The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary
Malware Family: XMRIG
Total IOCs: 6
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 139[.]59[.]67[.]197:6379 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 158[.]69[.]201[.]163:6379 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 47[.]243[.]208[.]30:6379 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 64[.]227[.]164[.]38:6379 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 211[.]234[.]111[.]116:5432 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 77[.]90[.]185[.]248:5432 | payload_delivery | 2026-06-26 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
// Note: the IOC table lists ip:port pairs (6379 and 5432); this query matches on IP only,
// so check DestinationPort in the results against the table to confirm an exact hit.
let malicious_ips = dynamic(["139.59.67.197", "64.227.164.38", "211.234.111.116", "47.243.208.30", "158.69.201.163", "77.90.185.248"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Matches on RemoteIP only; compare RemotePort with the ip:port pairs in the IOC table.
let malicious_ips = dynamic(["139.59.67.197", "64.227.164.38", "211.234.111.116", "47.243.208.30", "158.69.201.163", "77.90.185.248"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
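As an added example (not part of the ThreatFox rule page or its queries), the Python below takes the `ip:port` IOCs exactly as the table defangs them, refangs and validates them, and runs the same match the two KQL queries perform over constructed CommonSecurityLog- and DeviceNetworkEvents-shaped records. It goes one step further than the page's queries by separating an exact `ip:port` hit from an IP-only hit, which is useful for triage given that the listed ports are 6379 and 5432. The sample events, the field subset, and the `hunt`/`classify` helper names are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# IOCs copied from the ThreatFox table above, still defanged with [.]
THREATFOX_IOCS = [
    "139[.]59[.]67[.]197:6379",
    "158[.]69[.]201[.]163:6379",
    "47[.]243[.]208[.]30:6379",
    "64[.]227[.]164[.]38:6379",
    "211[.]234[.]111[.]116:5432",
    "77[.]90[.]185[.]248:5432",
]


def refang(ioc: str) -> str:
    """Undo the [.] defanging ThreatFox applies to IP indicators."""
    return ioc.replace("[.]", ".")


def parse_ip_port(ioc: str) -> Tuple[str, int]:
    """Split a defanged 'ip:port' IOC into a validated (ip, port) pair."""
    ip, port = refang(ioc).rsplit(":", 1)
    # ipaddress raises ValueError if refanging left anything malformed
    return str(ipaddress.ip_address(ip)), int(port)


def build_index(iocs: List[str]) -> Tuple[Set[Tuple[str, int]], Set[str]]:
    """Index IOCs as exact (ip, port) pairs and as bare IPs."""
    ip_ports = {parse_ip_port(i) for i in iocs}
    ips = {ip for ip, _ in ip_ports}
    return ip_ports, ips


# Constructed sample records (assumption): a few CommonSecurityLog-style
# flows and DeviceNetworkEvents-style endpoint connections.
SAMPLE_EVENTS: List[Dict] = [
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.5",
     "DestinationIP": "139.59.67.197", "DestinationPort": 6379, "DeviceAction": "allow"},
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.7",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53, "DeviceAction": "allow"},
    {"table": "DeviceNetworkEvents", "DeviceName": "web01",
     "RemoteIP": "211.234.111.116", "RemotePort": 5432, "InitiatingProcessFileName": "curl"},
    {"table": "DeviceNetworkEvents", "DeviceName": "web02",
     "RemoteIP": "77.90.185.248", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"table": "CommonSecurityLog", "SourceIP": "47.243.208.30",
     "DestinationIP": "10.0.0.9", "DestinationPort": 22, "DeviceAction": "deny"},
]


def classify(event: Dict, ip_ports: Set[Tuple[str, int]], ips: Set[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (verdict, matched_ip); verdict is 'exact', 'ip_only' or None.

    Mirrors the page's two queries: CommonSecurityLog is checked on both
    DestinationIP and SourceIP, DeviceNetworkEvents on RemoteIP. The port
    comparison is the extra step those queries leave to the analyst.
    """
    if event["table"] == "CommonSecurityLog":
        # Source-side matches carry no IOC port (the IOC port is a destination port)
        candidates = [(event["DestinationIP"], event.get("DestinationPort")),
                      (event["SourceIP"], None)]
    else:
        candidates = [(event["RemoteIP"], event.get("RemotePort"))]
    for ip, port in candidates:
        if ip not in ips:
            continue
        if port is not None and (ip, port) in ip_ports:
            return "exact", ip
        return "ip_only", ip
    return None, None


def hunt(events: List[Dict], iocs: List[str] = THREATFOX_IOCS) -> List[Dict]:
    """Run the IOC match over events and return hits with their verdict."""
    ip_ports, ips = build_index(iocs)
    hits = []
    for ev in events:
        verdict, ip = classify(ev, ip_ports, ips)
        if verdict:
            hits.append({"table": ev["table"], "ioc_ip": ip, "verdict": verdict, "event": ev})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["verdict"], hit["table"], hit["ioc_ip"])
```

An `ip_only` hit (for example 77.90.185.248 on port 443 in the sample) is still worth a look, since the same host may serve other ports, but an `exact` hit on 6379 or 5432 lines up with the ThreatFox record and should be triaged first.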
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate XMRIG Mining Setup
Description: A system administrator is deploying XMRIG as part of a legitimate cryptocurrency mining operation with proper authorization.
Filter/Exclusion: Check for presence of a valid mining license or configuration file (mining.conf) in the XMRIG directory, or use a filter like process.name != "xmrig" if the tool is not expected to run on the system.
Scenario: Scheduled System Maintenance Job
Description: A scheduled task is running a script that uses xmrig as part of a system maintenance or backup process.
Filter/Exclusion: Exclude processes associated with the task scheduler (e.g., schtasks.exe or at.exe) or filter by process name using process.name != "xmrig" during scheduled job execution.
Scenario: Security Tool or SIEM Integration
Description: A security tool or SIEM system is using xmrig as part of its integration with a threat intelligence feed or IOC lookup service.
Filter/Exclusion: Exclude processes that are known to be part of SIEM integrations (e.g., splunkd.exe, elastic-agent.exe) or check for the presence of a known SIEM integration configuration file.
Scenario: Admin Task for IOC Validation
Description: A security analyst is manually validating IOCs using a script or tool that includes xmrig as part of a test or validation process.
Filter/Exclusion: Exclude processes that are running from a known analyst workstation or check for the presence of a validation script or log file (e.g., validate_iocs.sh).
Scenario: System Update or Patching Process
Description: A system update or patching process includes a script that temporarily uses xmrig to verify system integrity or check for known vulnerabilities.