The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary
Malware Family: XMRIG
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 85[.]209[.]134[.]204:8181 | botnet_cc | 2026-06-22 | 80% |
| ip:port | 185[.]214[.]96[.]152:2375 | payload_delivery | 2026-06-22 | 80% |
| ip:port | 120[.]26[.]7[.]147:6379 | payload_delivery | 2026-06-22 | 80% |
| ip:port | 59[.]110[.]217[.]189:6379 | payload_delivery | 2026-06-22 | 80% |
| ip:port | 146[.]70[.]184[.]43:5432 | payload_delivery | 2026-06-22 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
// Note: the feed lists ip:port pairs; this query matches on IP only and
// projects the port so the analyst can compare it with the table above.
let malicious_ips = dynamic(["59.110.217.189", "146.70.184.43", "85.209.134.204", "185.214.96.152", "120.26.7.147"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP list; RemotePort and the initiating process are projected for triage.
let malicious_ips = dynamic(["59.110.217.189", "146.70.184.43", "85.209.134.204", "185.214.96.152", "120.26.7.147"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
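The queries above match on IP alone, while the ThreatFox entries are ip:port pairs. The following is an added example (not part of the ThreatFox feed or the Sentinel rule) that refangs the table's defanged values, renders the same `dynamic([...])` IP list the KQL uses, and grades constructed DeviceNetworkEvents-style rows as an exact ip:port hit versus an IP-only hit on an unrelated port; the event rows are constructed sample data, not real telemetry.

```python
import re

# IOC values copied from the table above, still defanged: (ip:port, threat type).
THREATFOX_XMRIG_IOCS = [
    ("85[.]209[.]134[.]204:8181", "botnet_cc"),
    ("185[.]214[.]96[.]152:2375", "payload_delivery"),
    ("120[.]26[.]7[.]147:6379", "payload_delivery"),
    ("59[.]110[.]217[.]189:6379", "payload_delivery"),
    ("146[.]70[.]184[.]43:5432", "payload_delivery"),
]

# Defanged IPv4 followed by a port, e.g. 85[.]209[.]134[.]204:8181
_IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")

def refang(value: str) -> tuple[str, int]:
    """Turn '85[.]209[.]134[.]204:8181' into ('85.209.134.204', 8181)."""
    m = _IOC_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a defanged ip:port IOC: {value!r}")
    ip, port = m.group(1).replace("[.]", "."), int(m.group(2))
    if not 0 < port <= 65535 or any(int(o) > 255 for o in ip.split(".")):
        raise ValueError(f"ip or port out of range: {value!r}")
    return ip, port

def kql_dynamic(iocs) -> str:
    """Render the refanged IPs as the dynamic([...]) literal the KQL queries use."""
    ips = sorted({refang(v)[0] for v, _ in iocs})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"

def classify(events, iocs):
    """Return (device, 'exact'|'ip_only', threat_type) for each matching event."""
    exact = {refang(v): t for v, t in iocs}
    known_ips = {ip for ip, _ in exact}
    hits = []
    for ev in events:
        key = (ev["RemoteIP"], ev["RemotePort"])
        if key in exact:  # ip and port both match the feed entry
            hits.append((ev["DeviceName"], "exact", exact[key]))
        elif ev["RemoteIP"] in known_ips:  # known IP, unrelated port: lower confidence
            hits.append((ev["DeviceName"], "ip_only", None))
    return hits

# Constructed sample rows in the shape of DeviceNetworkEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "web01", "RemoteIP": "85.209.134.204", "RemotePort": 8181},
    {"DeviceName": "db02", "RemoteIP": "120.26.7.147", "RemotePort": 443},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 6379},
]
```

Running `classify(SAMPLE_EVENTS, THREATFOX_XMRIG_IOCS)` flags web01 as an exact botnet_cc hit and db02 as an IP-only hit, which is the distinction worth carrying into the incident ticket.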
- Scenario: Legitimate use of crontab for scheduled system maintenance
  Filter/Exclusion: Exclude entries in crontab that match known legitimate maintenance tasks (e.g., `@daily /usr/bin/logrotate`, `@weekly /usr/sbin/backup_script`)
- Scenario: Use of rsync for legitimate data replication between servers
  Filter/Exclusion: Exclude rsync commands that involve known internal server pairs (e.g., `rsync -avz user@server1:/data/ user@server2:/backup/`)
- Scenario: System update or patching using apt or yum
  Filter/Exclusion: Exclude package installation events related to known security updates (e.g., `apt install -y curl`, `yum update -y`)
- Scenario: Admin task involving tar or gzip for archiving logs
  Filter/Exclusion: Exclude tar or gzip commands that target known log directories (e.g., `/var/log/` or `/opt/logs/`)
- Scenario: Use of wget or curl for legitimate software downloads
  Filter/Exclusion: Exclude download activities to known internal or public software repositories (e.g., `wget https://download.example.com/tool.tar.gz`, `curl https://repo.example.com/patch.tar.gz`)