The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary
Malware Family: XMRIG
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 193[.]160[.]100[.]154:2375 | botnet_cc | 2026-05-21 | 90% |
| ip:port | 8[.]146[.]237[.]26:9655 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 118[.]145[.]104[.]154:6379 | payload_delivery | 2026-05-21 | 90% |
| ip:port | 117[.]150[.]62[.]177:6379 | payload_delivery | 2026-05-21 | 90% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
// Note: the IOCs above are ip:port pairs; this query matches on IP alone,
// so compare DestinationPort with the table before escalating a hit.
let malicious_ips = dynamic(["193.160.100.154", "8.146.237.26", "117.150.62.177", "118.145.104.154"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
// Note: matches on RemoteIP only; RemotePort is projected so the analyst
// can confirm it against the ip:port IOCs in the table.
let malicious_ips = dynamic(["193.160.100.154", "8.146.237.26", "117.150.62.177", "118.145.104.154"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
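The IOCs in the table are ip:port pairs, while both hunting queries above match on the IP address alone. The following Python script is an added example, not ThreatFox or Sentinel code: it refangs the defanged indicators exactly as they appear in the table, keeps the port, and runs the match over a handful of constructed CommonSecurityLog-style events, separating exact ip:port hits from weaker ip-only hits so an analyst can triage the two differently. The event records, field names and `hunt()` helper are assumptions for the demonstration.

```python
"""Match ThreatFox-style ip:port IOCs against network events (added example)."""
import ipaddress
from dataclasses import dataclass

# IOC rows exactly as listed on the page, in defanged form: (value, threat type, confidence).
THREATFOX_XMRIG_IOCS = [
    ("193[.]160[.]100[.]154:2375", "botnet_cc", 90),
    ("8[.]146[.]237[.]26:9655", "botnet_cc", 100),
    ("118[.]145[.]104[.]154:6379", "payload_delivery", 90),
    ("117[.]150[.]62[.]177:6379", "payload_delivery", 90),
]


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    threat_type: str
    confidence: int


def refang(value: str) -> str:
    """Undo the usual defanging so the indicator can be compared with log fields."""
    return value.replace("[.]", ".").replace("(.)", ".")


def parse_ioc(raw: str, threat_type: str, confidence: int) -> Ioc:
    """Split 'ip:port' and validate the IP; a malformed indicator raises ValueError."""
    ip, _, port = refang(raw).rpartition(":")
    ipaddress.ip_address(ip)
    return Ioc(ip, int(port), threat_type, confidence)


def load_iocs(rows):
    return [parse_ioc(*row) for row in rows]


def index_iocs(iocs):
    """Group IOCs by IP so one lookup per event side is enough."""
    by_ip = {}
    for ioc in iocs:
        by_ip.setdefault(ioc.ip, []).append(ioc)
    return by_ip


def match_events(events, iocs):
    """Return one hit per (event, IOC) pair; 'ip_port' is exact, 'ip_only' is weaker."""
    by_ip = index_iocs(iocs)
    hits = []
    for ev in events:
        for side, port_field in (("DestinationIP", "DestinationPort"), ("SourceIP", "SourcePort")):
            ip = ev.get(side)
            if ip not in by_ip:
                continue
            port = ev.get(port_field)
            for ioc in by_ip[ip]:
                kind = "ip_port" if port == ioc.port else "ip_only"
                hits.append({"event": ev, "ioc": ioc, "side": side, "match": kind})
    return hits


# Constructed sample events (hypothetical, CommonSecurityLog-like field names).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-21T10:01:00Z", "SourceIP": "10.0.0.4", "SourcePort": 50211,
     "DestinationIP": "8.146.237.26", "DestinationPort": 9655, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-21T10:02:00Z", "SourceIP": "10.0.0.7", "SourcePort": 50212,
     "DestinationIP": "118.145.104.154", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-21T10:03:00Z", "SourceIP": "10.0.0.8", "SourcePort": 50213,
     "DestinationIP": "10.0.0.5", "DestinationPort": 6379, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-21T10:04:00Z", "SourceIP": "193.160.100.154", "SourcePort": 51234,
     "DestinationIP": "10.0.0.9", "DestinationPort": 22, "DeviceAction": "deny"},
]


def hunt(events=SAMPLE_EVENTS):
    """Run the IOC match over the sample events and return the hits."""
    return match_events(events, load_iocs(THREATFOX_XMRIG_IOCS))


if __name__ == "__main__":
    for hit in hunt():
        ev, ioc = hit["event"], hit["ioc"]
        print(f"{ev['TimeGenerated']} {hit['side']}={ev[hit['side']]} "
              f"matched {ioc.ip}:{ioc.port} ({ioc.threat_type}, {ioc.confidence}%) -> {hit['match']}")
```

On the sample data only the connection to 8.146.237.26:9655 is an exact ip:port hit; the 118.145.104.154:443 flow and the inbound connection from 193.160.100.154 are ip-only hits that deserve a look but carry less weight, and the internal Redis connection on port 6379 is ignored because the IP is not on the list.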
Scenario: System Maintenance Task Using XMRIG for Performance Monitoring
Description: An administrator uses XMRIG as part of a legitimate system monitoring tool to track resource usage.
Filter/Exclusion: Exclude processes associated with known system monitoring tools (e.g., nmon, sar, iostat) or filter by user root or admin and exclude known monitoring scripts.
Scenario: Scheduled Job for Log Analysis Using XMRIG
Description: A scheduled job runs a script that uses XMRIG to analyze log files for anomalies.
Filter/Exclusion: Exclude processes initiated by cron or task scheduler (e.g., cron, schtasks.exe) and filter by known log analysis tools (e.g., logrotate, splunk, graylog).
Scenario: Development Environment with XMRIG for Testing
Description: A developer uses XMRIG in a sandboxed or isolated environment to test cryptocurrency mining algorithms.
Filter/Exclusion: Exclude processes running in a virtual machine or container (e.g., docker, kvm, vbox) or filter by user accounts typically used for development (e.g., dev, test).
Scenario: IT Team Using XMRIG for Network Traffic Analysis
Description: The IT team deploys XMRIG to analyze network traffic patterns for baseline behavior.
Filter/Exclusion: Exclude processes running under the IT team’s service account and filter by network analysis tools (e.g., tcpdump, Wireshark, ntop).
Scenario: Legacy System Using XMRIG for Resource Allocation
Description: An older system uses XMRIG as part of a legacy resource allocation framework.
Filter/Exclusion: Exclude processes running on older operating systems (e.g.,