The ThreatFox: Tofsee IOCs rule detects potential adversary activity linked to the Tofsee threat group, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises from advanced persistent threats.
IOC Summary
Malware Family: Tofsee
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 217[.]60[.]241[.]8:426 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 217[.]60[.]241[.]8:428 | botnet_cc | 2026-05-08 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Tofsee
// Note: the IOCs above are ip:port pairs (ports 426 and 428); this query matches on IP only,
// so add a DestinationPort filter if you want to narrow results to the published C2 ports.
let malicious_ips = dynamic(["217.60.241.8"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Tofsee (same IP as above; RemotePort is projected so the C2 ports can be checked)
let malicious_ips = dynamic(["217.60.241.8"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
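The queries above match on the IP alone and discard the port half of each ip:port IOC. The following helper, added here as an example and not part of the ThreatFox feed or the Sentinel rule, refangs the defanged values from the table, validates them, and emits port-aware versions of both queries. The sample IOC list is the two entries above; the column names are the Sentinel schema columns already used in the queries.

```python
import re
from collections import defaultdict

# Constructed sample: the two ThreatFox Tofsee IOCs from the table above, defanged as published.
TOFSEE_IOCS = [
    ("ip:port", "217[.]60[.]241[.]8:426"),
    ("ip:port", "217[.]60[.]241[.]8:428"),
]

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")
_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def refang(value: str) -> str:
    """Turn a defanged indicator ('217[.]60[.]241[.]8') back into a raw one."""
    return _DEFANG.sub(".", value).replace("hxxp", "http")


def parse_ip_port_iocs(iocs):
    """Group validated ip:port IOCs as {ip: sorted ports}; malformed or non-ip:port entries are skipped."""
    by_ip = defaultdict(set)
    for ioc_type, raw in iocs:
        if ioc_type != "ip:port":
            continue
        m = _IP_PORT.match(refang(raw.strip()))
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        if all(0 <= int(o) <= 255 for o in ip.split(".")) and 1 <= port <= 65535:
            by_ip[ip].add(port)
    return {ip: sorted(ports) for ip, ports in by_ip.items()}


def kql_predicate(by_ip, ip_col, port_col):
    """Build a KQL where-clause requiring IP AND port to match, one disjunct per C2 address."""
    clauses = []
    for ip, ports in sorted(by_ip.items()):
        port_list = ", ".join(str(p) for p in ports)
        clauses.append(f'({ip_col} == "{ip}" and {port_col} in ({port_list}))')
    return " or ".join(clauses)


def build_hunting_queries(iocs):
    """Return port-aware Sentinel hunting queries for CommonSecurityLog and DeviceNetworkEvents."""
    by_ip = parse_ip_port_iocs(iocs)
    csl = kql_predicate(by_ip, "DestinationIP", "DestinationPort")
    dne = kql_predicate(by_ip, "RemoteIP", "RemotePort")
    return {
        "CommonSecurityLog": f"CommonSecurityLog\n| where {csl}\n| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity\n| order by TimeGenerated desc",
        "DeviceNetworkEvents": f"DeviceNetworkEvents\n| where {dne}\n| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n| order by Timestamp desc",
    }
```

Feed the feed's full IOC list into build_hunting_queries and paste each value into the matching Sentinel hunting query; an IP-only hit on another port is still worth a look, but the port-aware form keeps the alert volume tied to the published C2 listeners.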
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using Tofsee IOC
Description: A scheduled job runs a script that uses a Tofsee IOC (e.g., tofsee.sh) as part of a routine system check or log analysis.
Filter/Exclusion: process.name != "tofsee.sh" OR process.parent.name in ("cron", "systemd")

Scenario: Admin using Tofsee for threat intelligence lookup
Description: A security admin manually queries Tofsee to check whether an IP or domain is flagged as malicious.
Filter/Exclusion: user.name != "security_admin" OR process.name != "tofsee.sh"

Scenario: Integration with SIEM tool using Tofsee IOC
Description: A SIEM tool (e.g., Splunk, ELK) uses the Tofsee IOC as part of a data enrichment process.
Filter/Exclusion: process.name not in ("splunkd", "logstash", "elasticsearch") OR process.parent.name == "siem_integration"

Scenario: Automated compliance check using Tofsee IOC
Description: A compliance tool runs a script that uses Tofsee to verify whether certain assets are flagged.
Filter/Exclusion: process.name != "compliance_checker.sh" OR process.parent.name in ("jenkins", "ansible")

Scenario: Legitimate system update using Tofsee IOC
Description: A system update or patching tool uses the Tofsee IOC to validate the integrity of a package.
Filter/Exclusion: process.name != "patching_tool.sh" OR process.parent.name in ("yum", "apt", "dnf")