The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known malicious artifacts associated with the XMRIG miner. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate initial compromise attempts by adversaries leveraging XMRIG for unauthorized resource utilization.
IOC Summary
Malware Family: XMRIG
Total IOCs: 4
IOC Types: sha256_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 179[.]43[.]139[.]81:80 | payload_delivery | 2026-05-23 | 60% |
| ip:port | 179[.]43[.]139[.]82:80 | payload_delivery | 2026-05-23 | 70% |
| ip:port | 179[.]43[.]139[.]80:80 | payload_delivery | 2026-05-23 | 60% |
| sha256_hash | ef355778546bc6e044330691404b63eddf83d7fc6073047394a25dd0e98c7d7d | payload | 2026-05-23 | 90% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
// A KQL let statement must be terminated with a semicolon.
let malicious_ips = dynamic(["179.43.139.81", "179.43.139.82", "179.43.139.80"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["179.43.139.81", "179.43.139.82", "179.43.139.80"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - XMRIG
// Only SHA-256 indicators are published for this family, so match the SHA256 column;
// a 64-character digest can never equal a SHA1 or MD5 value. in~ ignores hex case.
let malicious_hashes = dynamic(["ef355778546bc6e044330691404b63eddf83d7fc6073047394a25dd0e98c7d7d"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate XMRIG Mining Setup
Description: A system administrator is deploying XMRIG as part of a legitimate cryptocurrency mining setup for a sanctioned use case (e.g., a mining pool or internal testing).
Filter/Exclusion: Check for the presence of known mining configuration files (e.g., config.json) and verify whether the process is associated with a known mining pool or internal infrastructure.
Scenario: Scheduled System Maintenance Job
Description: A scheduled job is running a script that uses grep or find commands with patterns similar to the XMRIG IOCs as part of a routine system audit or log analysis.
Filter/Exclusion: Filter out processes initiated by a known system maintenance user (e.g., root, sysadmin, or maintenance) or check for the presence of audit scripts in a known directory (e.g., /opt/audit/).
Scenario: Security Tool or SIEM Configuration
Description: A security tool (e.g., Splunk, ELK Stack) is configured to parse logs and includes XMRIG-related keywords in its log parsing rules, leading to false positives.
Filter/Exclusion: Exclude processes or logs associated with known SIEM tools or log parsing utilities (e.g., splunkd, logstash, filebeat).
Scenario: Admin Task Using find or grep
Description: An administrator is using find or grep to search for files or processes related to XMRIG during a forensic investigation or incident response.
Filter/Exclusion: Filter out processes initiated by admin users (e.g., root, admin, security) or check for the presence of forensic tools (e.g., volatility, tcpdump).
Scenario: Legitimate Software Update or Patching
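The hunting queries above hard-code refanged copies of the IOC table, and the scenarios list process names to exclude. The following Python script, added here as an example and not part of ThreatFox or Microsoft tooling, parses the defanged table rows, validates them, renders the KQL `let` statements, and pre-screens exported event records against the indicators while applying the SIEM/log-parser exclusion; the `BENIGN_PARSERS` set and the event field names are assumptions taken from the scenarios and queries above.

```python
"""Refang ThreatFox IOC rows into Sentinel KQL let statements and pre-screen
exported events against them (added example, not ThreatFox or Microsoft code).
The IOC rows below are copied from the table above."""
import re
from collections import defaultdict

IOCS = [  # (type, value as published, confidence %)
    ("ip:port", "179[.]43[.]139[.]81:80", 60),
    ("ip:port", "179[.]43[.]139[.]82:80", 70),
    ("ip:port", "179[.]43[.]139[.]80:80", 60),
    ("sha256_hash", "ef355778546bc6e044330691404b63eddf83d7fc6073047394a25dd0e98c7d7d", 90),
]
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Process names from the SIEM/log-parser false-positive scenario above (assumed list)
BENIGN_PARSERS = {"splunkd", "logstash", "filebeat"}

def refang(value):
    """Undo the [.] defanging used in the IOC table so values match raw telemetry."""
    return value.replace("[.]", ".")

def parse_iocs(rows, min_confidence=0):
    """Group indicators by kind, refang and validate; ip:port is split into ip and port."""
    out = defaultdict(set)
    for ioc_type, value, confidence in rows:
        if confidence < min_confidence:
            continue
        if ioc_type == "ip:port":
            ip, port = refang(value).rsplit(":", 1)
            out["ip"].add(ip)
            out["port"].add(int(port))
        elif ioc_type == "sha256_hash":
            if not SHA256_RE.match(value.lower()):
                raise ValueError(f"not a SHA-256 hex digest: {value}")
            out["sha256"].add(value.lower())
    return {k: sorted(v) for k, v in out.items()}

def kql_let(name, values):
    """Render a complete KQL let statement, e.g. let malicious_ips = dynamic([...]);"""
    body = ", ".join(f'"{v}"' if isinstance(v, str) else str(v) for v in values)
    return f"let {name} = dynamic([{body}]);"

def match_event(event, iocs):
    """Return why an event hits an IOC, or None; applies the log-parser exclusion."""
    if event.get("InitiatingProcessFileName", "").lower() in BENIGN_PARSERS:
        return None
    if event.get("RemoteIP") in iocs.get("ip", []):
        return f"network:{event['RemoteIP']}:{event.get('RemotePort')}"
    if event.get("SHA256", "").lower() in iocs.get("sha256", []):
        return "file:" + event["SHA256"].lower()
    return None
```

Raising `min_confidence` drops the 60% network indicators and keeps only the 70% address and the 90% hash, which is a quick way to tune noise before the query runs in Sentinel.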