The ThreatFox "Unknown malware IOCs" rule flags network connections to indicators that ThreatFox has reported as command-and-control infrastructure of a malware family that has not yet been classified. Because the family is unknown, signature-based controls may not recognise the malware itself, so SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and contain previously unseen malware that evades traditional detection methods.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]133[.]149[.]36:18080 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 207[.]56[.]2[.]25:7443 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 175[.]27[.]164[.]136:7443 | botnet_cc | 2026-05-10 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
// Note: the IOCs are ip:port pairs; this query matches on IP alone (broader),
// so check DestinationPort in the results against the ports listed above
let malicious_ips = dynamic(["43.133.149.36", "175.27.164.136", "207.56.2.25"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// RemotePort is projected so outbound hits can be compared with the IOC ports
let malicious_ips = dynamic(["43.133.149.36", "175.27.164.136", "207.56.2.25"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
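The KQL above matches on IP address only, while the ThreatFox indicators are ip:port pairs. The following Python script is an added example (not part of the original rule page or of ThreatFox) showing how a hunter can refang the defanged IOC values from the table, index them as (ip, port) pairs, and run them over exported connection records, distinguishing an exact ip:port hit from an IP-only hit that needs port-level review. The record fields mirror the CommonSecurityLog columns projected above; the event records themselves are constructed sample data.

```python
from __future__ import annotations

from ipaddress import ip_address

# IOC values as published in the table above, in their defanged ip:port form
THREATFOX_IOCS = [
    "43[.]133[.]149[.]36:18080",
    "207[.]56[.]2[.]25:7443",
    "175[.]27[.]164[.]136:7443",
]


def refang(value: str) -> str:
    """Turn the defanged '[.]' notation back into a plain dotted IP string."""
    return value.replace("[.]", ".")


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split an ip:port IOC into (ip, port); raises ValueError on malformed input."""
    ip, sep, port = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"IOC is not in ip:port form: {ioc!r}")
    ip_address(ip)  # validates the address (raises ValueError if it is not an IP)
    return ip, int(port)


def build_index(iocs: list[str]) -> tuple[set[tuple[str, int]], set[str]]:
    """Return the set of (ip, port) pairs and the set of bare IPs for fast lookup."""
    pairs = {parse_ip_port(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    return pairs, ips


# Constructed sample records shaped like the CommonSecurityLog columns used in the hunt
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-11T08:02:10Z", "SourceIP": "10.1.4.22",
     "DestinationIP": "43.133.149.36", "DestinationPort": 18080},   # exact ip:port hit
    {"TimeGenerated": "2026-05-11T08:05:44Z", "SourceIP": "10.1.4.23",
     "DestinationIP": "207.56.2.25", "DestinationPort": 443},       # IP hit, port differs
    {"TimeGenerated": "2026-05-11T08:06:01Z", "SourceIP": "10.1.4.24",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53},            # benign, no hit
    {"TimeGenerated": "2026-05-11T08:07:30Z", "SourceIP": "175.27.164.136",
     "DestinationIP": "10.1.4.25", "DestinationPort": 51200},       # inbound from IOC IP
]


def classify(event: dict, pairs: set[tuple[str, int]], ips: set[str]) -> str | None:
    """'exact' for a destination ip:port match, 'ip_only' for an IP match on
    either side (port unknown or different), None for no match."""
    if (event["DestinationIP"], event["DestinationPort"]) in pairs:
        return "exact"
    if event["DestinationIP"] in ips or event["SourceIP"] in ips:
        return "ip_only"
    return None


def hunt(events: list[dict], iocs: list[str] = THREATFOX_IOCS) -> list[tuple]:
    """Return (time, src, dst, dport, match_kind) for every record that hits an IOC,
    preserving the order of the input records."""
    pairs, ips = build_index(iocs)
    hits = []
    for e in events:
        kind = classify(e, pairs, ips)
        if kind:
            hits.append((e["TimeGenerated"], e["SourceIP"],
                         e["DestinationIP"], e["DestinationPort"], kind))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit)
```

Exact hits are the highest-fidelity findings; IP-only hits still deserve triage because botnet C2 infrastructure is frequently reused on other ports, but they are the ones most likely to be explained by the false-positive scenarios below.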
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known internal repository.
Filter/Exclusion: Exclude any IOCs that match internal IP ranges or domains used by the company’s internal software update servers.
Scenario: A Windows Task Scheduler job is configured to execute a script that uses WMI to query system performance metrics.
Filter/Exclusion: Exclude any IOCs related to WMI queries or system performance monitoring tools like Performance Monitor or Task Scheduler tasks.
Scenario: A Syslog server is configured to collect logs from multiple devices and uses NetFlow to aggregate traffic data.
Filter/Exclusion: Exclude IOCs associated with network monitoring tools like SolarWinds Network Performance Monitor or PRTG Network Monitor.
Scenario: A backup job using Veeam Backup & Replication is configured to transfer data over SMB to a remote storage device.
Filter/Exclusion: Exclude IOCs related to backup tools or SMB traffic to known backup servers within the enterprise.
Scenario: A DevOps pipeline using Jenkins is configured to pull code from a GitLab repository and execute build scripts.
Filter/Exclusion: Exclude IOCs associated with CI/CD tools like Jenkins, GitLab, or GitHub Actions.