The ThreatFox: Tofsee IOCs rule flags network connections to command-and-control (botnet_cc) addresses that abuse.ch ThreatFox has published for the Tofsee malware family, a long-running spam and proxy botnet. Because the indicators are ip:port pairs, a hit means a host on your network talked to a known Tofsee controller. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to find infected hosts and block the C2 traffic before the bots are put to work.
IOC Summary
Malware Family: Tofsee
Total IOCs: 4 (two IP addresses, each listening on ports 421 and 430)
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 217[.]60[.]241[.]17:421 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 217[.]60[.]241[.]17:430 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 83[.]142[.]209[.]228:421 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 83[.]142[.]209[.]228:430 | botnet_cc | 2026-05-18 | 75% |
```kusto
// Hunt for network connections to known Tofsee C2 ip:port pairs in CEF/syslog data
// Source: ThreatFox - Tofsee
// The IOCs are ip:port pairs, so the destination match includes the port; drop the
// port condition to widen the hunt to any traffic with the two addresses.
let malicious_ips = dynamic(["217.60.241.17", "83.142.209.228"]);
let malicious_ports = dynamic([421, 430]);
CommonSecurityLog
| where (DestinationIP in (malicious_ips) and DestinationPort in (malicious_ports))
    or SourceIP in (malicious_ips)   // inbound from a listed address, any port
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, SourcePort,
          DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Tofsee
// The initiating process, command line and account are projected so a hit can be
// triaged against the false-positive scenarios below without a second query.
let malicious_ips = dynamic(["217.60.241.17", "83.142.209.228"]);
let malicious_ports = dynamic([421, 430]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips) and RemotePort in (malicious_ports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | CEF-formatted firewall and proxy logs; ensure the Common Event Format data connector is enabled |
| DeviceNetworkEvents | Microsoft Defender for Endpoint network telemetry; ensure the Microsoft Defender XDR data connector is enabled |
False Positive Scenarios
The rule keys only on destination IP and port, so a legitimate process can trigger it only by actually connecting to one of the listed ip:port pairs; it never matches on file paths or command-line arguments. Treat a hit as suspicious until the connection is explained, and exclude a process only after confirming the traffic is benign (for example, the address also hosts a service you legitimately use). The exclusions below are written as extra `| where` lines for the DeviceNetworkEvents query. Note that a filter of the form process != "a" OR process != "b" is always true and excludes nothing; several names must be combined with `!in~` (case-insensitive) or the conditions joined with AND.
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A scheduled Veeam backup job generates bulk traffic to backup repositories and hypervisor hosts; it matches this rule only if one of those endpoints sits at a listed ip:port.
Filter/Exclusion: | where InitiatingProcessFileName !in~ ("vbm.exe", "vpxa.exe")
Scenario: Windows Task Scheduler Running Admin Tasks
Description: An administrative task launched by Task Scheduler may make outbound connections. schtasks.exe only registers the task; the scheduled program is what connects, so the exclusion should name the process that actually appears in InitiatingProcessFileName.
Filter/Exclusion: | where InitiatingProcessFileName !in~ ("schtasks.exe", "taskhost.exe")
Scenario: Log Collection via Splunk Forwarder
Description: A Splunk Universal Forwarder sends collected logs to its indexers, by default on TCP 9997. Because the rule's ports are 421 and 430, forwarder traffic cannot match unless the port condition is removed from the query; the exclusion suppresses only forwarder traffic on 9997, not any other connection the process makes.
Filter/Exclusion: | where not(InitiatingProcessFileName =~ "splunkforwarder.exe" and RemotePort == 9997)
Scenario: PowerShell Script for System Monitoring Using PerfMon
Description: A PowerShell script that polls performance counters on remote hosts with Get-Counter connects to those hosts; it matches only if a monitored host is at a listed ip:port.
Filter/Exclusion: | where not(InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessCommandLine has "Get-Counter")
Scenario: Database Maintenance Job Using SQL Server Agent
Description: A SQL Server Agent job (index rebuilds, backups to a network share) generates network activity from the SQL Server and Agent processes; it matches only if a destination is a listed ip:port.
Filter/Exclusion: | where InitiatingProcessFileName !in~ ("sqlservr.exe", "sqlagent.exe")
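The matching and exclusion logic above, replayed in Python over constructed sample events so it can be checked offline. This is an added example, not code from the page or from ThreatFox: the record fields remote_ip, remote_port and process stand in for the DeviceNetworkEvents columns RemoteIP, RemotePort and InitiatingProcessFileName, the events are constructed rather than real telemetry, and kql_lets only emits the two `let` lines the queries start with. It shows why matching the full ip:port pair is tighter than the IP alone and why an exclusion written as process != "a" OR process != "b" excludes nothing.

```python
"""Replay the Tofsee ip:port hunt and the exclusion logic over sample events.

Added example: the field names mirror DeviceNetworkEvents columns, but the
events are constructed for illustration and are not real telemetry.
"""
from dataclasses import dataclass

# The four ip:port IOCs from the ThreatFox table, in the defanged form shown on the page.
IOCS = [
    "217[.]60[.]241[.]17:421",
    "217[.]60[.]241[.]17:430",
    "83[.]142[.]209[.]228:421",
    "83[.]142[.]209[.]228:430",
]


def parse_iocs(iocs):
    """Refang '[.]' and split each 'ip:port' string into a set of (ip, port) pairs."""
    pairs = set()
    for ioc in iocs:
        ip, sep, port = ioc.replace("[.]", ".").rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"not an ip:port IOC: {ioc!r}")
        pairs.add((ip, int(port)))
    return pairs


def kql_lets(pairs):
    """Emit the two `let` lines that the Sentinel hunt queries start with."""
    ips = sorted({ip for ip, _ in pairs})
    ports = sorted({port for _, port in pairs})
    ip_list = ", ".join(f'"{ip}"' for ip in ips)
    port_list = ", ".join(str(p) for p in ports)
    return (f"let malicious_ips = dynamic([{ip_list}]);\n"
            f"let malicious_ports = dynamic([{port_list}]);")


@dataclass(frozen=True)
class NetEvent:
    """Stand-in for one DeviceNetworkEvents row (constructed, not real)."""
    device: str
    remote_ip: str      # RemoteIP
    remote_port: int    # RemotePort
    process: str        # InitiatingProcessFileName


# Constructed sample telemetry covering the interesting cases.
EVENTS = [
    NetEvent("ws01", "217.60.241.17", 421, "svchost.exe"),           # listed ip:port
    NetEvent("ws02", "83.142.209.228", 80, "chrome.exe"),             # listed IP, unlisted port
    NetEvent("bk01", "217.60.241.17", 430, "vbm.exe"),                # listed ip:port, backup process
    NetEvent("ws03", "10.0.0.5", 421, "svchost.exe"),                  # listed port, unlisted IP
    NetEvent("lg01", "83.142.209.228", 9997, "splunkforwarder.exe"),   # listed IP, forwarder port
]


def hunt(events, pairs, match_port=True):
    """Return events that hit an IOC; match_port=False is the IP-only form."""
    ips = {ip for ip, _ in pairs}
    if match_port:
        return [e for e in events if (e.remote_ip, e.remote_port) in pairs]
    return [e for e in events if e.remote_ip in ips]


def exclude_buggy(hits, names):
    """The `process != a OR process != b` form: true for every row once two
    names are given, so nothing is excluded."""
    return [h for h in hits if any(h.process.lower() != n.lower() for n in names)]


def exclude(hits, names):
    """Equivalent of `| where InitiatingProcessFileName !in~ (names)`."""
    excluded = {n.lower() for n in names}
    return [h for h in hits if h.process.lower() not in excluded]


if __name__ == "__main__":
    pairs = parse_iocs(IOCS)
    print(kql_lets(pairs))
    for e in hunt(EVENTS, pairs):
        print("HIT", e.device, f"{e.remote_ip}:{e.remote_port}", e.process)
    print("IP-only hits:", [e.device for e in hunt(EVENTS, pairs, match_port=False)])
    veeam = ["vbm.exe", "vpxa.exe"]
    print("buggy exclusion keeps:", [e.device for e in exclude_buggy(hunt(EVENTS, pairs), veeam)])
    print("correct exclusion keeps:", [e.device for e in exclude(hunt(EVENTS, pairs), veeam)])
```

Run as a script it prints two ip:port hits (ws01 and bk01), four IP-only hits that also pull in the port-80 browser and port-9997 forwarder traffic, and then shows that the OR-form exclusion keeps both hits while the `!in~` form correctly drops the Veeam process.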