.136", "47.253.156.31", "60.165.167.98"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
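The IOC table above is defanged (`[.]` in place of `.`) and carries a port with each address, while the hunting queries match on IP alone. The script below is an added example, not part of the ThreatFox feed or the rule content: it refangs the three XMRIG indicators, validates them as ip:port, renders a KQL hunt that joins on both address and port, and runs both the IP-only and the ip+port match over a few constructed events shaped like `DeviceNetworkEvents` rows (the event records and the column-name defaults in `kql_ip_port_hunt` are assumptions for illustration).

```python
"""Refang ThreatFox-style ip:port indicators and hunt them in network events.

Added example, not part of the ThreatFox feed or the Sentinel rule content
above. The three indicator strings are the XMRIG IOCs from the table; the
event records are constructed sample data shaped like DeviceNetworkEvents.
"""
import re

# Defanged rows exactly as they appear in the IOC table.
DEFANGED_IOCS = [
    "195[.]20[.]239[.]136:2375",
    "47[.]253[.]156[.]31:2375",
    "60[.]165[.]167[.]98:6379",
]

_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def refang(value: str) -> str:
    """Restore the dots that the feed replaces with '[.]' for safe display."""
    return value.strip().replace("[.]", ".")


def parse_iocs(rows):
    """Return [(ip, port), ...]; reject anything that is not a valid ip:port."""
    iocs = []
    for row in rows:
        m = _IP_PORT.match(refang(row))
        if not m:
            raise ValueError(f"not an ip:port indicator: {row!r}")
        ip, port = m.group(1), int(m.group(2))
        if any(int(o) > 255 for o in ip.split(".")) or not 0 < port < 65536:
            raise ValueError(f"out-of-range address or port: {row!r}")
        iocs.append((ip, port))
    return iocs


def kql_ip_port_hunt(iocs, table="DeviceNetworkEvents",
                     ip_col="RemoteIP", port_col="RemotePort"):
    """Render a KQL hunt that joins on ip AND port, tighter than the IP-only
    queries above (table and column names are assumptions for the example)."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in iocs)
    return (
        f"let iocs = datatable({ip_col}:string, {port_col}:int) [\n{rows}\n];\n"
        f"{table}\n"
        f"| join kind=inner iocs on {ip_col}, {port_col}\n"
        f"| order by Timestamp desc"
    )


# Constructed events in the shape of DeviceNetworkEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-16T08:01:00Z", "DeviceName": "build-01",
     "RemoteIP": "195.20.239.136", "RemotePort": 2375,
     "InitiatingProcessFileName": "curl.exe"},      # IP and port both match
    {"Timestamp": "2026-06-16T08:02:00Z", "DeviceName": "web-02",
     "RemoteIP": "60.165.167.98", "RemotePort": 443,
     "InitiatingProcessFileName": "chrome.exe"},    # IP hit, port differs
    {"Timestamp": "2026-06-16T08:03:00Z", "DeviceName": "cache-03",
     "RemoteIP": "10.0.0.5", "RemotePort": 6379,
     "InitiatingProcessFileName": "redis-cli"},     # port hit, IP benign
]


def match_events(events, iocs, require_port=True):
    """Return events whose RemoteIP (and, if require_port, RemotePort) hit an IOC."""
    ip_set = {ip for ip, _ in iocs}
    pair_set = set(iocs)
    hits = []
    for ev in events:
        key = (ev["RemoteIP"], ev["RemotePort"])
        matched = key in pair_set if require_port else ev["RemoteIP"] in ip_set
        if matched:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(DEFANGED_IOCS)
    print(kql_ip_port_hunt(iocs))
    for ev in match_events(SAMPLE_EVENTS, iocs, require_port=False):
        print("IP-only hit:", ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"])
```

Running it prints the ip+port KQL and two IP-only hits (`build-01` and `web-02`); only `build-01` survives the stricter ip+port match, which is the trade-off between the broad queries above and a port-qualified hunt.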
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

The scenarios below describe process- and file-based matches; the indicators in this rule are ip:port values, so these exclusions apply where the hunt is widened to process or file telemetry.

Scenario: System Update or Patching Process
Description: A legitimate system update or patching process may include files or processes that match XMRIG IOCs due to shared names or paths.
Filter/Exclusion: Exclude processes related to known patching tools (e.g., Windows Update, WSUS, Ansible, SaltStack) or files signed by trusted vendors.

Scenario: Scheduled Job for Log Analysis
Description: A scheduled job using tools like LogParser, PowerShell, or Splunk may execute scripts or use command-line arguments that resemble XMRIG IOCs.
Filter/Exclusion: Exclude processes with command-line arguments containing log, analyze, parse, or Splunk in the argument list.

Scenario: Admin Task Using psutil or Process Explorer
Description: An administrator may use tools like Process Explorer or Python's psutil library to monitor or manage processes, which could trigger XMRIG IOC matches.
Filter/Exclusion: Exclude processes launched by user accounts with administrative privileges or those associated with system monitoring tools.

Scenario: Legitimate Cryptocurrency Mining Tools
Description: Some legitimate cryptocurrency mining tools (e.g., MinerGate, NiceHash) may share similar command-line arguments or file names with XMRIG.
Filter/Exclusion: Exclude processes or files that match known legitimate mining software signatures or are signed by trusted developers.

Scenario: Backup or Sync Job Using rsync or RoboCopy
Description: A backup or synchronization job using rsync, RoboCopy, or similar tools may involve file operations that resemble XMRIG IOCs.
Filter/Exclusion: Exclude processes with command-line arguments containing backup, sync,