The ThreatFox: XMRIG IOCs rule detects potential cryptojacking activity by matching network telemetry against indicators ThreatFox associates with XMRig, an open-source Monero miner. XMRig itself is legitimate software, but it is routinely dropped by cryptojacking campaigns that hijack CPU time on compromised hosts and containers. All five indicators on this page are ip:port pairs on TCP 2375 (the default port of the unauthenticated Docker Engine API) and TCP 6379 (the Redis default port), services that mining campaigns commonly scan for and use as a delivery channel when they are exposed. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to identify early-stage compromise before it leads to resource exhaustion, and to treat any hit as a foothold that could be reused for further intrusion.
IOC Summary

Malware Family: XMRIG
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 207[.]56[.]229[.]19:2375 | payload_delivery | 2026-06-15 | 80% |
| ip:port | 77[.]223[.]99[.]43:2375 | payload_delivery | 2026-06-15 | 80% |
| ip:port | 202[.]61[.]224[.]163:2375 | payload_delivery | 2026-06-15 | 80% |
| ip:port | 41[.]110[.]4[.]106:2375 | payload_delivery | 2026-06-15 | 80% |
| ip:port | 47[.]113[.]229[.]153:6379 | payload_delivery | 2026-06-15 | 80% |
Hunt for connections to the known malicious IPs in firewall and proxy telemetry. Because the IOCs are ip:port pairs, the port is kept in the projection and flagged: a hit on an IOC IP together with destination port 2375 or 6379 is a much stronger signal than the IP alone, which may also appear in unrelated scanning or shared-hosting traffic.

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["41.110.4.106", "47.113.229.153", "207.56.229.19", "77.223.99.43", "202.61.224.163"]);
let ioc_ports = dynamic([2375, 6379]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// Flag rows where the destination port also matches the ip:port IOC (DestinationPort is an int column)
| extend PortMatch = DestinationPort in (ioc_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```

The same hunt in Defender for Endpoint network events adds the initiating process, which is what distinguishes a miner binary from a sanctioned tool or an analyst's scanner:

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["41.110.4.106", "47.113.229.153", "207.56.229.19", "77.223.99.43", "202.61.224.163"]);
let ioc_ports = dynamic([2375, 6379]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// Flag rows where the remote port also matches the ip:port IOC (RemotePort is an int column)
| extend PortMatch = RemotePort in (ioc_ports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (populated by the CEF/Syslog connectors from firewalls and proxies) |
| DeviceNetworkEvents | Ensure this data connector is enabled (populated by the Microsoft Defender XDR connector) |
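The two hunts above match on IP only and leave the port as a triage column. As an added example (not part of the ThreatFox feed or this rule's own code), the block below reproduces that matching logic in Python with the port taken into account, so the grading can be checked offline. It refangs the `[.]` notation used in the IOC table, validates each indicator before loading it, and runs the match over a handful of constructed CommonSecurityLog-shaped records; the sample records and the `classify`/`hunt` helper names are assumptions for illustration.

```python
"""Port-aware IOC matching for the ThreatFox XMRIG ip:port indicators.

Added example: mirrors the two Sentinel hunts in Python so the matching logic
can be exercised offline. The log records below are constructed sample data,
not real telemetry; field names follow the CommonSecurityLog schema.
"""
import ipaddress
from typing import NamedTuple

# The five defanged ip:port indicators exactly as listed in the IOC table.
RAW_IOCS = [
    "207[.]56[.]229[.]19:2375",
    "77[.]223[.]99[.]43:2375",
    "202[.]61[.]224[.]163:2375",
    "41[.]110[.]4[.]106:2375",
    "47[.]113[.]229[.]153:6379",
]


class Ioc(NamedTuple):
    ip: str
    port: int


def refang(value: str) -> str:
    """Undo feed defanging: '207[.]56[.]229[.]19' -> '207.56.229.19', 'hxxp' -> 'http'."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_ioc(raw: str) -> Ioc:
    """Parse one 'ip:port' indicator; raises ValueError on a malformed IP or port."""
    ip, sep, port = refang(raw.strip()).rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port indicator: {raw!r}")
    ipaddress.ip_address(ip)  # rejects garbage feed rows; raises ValueError on a bad address
    port_num = int(port)
    if not 0 < port_num <= 65535:
        raise ValueError(f"port out of range: {raw!r}")
    return Ioc(ip, port_num)


IOCS = {parse_ioc(r) for r in RAW_IOCS}
IOC_IPS = {i.ip for i in IOCS}

# Constructed records in CommonSecurityLog shape (sample data, not real logs).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-15T10:00:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "47.113.229.153", "DestinationPort": 6379, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:05:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "47.113.229.153", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:10:00Z", "SourceIP": "41.110.4.106",
     "DestinationIP": "10.0.0.7", "DestinationPort": 2375, "DeviceAction": "deny"},
    {"TimeGenerated": "2026-06-15T10:15:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53, "DeviceAction": "allow"},
]


def classify(event: dict) -> str:
    """Grade one connection: 'exact' (IOC ip and port), 'ip_only' (either side), or 'none'."""
    dst = Ioc(event["DestinationIP"], int(event["DestinationPort"]))
    if dst in IOCS:
        return "exact"
    if event["DestinationIP"] in IOC_IPS or event["SourceIP"] in IOC_IPS:
        return "ip_only"
    return "none"


def hunt(events: list) -> list:
    """Return (TimeGenerated, SourceIP, DestinationIP, DestinationPort, grade) for every hit,
    newest first, matching the '| order by TimeGenerated desc' in the KQL."""
    hits = []
    for e in events:
        grade = classify(e)
        if grade != "none":
            hits.append((e["TimeGenerated"], e["SourceIP"], e["DestinationIP"],
                         int(e["DestinationPort"]), grade))
    return sorted(hits, key=lambda h: h[0], reverse=True)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The third sample record (an inbound connection from an IOC address to port 2375 on an internal host) is graded `ip_only` rather than `exact`, which is deliberate: the feed describes these addresses as payload delivery endpoints, so an inbound hit is evidence of scanning for an exposed Docker API rather than of a miner already calling home, and deserves a different triage path.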
False Positive Scenarios

This rule matches on network connections to the listed ip:port pairs, so an exclusion should be scoped to the specific host, account or job that generates the traffic, never to the IOC itself. A sanctioned system that still talks to one of these addresses on port 2375 or 6379 remains suspicious and should be investigated rather than filtered.

Scenario: Legitimate XMRIG Mining Software Installation
Description: A system administrator installs the XMRIG mining software as part of a sanctioned cryptocurrency mining operation.
Filter/Exclusion: Exclude only the approved mining hosts and their approved pool endpoints. Excluding by binary name or version alone (e.g., xmr-stak or xmrig-3.17.0) is unsafe, because attackers drop the same binaries.

Scenario: Scheduled System Maintenance Job
Description: A scheduled task runs a script that temporarily accesses files or directories commonly associated with XMRIG during system cleanup or configuration updates.
Filter/Exclusion: Exclude the specific predefined job names on the hosts where they are scheduled. Do not exclude schtasks.exe or Task Scheduler in general, since scheduled tasks are a common persistence mechanism for miners.

Scenario: Admin Task for Log Analysis
Description: A security analyst uses a script or tool such as PowerShell or Python to analyze logs or retrieve threat intelligence, and the activity inadvertently matches the XMRIG IOC patterns.
Filter/Exclusion: Exclude the named analyst workstations, accounts and tooling (e.g., powershell.exe under a known analyst user context). Do not exclude all accounts with administrative privileges: those are exactly the accounts an attacker will be using.

Scenario: Antivirus or EDR False Positive
Description: A legitimate security tool, such as CrowdStrike Falcon or Microsoft Defender, generates a false positive by flagging XMRIG-related files as malicious.
Filter/Exclusion: Exclude files signed by known security vendors or with hashes present in the vendor's allowlist, and confirm the signature chain rather than the file name.

Scenario: Development Environment Testing
Description: A developer is testing a script or application that includes XMRIG-related code or files for testing purposes.
Filter/Exclusion: Exclude the specific development hosts and, where needed, processes running from development directories or user-specific paths (e.g., C:\Users\Dev\ or C:\Projects\). Path-based exclusions are easy for an attacker to satisfy, so pair them with a host or signer condition.