The ThreatFox: XMRIG IOCs rule flags potential cryptocurrency mining (cryptojacking) activity by matching indicators tied to the XMRig miner. XMRig itself is an open-source Monero miner; it becomes a problem when it is dropped onto hosts the attacker does not own, which is a common follow-on to exploitation of an exposed service or stolen credentials. SOC teams should hunt for these IOCs proactively in Microsoft Sentinel (formerly Azure Sentinel): a miner is often the first visible symptom of a compromised host, the access used to deploy it can be reused for other payloads or data theft, and the miner itself degrades the system and, in cloud environments, drives up compute cost.
IOC Summary
Malware Family: XMRIG
Total IOCs: 2
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://78[.]40[.]117[.]175:8000/xmrig | payload_delivery | 2026-06-07 | 85% |
| ip:port | 38[.]207[.]182[.]124:2375 | payload_delivery | 2026-06-07 | 85% |
The values above are defanged (hxxp, [.]) as ThreatFox publishes them; refang them before pasting into a query, as the queries below already do. Both indicators carry an IP, so the URL's host (78.40.117.175) belongs in the IP list as well. Note that 2375/tcp is the default cleartext port of the Docker Engine API: ThreatFox tags this ip:port as payload_delivery, so an outbound connection from one of your hosts to it should be treated as a payload fetch, not as Docker traffic of your own.
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
// Both indicators resolve to an IP: the ip:port entry and the host of the payload URL.
let malicious_ips = dynamic(["38.207.182.124", "78.40.117.175"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
// 2375 and 8000 are the ports in the IOCs; the port is projected rather than filtered on so that
// a connection to an IOC host on another port is still surfaced for review.
let malicious_ips = dynamic(["38.207.182.124", "78.40.117.175"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips) or RemoteUrl has_any (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - XMRIG
// UrlClickEvents only holds Safe Links clicks from mail, Teams and Office. A dropper fetching the
// payload with curl or wget never produces a click event; it shows up in DeviceNetworkEvents.RemoteUrl,
// hence the union. Matching on host:port/path instead of the full URL also catches an https variant.
let malicious_url_fragments = dynamic(["78.40.117.175:8000/xmrig"]);
union
  (UrlClickEvents
   | where Url has_any (malicious_url_fragments)
   | project Timestamp, Source = "UrlClickEvents", Actor = AccountUpn, Url, ActionType, IsClickedThrough),
  (DeviceNetworkEvents
   | where RemoteUrl has_any (malicious_url_fragments)
   | project Timestamp, Source = "DeviceNetworkEvents", Actor = DeviceName, Url = RemoteUrl, ActionType, InitiatingProcessFileName)
| order by Timestamp desc
```
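The same hunt logic, written out in Python so it can be checked offline before the KQL is run. This is an added example and not part of the ThreatFox rule or the Sentinel queries above; it refangs the two published indicators, renders them as the `dynamic([...])` list the queries use, and runs them over constructed records shaped like CommonSecurityLog and DeviceNetworkEvents rows (column names follow Sentinel, the records and host names are invented for the example). It also shows the authorized-miner exclusion done correctly: process-name matches are suppressed only for listed hosts, and an IOC hit is never suppressed.

```python
"""Added example: refang ThreatFox XMRIG IOCs and match them against sample telemetry.
Not part of the original rule or queries. Records below are constructed, not real logs."""
import re
from urllib.parse import urlparse

# The two indicators from the table above, exactly as ThreatFox publishes them (defanged).
THREATFOX_IOCS = [
    {"type": "url", "value": "hxxp://78[.]40[.]117[.]175:8000/xmrig"},
    {"type": "ip:port", "value": "38[.]207[.]182[.]124:2375"},
]

# Binaries the process-based scenarios in the false-positive section refer to.
MINER_PROCESS_NAMES = {"xmrig", "xmrig.exe", "minerd", "minerd.exe"}


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    v = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def parse_ioc(ioc: dict) -> dict:
    """Normalise an ip:port or url indicator into ip, port and path."""
    v = refang(ioc["value"])
    if ioc["type"] == "ip:port":
        ip, port = v.rsplit(":", 1)
        return {"ip": ip, "port": int(port), "path": None, "raw": v}
    if ioc["type"] == "url":
        u = urlparse(v)
        port = u.port or (443 if u.scheme == "https" else 80)
        return {"ip": u.hostname, "port": port, "path": u.path or "/", "raw": v}
    raise ValueError(f"unsupported IOC type: {ioc['type']}")


def kql_ip_list(iocs=None) -> str:
    """Render the distinct IOC hosts as the KQL dynamic() literal used in the queries above."""
    seen = []
    for ioc in (parse_ioc(i) for i in (iocs or THREATFOX_IOCS)):
        if ioc["ip"] not in seen:
            seen.append(ioc["ip"])
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in seen) + "])"


def match_record(record: dict, iocs: list) -> list:
    """Return (indicator, kind) pairs a single record hits.
    kind is 'url' for a full host:port/path match, 'ip_port' for ip and port,
    and 'ip_only' when only the host matches (still reported, weaker signal)."""
    hits = []
    # Column names differ per table; collect every field that can hold a peer IP.
    ips = {record.get(k) for k in ("DestinationIP", "SourceIP", "RemoteIP")} - {None}
    port = record.get("DestinationPort", record.get("RemotePort"))
    url = record.get("RemoteUrl") or record.get("Url") or ""
    for ioc in iocs:
        if ioc["ip"] not in ips and ioc["ip"] not in url:
            continue
        if ioc["path"] and ioc["ip"] in url and ioc["path"] in url:
            hits.append((ioc["raw"], "url"))
        elif port is not None and int(port) == ioc["port"]:
            hits.append((ioc["raw"], "ip_port"))
        else:
            hits.append((ioc["raw"], "ip_only"))
    return hits


def hunt(records: list, iocs=None, authorized_mining_hosts=frozenset()) -> list:
    """Run the IOC match and the process-name check over every record.
    IOC hits are always reported. The process-name hit is dropped only when the
    binary is a listed miner AND the host is on the authorized list ('and', not 'or')."""
    parsed = [parse_ioc(i) for i in (iocs or THREATFOX_IOCS)]
    alerts = []
    for r in records:
        host = r.get("DeviceName") or r.get("SourceIP")
        for raw, kind in match_record(r, parsed):
            alerts.append({"host": host, "reason": f"ioc:{kind}", "indicator": raw})
        proc = (r.get("InitiatingProcessFileName") or "").lower()
        if proc in MINER_PROCESS_NAMES and host not in authorized_mining_hosts:
            alerts.append({"host": host, "reason": "process:miner_binary", "indicator": proc})
    return alerts


# Constructed sample rows (hosts and internal addresses are invented for this example).
SAMPLE_RECORDS = [
    # CommonSecurityLog shape: firewall allowed an outbound connection to the 2375 IOC.
    {"Table": "CommonSecurityLog", "SourceIP": "10.0.4.17", "DestinationIP": "38.207.182.124",
     "DestinationPort": 2375, "DeviceAction": "allow"},
    # DeviceNetworkEvents shape: curl fetching the payload URL.
    {"Table": "DeviceNetworkEvents", "DeviceName": "web-01", "RemoteIP": "78.40.117.175",
     "RemotePort": 8000, "RemoteUrl": "http://78.40.117.175:8000/xmrig", "InitiatingProcessFileName": "curl"},
    # Same IOC host on a different port: weaker signal, still surfaced.
    {"Table": "DeviceNetworkEvents", "DeviceName": "web-02", "RemoteIP": "78.40.117.175",
     "RemotePort": 443, "RemoteUrl": "", "InitiatingProcessFileName": "chrome.exe"},
    # Authorized lab miner talking to its own pool: process hit, no IOC hit.
    {"Table": "DeviceNetworkEvents", "DeviceName": "mining-lab-01", "RemoteIP": "192.0.2.50",
     "RemotePort": 3333, "RemoteUrl": "", "InitiatingProcessFileName": "xmrig"},
    # Benign traffic.
    {"Table": "DeviceNetworkEvents", "DeviceName": "web-01", "RemoteIP": "192.0.2.10",
     "RemotePort": 443, "RemoteUrl": "https://example.com/", "InitiatingProcessFileName": "chrome.exe"},
]

if __name__ == "__main__":
    print(kql_ip_list())
    for a in hunt(SAMPLE_RECORDS, authorized_mining_hosts={"mining-lab-01"}):
        print(a)
```

With mining-lab-01 on the authorized list the run yields three alerts, all IOC-based (the 2375 connection, the payload URL fetch, and the same host on port 443), and the lab miner is silent; remove the host from the list and its xmrig process produces a fourth, process-based alert.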
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Fed by the Common Event Format (CEF) via AMA connector; the firewall or proxy must be forwarding CEF for the IP hunt to see anything |
| DeviceNetworkEvents | Fed by the Microsoft Defender XDR connector; requires devices onboarded to Defender for Endpoint |
| UrlClickEvents | Fed by the Microsoft Defender XDR connector; populated only by Defender for Office 365 Safe Links clicks, so it covers mail, Teams and Office links, not direct downloads by a dropper |
Scenario: Legitimate XMRIG Mining Software Installation
Description: A system administrator installs XMRig for an authorized cryptocurrency mining operation. XMRig is open-source software and is not malicious on its own; what matters is where the binary came from and what it connects to.
Filter/Exclusion: Exclude xmrig or minerd processes only on hosts that belong to a documented, authorized mining operation, using an `and` so the exclusion actually narrows, e.g. `process.name != "xmrig" and process.name != "minerd"` scoped to those hosts (the form `process.name != "xmrig" or process.name != "minerd"` is always true and excludes nothing). Never exclude a match against the ThreatFox IPs or URL above on process-name grounds: an authorized miner has no reason to fetch its payload from attacker infrastructure.
Scenario: Scheduled System Maintenance Job
Description: A scheduled task runs a maintenance script whose binary or script name happens to collide with the miner's name (e.g., xmr or xmrig).
Filter/Exclusion: Exclude the specific known task by its task name and the script's hash, not by parent process alone. A filter such as `process.parent.name == "schtasks.exe"` is too broad: miners are routinely persisted through Task Scheduler, so excluding everything launched from it would hide exactly the activity this hunt is looking for.
Scenario: Admin Task Using XMRIG for Performance Testing
Description: A system administrator runs XMRig as part of a performance test to simulate a mining workload.
Filter/Exclusion: Exclude processes that belong to a known performance test framework or lab environment (e.g., perfmon.exe or xmr-test.exe), and scope the exclusion by host name or lab tag rather than by process name alone, so a production host running the same binary still alerts.
Scenario: Legitimate Security Tool with Similar IOC
Description: A legitimate security tool (e.g., XMRig-Scanner or XMRig-Analyzer) used for threat intelligence analysis carries the same strings or contacts the same indicators as the XMRIG malware.
Filter/Exclusion: Exclude known security tools (e.g., xmrig-scanner.exe or xmrig-analyzer.exe) by signed binary hash or install path rather than by file name, and limit the exclusion to the analysis hosts that are expected to run them; a tool that actively probes the IOC hosts will produce genuine network hits, so those hosts need to be known to the SOC in advance.
Scenario: User-Initiated Script with Similar IOC
Description: A user runs a script that includes a command with a similar IOC to XMRIG (e.g., `