diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py
index 90a209e1f..10a978550 100644
--- a/global_helpers/panther_iocs.py
+++ b/global_helpers/panther_iocs.py
@@ -90,77 +90,262 @@ "${::-j", # example: ${${::-j}${::-n}di:${::-l}d${::-a}p://example.com:1234/callback} }
+# Sources:
+# - https://github.com/SigmaHQ/sigma/blob/392500131d75634d8db43b2a2de9ddeb8c9f59dc/rules/network/zeek/zeek_dns_mining_pools.yml
+# - https://github.com/SigmaHQ/sigma/blob/392500131d75634d8db43b2a2de9ddeb8c9f59dc/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
+# - https://github.com/SigmaHQ/sigma/blob/392500131d75634d8db43b2a2de9ddeb8c9f59dc/rules/windows/network_connection/net_connection_win_crypto_mining_pools.yml
 CRYPTO_MINING_DOMAINS = {
- "monerohash.com",
- "do-dear.com",
- "xmrminerpro.com",
- "secumine.net",
- "xmrpool.com",
- "minexmr.org",
- "hashanywhere.com",
- "xmrget.com",
- "mininglottery.eu",
- "minergate.com",
- "moriaxmr.com",
- "multipooler.com",
- "moneropools.com",
- "xmrpool.eu",
- "coolmining.club",
- "minexmr.com",
- "xmrpool.net",
- "crypto-pool.fr",
- "xmr.pt",
- "miner.rocks",
- "walpool.com",
- "herominers.com",
- "gntl.co.uk",
- "semipool.com",
- "coinfoundry.org",
- "cryptoknight.cc",
- "fairhash.org",
- "baikalmine.com",
- "tubepool.xyz",
- "fairpool.xyz",
+ "1gh.com",
+ "abcxyz.stream",
+ "alimabi.cn",
+ "ap.luckpool.net",
 "asiapool.io",
+ "backup-pool.com",
+ "baikalmine.com",
+ "bcn.pool.minergate.com",
+ "bcn.vip.pool.minergate.com",
+ "bohemianpool.com",
+ "ca.minexmr.com",
+ "ca.monero.herominers.com",
+ "cbd.monerpool.org",
+ "cbdv2.monerpool.org",
+ "coinfoundry.org",
 "coinpoolit.webhop.me",
- "nanopool.org",
- "moneropool.com",
- "miner.center",
- "prohash.net",
- "poolto.be",
+ "coolmining.club",
+ "cryptmonero.com",
+ "crypto-pool.fr",
+ "crypto-pool.info",
+ "crypto-pools.org",
 "cryptoescrow.eu",
- "monerominers.net",
+ "cryptoknight.cc",
+ "cryptonight-hub.miningpoolhub.com",
+ "cryptonight.net",
+ "cryptonotepool.org.uk",
 "cryptonotepool.org",
- "extrmepool.org",
- "webcoin.me",
- "kippo.eu",
- "hashinvest.ws",
- "monero.farm",
- "supportxmr.com",
- "linux-repository-updates.com",
- "1gh.com",
+ "d1pool.ddns.net",
+ "d5pool.us",
+ "daili01.monerpool.org",
+ "de.minexmr.com",
+ "dl.nbminer.com",
+ "do-dear.com",
+ "donate.graef.in",
+ "donate.ssl.xmrig.com",
+ "donate.v2.xmrig.com",
+ "donate.xmrig.com",
+ "donate2.graef.in",
+ "drill.moneroworld.com",
 "dwarfpool.com",
+ "emercoin.com",
+ "emercoin.net",
+ "emergate.net",
+ "ethereumpool.co",
+ "eu.luckpool.net",
+ "eu.minerpool.pw",
+ "extremehash.com",
+ "extremepool.org",
+ "extrmepool.org",
+ "fairhash.org",
+ "fairpool.cloud",
+ "fairpool.xyz",
+ "fcn-xmr.pool.minergate.com",
+ "fee.xmrig.com",
+ "fr.minexmr.com",
+ "freeyy.me",
+ "gntl.co.uk",
 "hash-to-coins.com",
- "hashvault.pro",
- "pool-proxy.com",
+ "hashanywhere.com",
 "hashfor.cash",
- "fairpool.cloud",
+ "hashinvest.net",
+ "hashinvest.ws",
+ "hashvault.pro",
+ "hellominer.com",
+ "herominers.com",
+ "huadong1-aeon.ppxxmr.com",
+ "iwanttoearn.money",
+ "jw-js1.ppxxmr.com",
+ "kippo.eu",
+ "koto-pool.work",
+ "lhr.nbminer.com",
+ "lhr3.nbminer.com",
+ "linux-repository-updates.com",
+ "linux.monerpool.org",
 "litecoinpool.org",
+ "lokiturtle.herominers.com",
+ "luckpool.net",
+ "masari.miner.rocks",
+ "mine.c3pool.com",
+ "mine.moneropool.com",
+ "mine.ppxxmr.com",
+ "mine.zpool.ca",
+ "mine1.ppxxmr.com",
+ "minemonero.gq",
+ "miner.center",
+ "miner.ppxxmr.com",
+ "miner.rocks",
+ "minercircle.com",
+ "minergate.com",
+ "minerpool.pw",
+ "minerrocks.com",
+ "miners.pro",
+ "minerxmr.ru",
 "mineshaft.ml",
- "abcxyz.stream",
- "moneropool.ru",
- "cryptonotepool.org.uk",
- "extremepool.org",
- "extremehash.com",
- "hashinvest.net",
- "unipool.pro",
- "crypto-pools.org",
+ "minexmr.cn",
+ "minexmr.com",
+ "minexmr.org",
+ "mining-help.ru",
+ "mininglottery.eu",
+ "miningpoolhub.com",
+ "mixpools.org",
+ "moner.monerpool.org",
+ "moner1min.monerpool.org",
+ "monero-master.crypto-pool.fr",
+ "monero.crypto-pool.fr",
+ "monero.farm",
+ "monero.hashvault.pro",
+ "monero.herominers.com",
+ "monero.lindon-pool.win",
+ "monero.miners.pro",
 "monero.net",
- "backup-pool.com",
+ "monero.riefly.id",
+ "monero.us.to",
+ "monerocean.stream",
+ "monerogb.com",
+ "monerohash.com",
+ "monerominers.net",
+ "moneroocean.stream",
+ "moneropool.com",
+ "moneropool.nl",
+ "moneropool.ru",
+ "moneropools.com",
+ "monerorx.com",
+ "monerpool.org",
 "mooo.com",
- "freeyy.me",
- "cryptonight.net",
+ "moriaxmr.com",
+ "mro.pool.minergate.com",
+ "multipool.us",
+ "multipooler.com",
+ "myxmr.pw",
+ "na.luckpool.net",
+ "nanopool.org",
+ "nbminer.com",
+ "node3.luckpool.net",
+ "noobxmr.com",
+ "pangolinminer.comgandalph3000.com",
+ "pool-proxy.com",
+ "pool.4i7i.com",
+ "pool.armornetwork.org",
+ "pool.cortins.tk",
+ "pool.gntl.co.uk",
+ "pool.hashvault.pro",
+ "pool.minergate.com",
+ "pool.minexmr.com",
+ "pool.monero.hashvault.pro",
+ "pool.ppxxmr.com",
+ "pool.somec.cc",
+ "pool.support",
+ "pool.supportxmr.com",
+ "pool.usa-138.com",
+ "pool.xmr.pt",
+ "pool.xmrfast.com",
+ "pool2.armornetwork.org",
+ "poolchange.ppxxmr.com",
+ "pooldd.com",
+ "poolmining.org",
+ "poolto.be",
+ "ppxvip1.ppxxmr.com",
+ "ppxxmr.com",
+ "prohash.net",
+ "r.twotouchauthentication.online",
+ "randomx.xmrig.com",
+ "ratchetmining.com",
+ "secumine.net",
+ "seed.emercoin.com",
+ "seed.emercoin.net",
+ "seed.emergate.net",
+ "seed1.joulecoin.org",
+ "seed2.joulecoin.org",
+ "seed3.joulecoin.org",
+ "seed4.joulecoin.org",
+ "seed5.joulecoin.org",
+ "seed6.joulecoin.org",
+ "seed7.joulecoin.org",
+ "seed8.joulecoin.org",
+ "semipool.com",
+ "sg.minexmr.com",
+ "sheepman.mine.bz",
 "shscrypto.net",
+ "siamining.com",
+ "sumokoin.minerrocks.com",
+ "supportxmr.com",
+ "suprnova.cc",
+ "teracycle.net",
+ "trtl.cnpool.cc",
+ "trtl.pool.mine2gether.com",
+ "tubepool.xyz",
+ "turtle.miner.rocks",
+ "unipool.pro",
+ "us-west.minexmr.com",
+ "usxmrpool.com",
+ "viaxmr.com",
+ "walpool.com",
+ "webcoin.me",
+ "webservicepag.webhop.net",
+ "xiazai.monerpool.org",
+ "xiazai1.monerpool.org",
+ "xmc.pool.minergate.com",
+ "xmo.pool.minergate.com",
+ "xmr-asia1.nanopool.org",
+ "xmr-au1.nanopool.org",
+ "xmr-eu1.nanopool.org",
+ "xmr-eu2.nanopool.org",
+ "xmr-jp1.nanopool.org",
+ "xmr-us-east1.nanopool.org",
+ "xmr-us-west1.nanopool.org",
+ "xmr-us.suprnova.cc",
+ "xmr-usa.dwarfpool.com",
+ "xmr.2miners.com",
+ "xmr.5b6b7b.ru",
+ "xmr.alimabi.cn",
+ "xmr.bohemianpool.com",
+ "xmr.crypto-pool.fr",
+ "xmr.crypto-pool.info",
+ "xmr.f2pool.com",
+ "xmr.hashcity.org",
+ "xmr.hex7e4.ru",
+ "xmr.ip28.net",
+ "xmr.monerpool.org",
+ "xmr.mypool.online",
+ "xmr.nanopool.org",
+ "xmr.pool.gntl.co.uk",
+ "xmr.pool.minergate.com",
+ "xmr.poolto.be",
+ "xmr.ppxxmr.com",
+ "xmr.prohash.net",
+ "xmr.pt",
+ "xmr.simka.pw",
+ "xmr.somec.cc",
+ "xmr.suprnova.cc",
+ "xmr.usa-138.com",
+ "xmr.vip.pool.minergate.com",
+ "xmr1min.monerpool.org",
+ "xmrf.520fjh.org",
+ "xmrf.fjhan.club",
+ "xmrfast.com",
+ "xmrget.com",
+ "xmrigcc.graef.in",
+ "xmrminer.cc",
+ "xmrminerpro.com",
+ "xmrpool.com",
+ "xmrpool.de",
+ "xmrpool.eu",
+ "xmrpool.me",
+ "xmrpool.net",
+ "xmrpool.xyz",
+ "xx11m.monerpool.org",
+ "xx11mv2.monerpool.org",
+ "xxx.hex7e4.ru",
+ "zarabotaibitok.ru",
+ "zer0day.ru",
 }
diff --git a/rules/aws_vpc_flow_rules/aws_dns_crypto_domain.yml b/rules/aws_vpc_flow_rules/aws_dns_crypto_domain.yml
index 5217f0c5a..1d9c9ce51 100644
--- a/rules/aws_vpc_flow_rules/aws_dns_crypto_domain.yml
+++ b/rules/aws_vpc_flow_rules/aws_dns_crypto_domain.yml
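Review bot: The new entry `"pangolinminer.comgandalph3000.com"` looks like two hostnames fused into one (`pangolinminer.com` and `gandalph3000.com`); as written it can never match a real query name, so it silently drops both indicators. Please verify against the cited Sigma sources and split it into `"pangolinminer.com",` and `"gandalph3000.com",` if that is what they list. Separately, many added hosts are labels under a domain that is also in the set (for example `xmr.nanopool.org` next to `nanopool.org`, `pool.minexmr.com` next to `minexmr.com`); if the consuming rule matches by parent-domain suffix, as the existing "Subdomain" test names suggest, those entries are redundant and only enlarge the set, so a short comment above `CRYPTO_MINING_DOMAINS` stating whether the set is matched exactly or by suffix would tell future contributors which form to add.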
@@ -134,6 +134,48 @@ Tests:
 version: "1.100000"
 vpc_id: vpc-abc123
 Name: Crypto Query Subdomain Trailing Period
+ - ExpectedResult: true
+ Log:
+ account_id: "0123456789"
+ answers:
+ - Class: IN
+ Rdata: 1.2.3.4
+ Type: A
+ query_class: IN
+ query_name: webservicepag.webhop.net
+ query_timestamp: "2022-06-25 00:27:53"
+ query_type: A
+ rcode: NOERROR
+ region: us-west-2
+ srcaddr: 5.6.7.8
+ srcids:
+ instance: i-0abc234
+ srcport: "8888"
+ transport: UDP
+ version: "1.100000"
+ vpc_id: vpc-abc123
+ Name: Checking Against Subdomain IOC
+ - ExpectedResult: true
+ Log:
+ account_id: "0123456789"
+ answers:
+ - Class: IN
+ Rdata: 1.2.3.4
+ Type: A
+ query_class: IN
+ query_name: webservicepag.webhop.net.
+ query_timestamp: "2022-06-25 00:27:53"
+ query_type: A
+ rcode: NOERROR
+ region: us-west-2
+ srcaddr: 5.6.7.8
+ srcids:
+ instance: i-0abc234
+ srcport: "8888"
+ transport: UDP
+ version: "1.100000"
+ vpc_id: vpc-abc123
+ Name: Checking Against Subdomain IOC Trailing Period
 DedupPeriodMinutes: 60
 LogTypes:
 - AWS.VPCDns
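Review bot: Both new cases query the IOC string itself, `webservicepag.webhop.net` (with and without the trailing period), so the name "Checking Against Subdomain IOC" overstates what is exercised: neither case sends a label below the listed host, and neither shows that the parent `webhop.net` is not matched on its own. If the rule is meant to hit on hosts under a listed domain, add a case with `query_name: foo.webservicepag.webhop.net` and `ExpectedResult: true`; in any event add a negative case with `ExpectedResult: false` for a name that merely ends in the same characters (for example `xwebservicepag.webhop.net`) so the label boundary is pinned and a suffix comparison cannot regress into a substring one. The rule body that performs the match is outside this hunk, so the intended semantics cannot be confirmed from the diff alone.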