The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise critical systems.
IOC Summary
Malware Family: VShell
Total IOCs: 82
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 39[.]104[.]25[.]196:38664 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]6[.]250:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]6[.]240:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]0[.]234:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]0[.]233:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]6[.]236:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]6[.]234:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]0[.]230:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]6[.]233:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]0[.]229:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]6[.]231:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 124[.]70[.]215[.]164:80 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]6[.]227:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]6[.]226:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]5[.]253:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]6[.]229:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]6[.]228:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]5[.]247:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]5[.]245:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]5[.]246:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]5[.]243:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]5[.]242:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]5[.]240:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]5[.]239:8884 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 206[.]119[.]5[.]233:8884 | botnet_cc | 2026-05-17 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: the ThreatFox indicators are ip:port pairs, but this query matches on the
// IP address alone, so it will also surface traffic to these hosts on other ports.
let malicious_ips = dynamic(["206.119.4.234", "38.14.248.161", "206.119.3.226", "206.119.4.250", "206.119.6.227", "8.148.181.158", "206.119.6.226", "88.216.208.91", "206.119.0.230", "206.119.2.226", "206.119.0.229", "206.119.7.229", "39.105.163.147", "206.119.4.252", "206.119.5.232", "206.119.2.245", "206.119.3.233", "206.119.4.237", "206.119.4.254", "206.119.4.232", "206.119.3.249", "206.119.3.246", "206.119.6.245", "206.119.4.238", "206.119.4.249", "124.70.215.164", "206.119.3.231", "206.119.5.247", "206.119.5.239", "206.119.3.230", "206.119.2.235", "106.75.252.66", "206.119.3.243", "206.119.3.235", "206.119.5.236", "206.119.5.243", "206.119.5.240", "206.119.5.230", "39.104.25.196", "206.119.5.234", "206.119.3.252", "206.119.1.240", "206.119.6.234", "23.94.133.100", "206.119.4.251", "206.119.4.226", "206.119.6.229", "206.119.2.250", "206.119.5.237", "206.119.0.233"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Note: as above, this matches on RemoteIP only and ignores the port component of the IOC.
let malicious_ips = dynamic(["206.119.4.234", "38.14.248.161", "206.119.3.226", "206.119.4.250", "206.119.6.227", "8.148.181.158", "206.119.6.226", "88.216.208.91", "206.119.0.230", "206.119.2.226", "206.119.0.229", "206.119.7.229", "39.105.163.147", "206.119.4.252", "206.119.5.232", "206.119.2.245", "206.119.3.233", "206.119.4.237", "206.119.4.254", "206.119.4.232", "206.119.3.249", "206.119.3.246", "206.119.6.245", "206.119.4.238", "206.119.4.249", "124.70.215.164", "206.119.3.231", "206.119.5.247", "206.119.5.239", "206.119.3.230", "206.119.2.235", "106.75.252.66", "206.119.3.243", "206.119.3.235", "206.119.5.236", "206.119.5.243", "206.119.5.240", "206.119.5.230", "39.104.25.196", "206.119.5.234", "206.119.3.252", "206.119.1.240", "206.119.6.234", "23.94.133.100", "206.119.4.251", "206.119.4.226", "206.119.6.229", "206.119.2.250", "206.119.5.237", "206.119.0.233"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
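Because the ThreatFox indicators are ip:port pairs, a hunt that keys on the IP alone will also fire on unrelated traffic to those hosts. The following query is an added example (not part of the ThreatFox page or the queries above) that matches the IP and port together, across both tables, and rolls the hits up per device. The `vshell_c2` datatable is built from the first rows of the IOC table above with the `[.]` defanging removed; the remaining rows would be appended the same way, and the 30-day lookback is an arbitrary choice.

```kql
// Added example: match the ip:port pairs as pairs, not the IP alone.
let lookback = 30d;
// Constructed from the first rows of the IOC table above (refanged);
// append the remaining ip:port rows before use.
let vshell_c2 = datatable(RemoteIP:string, RemotePort:int)
[
    "39.104.25.196", 38664,
    "206.119.6.250", 8884,
    "206.119.6.240", 8884,
    "206.119.0.234", 8884,
    "206.119.0.233", 8884,
    "124.70.215.164", 80
];
// Endpoint-side connections from Defender for Endpoint.
let endpoint_conns = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("ConnectionSuccess", "ConnectionFailed", "ConnectionRequest")
    | project Timestamp, Source = "DeviceNetworkEvents", DeviceName, RemoteIP, RemotePort,
              Process = InitiatingProcessFileName, Action = ActionType;
// Perimeter-side connections from CEF sources; columns renamed to the same shape
// so both tables can be joined against the IOC list in one pass.
let perimeter_conns = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | project Timestamp = TimeGenerated, Source = "CommonSecurityLog", DeviceName = Computer,
              RemoteIP = DestinationIP, RemotePort = DestinationPort, Process = "", Action = DeviceAction;
union endpoint_conns, perimeter_conns
// Inner join on both key columns: only exact ip:port matches survive.
| join kind=inner vshell_c2 on RemoteIP, RemotePort
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            Processes = make_set(Process, 10), Actions = make_set(Action, 5)
    by Source, DeviceName, RemoteIP, RemotePort
| order by LastSeen desc
```

The per-device summary, with the set of initiating processes, gives the triage context needed to separate a real beacon from one of the benign scenarios listed below: a backup agent or log forwarder reaching a listed host on a listed port is still a hit, but it shows up as a named process on one device rather than an unexplained connection from many.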
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled job runs a script that interacts with the network, triggering an IOC match due to standard network communication.
Filter/Exclusion: Exclude tasks associated with schtasks.exe or Task Scheduler with known maintenance scripts (e.g., C:\Windows\System32\maintenance.bat).
Scenario: Admin Access via VShell for Remote Management
Description: A system administrator uses VShell to securely access a remote server, which may generate network traffic matching the IOC signature.
Filter/Exclusion: Exclude connections originating from known admin IPs or using credentials from the Local Admin group (e.g., [email protected] with Administrators group membership).
Scenario: Log Collection via VShell
Description: A log aggregation tool like Splunk or ELK uses VShell to transfer logs between servers, which may trigger an IOC due to standard file transfer patterns.
Filter/Exclusion: Exclude traffic involving known log collection tools (e.g., splunkforwarder, logstash) or specific log directories (e.g., C:\Logs\).
Scenario: Software Update via VShell
Description: A legitimate software update process uses VShell to transfer patches or updates to multiple endpoints, which may match the IOC signature.
Filter/Exclusion: Exclude traffic associated with known update tools (e.g., Windows Update, WSUS, Microsoft Endpoint Manager) or specific update directories (e.g., C:\Windows\SoftwareUpdate\).
Scenario: Database Backup via VShell
Description: A database backup process uses VShell to transfer large datasets between servers, which may trigger an IOC due to high-volume network activity.
Filter/Exclusion: Exclude traffic involving known