The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary

- Malware Family: XMRIG
- Total IOCs: 3
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 18[.]225[.]109[.]243:5432 | botnet_cc | 2026-06-04 | 80% |
| ip:port | 18[.]224[.]108[.]49:5432 | botnet_cc | 2026-06-04 | 80% |
| ip:port | 40[.]124[.]174[.]187:5432 | botnet_cc | 2026-06-04 | 80% |
Hunting Queries

```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["40.124.174.187", "18.225.109.243", "18.224.108.49"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["40.124.174.187", "18.225.109.243", "18.224.108.49"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Legitimate XMRIG Mining Software Installation
- Description: A system administrator installs the XMRIG mining software as part of a sanctioned cryptocurrency mining operation.
- Filter/Exclusion: Check for the presence of xmrig.conf or mining.sh in known mining directories, and exclude processes running under a dedicated mining user account.

Scenario: Scheduled System Maintenance Job Using XMRIG
- Description: A scheduled job runs a script that uses XMRIG for load testing or benchmarking purposes.
- Filter/Exclusion: Exclude processes initiated by a scheduled task with a known job name (e.g., SystemMaintenanceJob) and verify that the script is signed or whitelisted.

Scenario: Admin Task to Update XMRIG Configuration
- Description: An administrator updates the XMRIG configuration file to change mining pool settings or worker credentials.
- Filter/Exclusion: Exclude file modifications to xmrig.conf or config.json that occur during known maintenance windows or via approved configuration management tools (e.g., Ansible, Puppet).

Scenario: Legitimate Use of XMRIG in a DevOps Pipeline
- Description: A CI/CD pipeline includes a step that runs XMRIG for testing or benchmarking purposes.
- Filter/Exclusion: Exclude processes initiated by CI/CD agents (e.g., Jenkins, GitLab Runner) and check for the presence of a known pipeline identifier or environment variable.

Scenario: XMRIG Used for Internal Load Balancing or Traffic Analysis
- Description: XMRIG is used internally to simulate network traffic or test load balancing mechanisms.
- Filter/Exclusion: Exclude processes running on internal network interfaces (e.g., 192.168.x.x) and verify that the process is associated with a known internal testing tool or service.
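The two hunting queries above match on IP address alone, even though every IOC in this feed is of type ip:port (all on port 5432), and the exclusion scenarios describe process- and account-level context that the queries never look at. The following Defender for Endpoint query is an added example, not part of the ThreatFox rule or its published queries: it matches on the full ip:port pair to cut down on hits against unrelated services on the same hosts, and it applies the dedicated-mining-account and CI/CD-agent exclusions from the scenarios above. The account name `svc-xmrig` and the agent process names in the allow-lists are assumed placeholders to be replaced with the organisation's own sanctioned values.

```kusto
// Added example: ip:port matching plus sanctioned-use exclusions.
// The three endpoints are the ThreatFox IOCs from the table above (refanged).
let malicious_ipports = dynamic([
    "18.225.109.243:5432",
    "18.224.108.49:5432",
    "40.124.174.187:5432"
]);
// Assumed allow-list of dedicated mining service accounts (scenario: sanctioned mining)
let sanctioned_mining_accounts = dynamic(["svc-xmrig"]);
// Assumed allow-list of CI/CD agent process names (scenario: DevOps pipeline)
let cicd_agents = dynamic(["jenkins.exe", "gitlab-runner.exe"]);
DeviceNetworkEvents
| where RemotePort == 5432                                   // cheap pre-filter before building the pair
| extend RemoteEndpoint = strcat(RemoteIP, ":", tostring(RemotePort))
| where RemoteEndpoint in (malicious_ipports)
| where not(InitiatingProcessAccountName in~ (sanctioned_mining_accounts))
| where not(InitiatingProcessFileName in~ (cicd_agents))
| project Timestamp, DeviceName, RemoteEndpoint,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```

Keeping the exclusions in named `let` lists makes the allow-listing reviewable in one place; a hit that survives both filters still carries the initiating account, binary and command line in the output, so the analyst can confirm whether it fits one of the remaining scenarios before closing it.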