The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining activity by identifying indicators linked to the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate persistent, stealthy mining operations that could compromise system integrity and resource availability.
IOC Summary
- Malware Family: XMRIG
- Total IOCs: 2
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 193[.]160[.]101[.]210:2375 | botnet_cc | 2026-05-20 | 90% |
| ip:port | 193[.]160[.]101[.]229:2375 | botnet_cc | 2026-05-20 | 90% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
// Note: the ThreatFox IOCs are ip:port pairs (port 2375); this query matches the IP on any port.
let malicious_ips = dynamic(["193.160.101.210", "193.160.101.229"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Note: as above, the port from the IOC table is not checked here; RemotePort is projected for triage.
let malicious_ips = dynamic(["193.160.101.210", "193.160.101.229"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
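The two hunts above match on IP address alone, although the ThreatFox entries name an exact ip:port pair, and the false-positive scenarios further down this page describe process-name exclusions rather than network-level ones. The following query is an added example, not part of the ThreatFox rule or the queries above: it joins DeviceNetworkEvents against the exact ip:port pairs from the IOC table and tags, rather than drops, connections that originate from the patching and CI/CD processes named in those scenarios. The table and column names come from the Defender for Endpoint schema; the process names in `expected_processes` are assumptions taken from the scenario text and should be replaced with the tooling actually deployed in your environment.

```kql
// Added example: exact ip:port match against the ThreatFox XMRIG IOCs with
// expected-process tagging. Not part of the original rule.
let ioc_pairs = datatable(RemoteIP:string, RemotePort:int)
[
    "193.160.101.210", 2375,
    "193.160.101.229", 2375
];
// Assumed process names, drawn from the patching and DevOps pipeline scenarios on this page.
let expected_processes = dynamic([
    "jenkins.exe", "gitlab-runner", "azure-pipelines.exe",
    "yum", "apt", "wsusutil.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
// Inner join keeps only events whose RemoteIP and RemotePort both match an IOC row.
| join kind=inner (ioc_pairs) on RemoteIP, RemotePort
// Tag instead of exclude: a connection to a botnet_cc endpoint from a build or
// patch agent is still worth a look, so keep it visible but separated.
| extend ExpectedProcess = InitiatingProcessFileName in~ (expected_processes)
| summarize
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Connections = count(),
    Actions     = make_set(ActionType),
    Processes   = make_set(InitiatingProcessFileName),
    Accounts    = make_set(InitiatingProcessAccountName)
    by DeviceName, RemoteIP, RemotePort, ExpectedProcess
| order by ExpectedProcess asc, Connections desc
```

Rows with `ExpectedProcess == false` surface first and are the ones to triage immediately; rows tagged `true` can be reviewed in bulk against change records for the pipeline or patch window. The same join works for CommonSecurityLog by renaming the datatable columns to `DestinationIP` and `DestinationPort`.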
**Scenario: System Update or Patching Process**
Description: A legitimate system update or patching process may include scripts or tools that match the XMRIG IOC pattern, such as xmrig or minerd.
Filter/Exclusion: Exclude processes initiated by known update tools such as yum, apt, or wsusutil, or filter by process names associated with system patching (e.g., update.exe, patchmgr.exe).
**Scenario: Scheduled Job for Data Processing**
Description: A scheduled job running a Python or Bash script may execute commands that resemble XMRIG IOCs, such as minerd or xmrig.
Filter/Exclusion: Exclude processes whose CommandLine contains known data processing tools or scripts, or filter by scheduled task names (e.g., DataProcessingJob, ETLJob).
**Scenario: Admin Task for Log Analysis**
Description: An administrator may use a tool such as LogParser or PowerShell to analyze logs, and the resulting command lines could match XMRIG IOCs.
Filter/Exclusion: Exclude processes initiated by admin accounts with elevated privileges, or filter by command lines containing log analysis tools (e.g., LogParser.exe, or PowerShell.exe with specific -Command arguments).
**Scenario: DevOps Pipeline Execution**
Description: A CI/CD pipeline using tools such as Jenkins, GitLab CI, or Azure DevOps may run scripts that temporarily use XMRIG-related binaries during testing or deployment.
Filter/Exclusion: Exclude processes belonging to CI/CD tools (e.g., jenkins.exe, gitlab-runner, azure-pipelines.exe), or filter by environment variables that indicate a test or staging environment.
**Scenario: Security Tool or