The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary

Malware Family: XMRIG
Total IOCs: 4
IOC Types: domain, ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://194[.]238[.]26[.]34:8880/r8x4k2m9/stager_linux_amd64 | payload_delivery | 2026-06-10 | 85% |
| domain | updates.officehub.works | botnet_cc | 2026-06-10 | 85% |
| ip:port | 47[.]86[.]190[.]58:6379 | payload_delivery | 2026-06-10 | 85% |
| ip:port | 209[.]58[.]169[.]220:60137 | payload_delivery | 2026-06-10 | 85% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
// The two ip:port indicators plus the host of the payload-delivery URL from the table above
let malicious_ips = dynamic(["47.86.190.58", "209.58.169.220", "194.238.26.34"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["47.86.190.58", "209.58.169.220", "194.238.26.34"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XMRIG
let malicious_domains = dynamic(["updates.officehub.works"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - XMRIG
let malicious_urls = dynamic(["http://194.238.26.34:8880/r8x4k2m9/stager_linux_amd64"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
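The queries above match on bare IP addresses and drop the ports carried by the ip:port indicators. The following added Python example (not part of the ThreatFox rule or its queries) refangs the indicators from the table, derives the KQL `let` lists the queries use, and performs a port-aware match so an analyst can separate exact ip:port hits from weaker address-only hits. The `IOCS` list is a constructed copy of the table values; all function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the ThreatFox XMRIG indicators from the table above (still defanged).
IOCS = [
    ("url", "hxxp://194[.]238[.]26[.]34:8880/r8x4k2m9/stager_linux_amd64"),
    ("domain", "updates.officehub.works"),
    ("ip:port", "47[.]86[.]190[.]58:6379"),
    ("ip:port", "209[.]58[.]169[.]220:60137"),
]

def refang(value: str) -> str:
    """Undo the defanging used in the table: [.] -> . and hxxp -> http."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)

def ioc_sets(iocs):
    """Split refanged indicators into the sets the hunting queries need.
    ip:port indicators keep their port; a URL also contributes its host (and port)."""
    ips, ip_ports, domains, urls = set(), set(), set(), set()
    for kind, raw in iocs:
        value = refang(raw)
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            ips.add(ip)
            ip_ports.add((ip, int(port)))
        elif kind == "domain":
            domains.add(value.lower())
        elif kind == "url":
            urls.add(value)
            parts = urlsplit(value)
            host = parts.hostname
            (ips if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else domains).add(host)
            if parts.port:
                ip_ports.add((host, parts.port))
    return {"ips": ips, "ip_ports": ip_ports, "domains": domains, "urls": urls}

def kql_let(name, values):
    """Render a KQL `let` list in the shape used by the hunting queries above."""
    items = ", ".join('"%s"' % v for v in sorted(values))
    return "let %s = dynamic([%s]);" % (name, items)

def match_connection(dst_ip, dst_port, sets):
    """'exact' when ip and port match an ip:port indicator, 'ip_only' when only the
    address matches (lower confidence, worth triage but not an automatic alert), else None."""
    if (dst_ip, dst_port) in sets["ip_ports"]:
        return "exact"
    if dst_ip in sets["ips"]:
        return "ip_only"
    return None
```

Feed `kql_let("malicious_ips", ioc_sets(IOCS)["ips"])` into the `let` line of a query to keep the list in sync with the table.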
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that temporarily uses a tool like psutil or systeminfo to gather system metrics, which may trigger the XMRIG IOC due to similar command-line patterns.
Filter/Exclusion: Exclude processes associated with schtasks.exe or tasks with TaskName containing “Maintenance” or “SystemCheck”.
Scenario: Admin Performing Log Analysis with LogParser
Description: An administrator uses Microsoft’s LogParser tool to analyze event logs, which may include commands resembling XMRIG IOCs due to similar syntax.
Filter/Exclusion: Exclude processes with Image containing LogParser.exe or EventTracingForWindows.
Scenario: Database Backup Job Using SQLCMD
Description: A database backup job runs sqlcmd to execute T-SQL scripts, which may include command-line arguments that resemble XMRIG IOCs.
Filter/Exclusion: Exclude processes with Image containing sqlcmd.exe or sqlbackup.exe, or where the command line includes BACKUP DATABASE.
Scenario: Software Inventory Scan with SCCM Client
Description: The SCCM client runs a software inventory scan, which may include commands that match XMRIG IOCs due to similar file or process names.
Filter/Exclusion: Exclude processes with Image containing ccmexec.exe or smsclient.exe, or where the command line includes SoftwareInventory.
Scenario: Scripted Automation with PowerShell
Description: A PowerShell script runs a series of commands to automate system tasks, which may inadvertently match XMRIG IOCs due to similar command structures.
Filter/Exclusion: Exclude processes with Image containing powershell.exe and where the script path or