The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known malicious artifacts associated with the XMRIG miner. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate covert mining operations that could compromise system resources and data integrity.
IOC Summary
Malware Family: XMRIG
Total IOCs: 8
IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 177[.]104[.]165[.]104:9443 | payload_delivery | 2026-06-06 | 80% |
| url | hxxp://177[.]104[.]165[.]104:9443/xmrig | payload_delivery | 2026-06-06 | 80% |
| ip:port | 116[.]34[.]14[.]135:22 | payload_delivery | 2026-06-06 | 80% |
| ip:port | 221[.]234[.]36[.]123:22 | payload_delivery | 2026-06-06 | 80% |
| ip:port | 37[.]255[.]239[.]81:22 | payload_delivery | 2026-06-06 | 80% |
| ip:port | 46[.]151[.]182[.]191:5432 | botnet_cc | 2026-06-06 | 80% |
| ip:port | 47[.]103[.]192[.]156:6379 | payload_delivery | 2026-06-06 | 80% |
| ip:port | 8[.]134[.]122[.]94:6379 | payload_delivery | 2026-06-06 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["177.104.165.104", "8.134.122.94", "37.255.239.81", "221.234.36.123", "47.103.192.156", "46.151.182.191", "116.34.14.135"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["177.104.165.104", "8.134.122.94", "37.255.239.81", "221.234.36.123", "47.103.192.156", "46.151.182.191", "116.34.14.135"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - XMRIG
let malicious_urls = dynamic(["http://177.104.165.104:9443/xmrig"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
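The hunting queries above match on IP address only, while the ThreatFox table lists every indicator as an ip:port pair (SSH, PostgreSQL and Redis ports among them). The following Python script is an added example, not part of the ThreatFox feed or of Sentinel: it refangs the defanged table rows, splits them into IPs, ip:port pairs and URLs, renders the `let ... = dynamic([...])` lines the queries need, and classifies constructed CommonSecurityLog-style rows as an exact pair match, an IP-only match, or no match. The port-aware KQL it prints (the `strcat`/`extend` lines and the `malicious_pairs` list) is this script's own suggestion, not the rule's query.

```python
"""Refang ThreatFox XMRIG IOCs, emit KQL lists, and run a port-aware match.

Added example for the ThreatFox: XMRIG IOCs rule; it is not code from
ThreatFox or Microsoft Sentinel.
"""
import re

# Rows copied from the IOC table above, still defanged as published.
DEFANGED_IOCS = [
    ("ip:port", "177[.]104[.]165[.]104:9443", "payload_delivery"),
    ("url", "hxxp://177[.]104[.]165[.]104:9443/xmrig", "payload_delivery"),
    ("ip:port", "116[.]34[.]14[.]135:22", "payload_delivery"),
    ("ip:port", "221[.]234[.]36[.]123:22", "payload_delivery"),
    ("ip:port", "37[.]255[.]239[.]81:22", "payload_delivery"),
    ("ip:port", "46[.]151[.]182[.]191:5432", "botnet_cc"),
    ("ip:port", "47[.]103[.]192[.]156:6379", "payload_delivery"),
    ("ip:port", "8[.]134[.]122[.]94:6379", "payload_delivery"),
]


def refang(value):
    """Undo ThreatFox-style defanging: '[.]' -> '.', 'hxxp(s)://' -> 'http(s)://'."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def parse_iocs(rows):
    """Return (sorted IPs, sorted (ip, port) tuples, sorted URLs), all refanged."""
    ips, pairs, urls = set(), set(), set()
    for ioc_type, value, _threat_type in rows:
        clean = refang(value)
        if ioc_type == "ip:port":
            ip, port = clean.rsplit(":", 1)
            ips.add(ip)
            pairs.add((ip, int(port)))
        elif ioc_type == "url":
            urls.add(clean)
    return sorted(ips), sorted(pairs), sorted(urls)


def kql_dynamic(name, items):
    """Render one KQL `let <name> = dynamic([...]);` declaration."""
    quoted = ", ".join('"%s"' % item for item in items)
    return "let %s = dynamic([%s]);" % (name, quoted)


def build_kql(rows):
    """Render a CommonSecurityLog hunt that flags exact ip:port matches.

    The strcat/extend lines are this example's suggestion (assumption), not
    the rule's published query.
    """
    ips, pairs, urls = parse_iocs(rows)
    lines = [
        kql_dynamic("malicious_ips", ips),
        kql_dynamic("malicious_pairs", ["%s:%d" % pair for pair in pairs]),
        kql_dynamic("malicious_urls", urls),
        "CommonSecurityLog",
        '| extend dst_pair = strcat(DestinationIP, ":", tostring(DestinationPort))',
        "| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)",
        "| extend exact_pair_match = dst_pair in (malicious_pairs)",
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, exact_pair_match",
    ]
    return "\n".join(lines)


def classify(dst_ip, dst_port, rows):
    """'exact' if ip:port is a listed pair, 'ip_only' if just the IP is listed, else 'none'."""
    ips, pairs, _urls = parse_iocs(rows)
    if (dst_ip, int(dst_port)) in pairs:
        return "exact"
    if dst_ip in ips:
        return "ip_only"
    return "none"


# Constructed CommonSecurityLog-style rows for the demonstration.
SAMPLE_ROWS = [
    {"DestinationIP": "116.34.14.135", "DestinationPort": 22},   # listed pair
    {"DestinationIP": "116.34.14.135", "DestinationPort": 443},  # IP listed, port not
    {"DestinationIP": "10.0.0.5", "DestinationPort": 22},        # unrelated
]

if __name__ == "__main__":
    print(build_kql(DEFANGED_IOCS))
    for row in SAMPLE_ROWS:
        print(row, "->", classify(row["DestinationIP"], row["DestinationPort"], DEFANGED_IOCS))
```

An IP-only hit on a shared or cloud-hosted address is a weaker signal than a hit on the exact listed port, so keeping `exact_pair_match` as a column lets an analyst sort the higher-fidelity rows to the top without dropping the broader IP matches.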
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate XMRIG Mining Software Installation
Description: A system administrator installs the XMRIG mining software as part of a legitimate cryptocurrency mining operation.
Filter/Exclusion: Exclude processes or files associated with known XMRIG versions (e.g., xmr-stak or xmrig-3.17.0) using the process.name or file.name field.
Example Filter: `process.name != "xmrig" AND file.name != "xmrig"`
Scenario: Scheduled System Maintenance Job
Description: A scheduled task runs a script that temporarily uses a tool with a similar name to XMRIG (e.g., xmr-util) for system diagnostics or log parsing.
Filter/Exclusion: Exclude processes associated with scheduled tasks using the process.parent or process.command_line field.
Example Filter: `process.parent == "schtasks.exe" OR process.command_line contains "scheduled"`
Scenario: Admin Tool with Similar Name
Description: An IT admin uses a legitimate system administration tool with a name similar to XMRIG (e.g., xmr-utility) for configuration management.
Filter/Exclusion: Exclude processes matching known admin tools using the process.name or process.parent field.
Example Filter: `process.name != "xmr-utility" AND process.parent != "taskmgr.exe"`
Scenario: Log Parsing or Monitoring Tool
Description: A log parsing tool (e.g., logparser.exe) or monitoring tool (e.g., xmr-monitor) is used to analyze system logs or performance metrics.
Filter/Exclusion: Exclude processes associated with log parsing tools using the process.name or process.parent field.
Example Filter: `process.name !=
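The scenario filters above are written as flat `field op "value"` expressions joined by AND/OR. The Python below is an added example, not a Sentinel or ThreatFox feature: it evaluates such expressions against event dicts (the grammar, the supported operators `==`, `!=` and `contains`, and the precedence of AND over OR are assumptions inferred from the scenario text), then applies scenario 1's expression as a keep-condition and scenario 2's as a drop-condition to constructed events so the effect of each exclusion is visible.

```python
"""Evaluate the scenario-style filter expressions against events.

Added example for the false-positive scenarios above; the expression
grammar is inferred from the scenario text and is an assumption.
"""
import re

# One clause: <dotted.field> <op> "<value>"; operators taken from the scenarios.
CLAUSE = re.compile(r'^\s*([\w.]+)\s+(==|!=|contains)\s+"([^"]*)"\s*$')


def eval_clause(clause, event):
    """Evaluate one comparison; field names are dotted keys of the event dict."""
    match = CLAUSE.match(clause)
    if not match:
        raise ValueError("unsupported clause: %r" % clause)
    field, op, expected = match.groups()
    actual = (event.get(field) or "").lower()  # missing field compares as empty
    expected = expected.lower()
    if op == "==":
        return actual == expected
    if op == "!=":
        return actual != expected
    return expected in actual  # contains


def eval_filter(expr, event):
    """AND binds tighter than OR; no parentheses, as in the scenarios."""
    return any(
        all(eval_clause(clause, event) for clause in re.split(r"\s+AND\s+", term))
        for term in re.split(r"\s+OR\s+", expr)
    )


def triage(events, keep_if, drop_if):
    """Return the events that still alert after a keep-style filter
    (scenario 1 form) and a drop-style exclusion (scenario 2 form)."""
    return [
        event for event in events
        if eval_filter(keep_if, event) and not eval_filter(drop_if, event)
    ]


# Expressions quoted from scenarios 1 and 2 above.
SCENARIO1_KEEP = 'process.name != "xmrig" AND file.name != "xmrig"'
SCENARIO2_DROP = (
    'process.parent == "schtasks.exe" OR process.command_line contains "scheduled"'
)

# Constructed events: a scheduled diagnostics job, an unrelated worker, the miner itself.
EVENTS = [
    {"process.name": "xmr-util.exe", "file.name": "xmr-util.exe",
     "process.parent": "schtasks.exe", "process.command_line": "xmr-util.exe --parse"},
    {"process.name": "node", "file.name": "node",
     "process.parent": "bash", "process.command_line": "node worker.js"},
    {"process.name": "xmrig", "file.name": "xmrig",
     "process.parent": "bash", "process.command_line": "./xmrig"},
]

if __name__ == "__main__":
    for event in triage(EVENTS, SCENARIO1_KEEP, SCENARIO2_DROP):
        print("still alerting:", event["process.name"])
    print("scenario 1 keeps the xmrig event:",
          eval_filter(SCENARIO1_KEEP, EVENTS[2]))
```

Running it shows the consequence of scenario 1's expression when it is applied as written: the event whose process name is `xmrig` fails the keep-condition and is discarded, so the filter suppresses the very process the rule hunts for, while a miner running under any other file name passes it. Name-based exclusions should therefore be scoped to the specific host, parent process or signed binary of the approved installation rather than to the name alone.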