The ThreatFox: VShell IOCs rule detects activity associated with the VShell malware, a remote-access backdoor known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain intrusions before they compromise network integrity and data confidentiality. The indicators below are defanged (hxxp, [.]) in the summary table and refanged in the queries, so copy values from the queries, not the table, when building watchlists.
IOC Summary
Malware Family: VShell
Total IOCs: 3
IOC Types: sha256_hash, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 7d7948005af45b2fbc59a20c266ffd70f584d0fba1a28e048bd9994ad9353bdb | payload | 2026-05-10 | 90% |
| url | hxxp://43[.]142[.]51[.]69:8002 | botnet_cc | 2026-05-10 | 90% |
| ip:port | 43[.]142[.]51[.]69:443 | botnet_cc | 2026-05-10 | 90% |
Hunting Queries

```kusto
// Hunt for network connections to known malicious IPs (CEF/syslog sources)
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["43.142.51.69"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell
// The bare IP is matched on any port: ThreatFox lists the C2 on 443 and 8002,
// but the same host may be contacted on other ports.
let malicious_ips = dynamic(["43.142.51.69"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - VShell
// Caveat: UrlClickEvents only records Safe Links clicks from mail and Teams.
// Beaconing from an implant does not appear here, so treat this as a check for
// user-driven access to the C2 URL and rely on the network hunts above for C2 traffic.
let malicious_urls = dynamic(["http://43.142.51.69:8002"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - VShell
// Every hash ThreatFox reports for this family is SHA-256, so only that column is
// compared; in~ makes the match case-insensitive in case the list is pasted in upper case.
let malicious_hashes = dynamic(["7d7948005af45b2fbc59a20c266ffd70f584d0fba1a28e048bd9994ad9353bdb"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
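The queries above hard-code refanged values that were typed by hand from the defanged ThreatFox table. The script below is an added example for this page (not ThreatFox or Microsoft code) that does that step mechanically: it refangs the rows from the table, derives a bare-IP list from the url and ip:port indicators so the network hunts catch the C2 host on any port, renders the KQL `let` lines the queries start with, and applies the same matching logic to a few constructed DeviceNetworkEvents/DeviceFileEvents-shaped records. The IOC rows are copied from the table above; the sample events and the list names are constructed for illustration.

```python
"""Turn the defanged ThreatFox IOC rows from the table above into refanged
values and the KQL `let` lists the hunting queries use, then run the same
matching logic over constructed sample events.

Added example for this page; not code from ThreatFox or Microsoft.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# IOC rows copied from the table above, still defanged
THREATFOX_IOCS = [
    ("sha256_hash", "7d7948005af45b2fbc59a20c266ffd70f584d0fba1a28e048bd9994ad9353bdb"),
    ("url", "hxxp://43[.]142[.]51[.]69:8002"),
    ("ip:port", "43[.]142[.]51[.]69:443"),
]

# Constructed sample events shaped like DeviceNetworkEvents / DeviceFileEvents rows
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "43.142.51.69", "RemotePort": 443},
    {"DeviceName": "ws02", "RemoteIP": "43.142.51.69", "RemotePort": 9000},
    {"DeviceName": "ws03", "RemoteIP": "8.8.8.8", "RemotePort": 443},
    {"DeviceName": "srv01", "SHA256": "7D7948005AF45B2FBC59A20C266FFD70F584D0FBA1A28E048BD9994AD9353BDB"},
]


def refang(value: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [.] and (.) -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def _add_host(sets, host):
    """IP literals go to the ip set, anything else to the domain set."""
    try:
        ipaddress.ip_address(host)
        sets["ip"].add(host)
    except ValueError:
        sets["domain"].add(host)


def build_ioc_sets(rows):
    """Group refanged IOCs by kind. url and ip:port indicators also feed a bare-IP
    set, because a C2 host is worth flagging on any port, not only the one seen."""
    sets = defaultdict(set)
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type.endswith("_hash"):
            sets[ioc_type[: -len("_hash")]].add(value.lower())
        elif ioc_type == "url":
            sets["url"].add(value)
            parts = urlsplit(value)
            _add_host(sets, parts.hostname)
            if parts.port:
                sets["ip_port"].add(f"{parts.hostname}:{parts.port}")
        elif ioc_type == "ip:port":
            host, _port = value.rsplit(":", 1)
            _add_host(sets, host)
            sets["ip_port"].add(value)
        else:
            sets[ioc_type].add(value)
    return sets


def to_kql_let(name, values):
    """Render one KQL list literal: let name = dynamic(["a", "b"]);"""
    quoted = ", ".join(f'"{v}"' for v in sorted(values))
    return f"let {name} = dynamic([{quoted}]);"


def render_kql(sets):
    """The let-statements to paste at the top of the Sentinel queries (names are ours)."""
    names = {"ip": "malicious_ips", "ip_port": "malicious_ip_ports",
             "url": "malicious_urls", "sha256": "malicious_hashes"}
    return "\n".join(to_kql_let(names[k], sets[k]) for k in names if sets.get(k))


def matching_events(events, sets):
    """Apply the same checks as the queries and report why each event matched."""
    hits = []
    for ev in events:
        reasons = []
        if ev.get("RemoteIP") in sets["ip"]:
            reasons.append("ip")
            if f"{ev['RemoteIP']}:{ev.get('RemotePort')}" in sets["ip_port"]:
                reasons.append("ip_port")
        if ev.get("SHA256", "").lower() in sets["sha256"]:
            reasons.append("sha256")
        if reasons:
            hits.append((ev["DeviceName"], reasons))
    return hits


if __name__ == "__main__":
    ioc_sets = build_ioc_sets(THREATFOX_IOCS)
    print(render_kql(ioc_sets))
    for device, why in matching_events(SAMPLE_EVENTS, ioc_sets):
        print(device, why)
```

Running it prints four `let` lines and three hits: ws01 matches on both the bare IP and the exact ip:port pair, ws02 matches on the IP alone (a port ThreatFox has not seen, which is exactly the case the bare-IP list exists for), and srv01 matches on the hash despite its upper-case spelling. Any hash or C2-IP hit produced this way is a triage item, not something a process-name exclusion should suppress.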
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF (Common Event Format) data connector is enabled |
| DeviceFileEvents | Ensure the Microsoft Defender XDR data connector is enabled |
| DeviceNetworkEvents | Ensure the Microsoft Defender XDR data connector is enabled |
| UrlClickEvents | Ensure the Microsoft Defender XDR data connector is enabled |
False Positive Scenarios

The scenarios below describe legitimate use of a tool or process named vshell and apply to behavioural rules keyed on process name, user or destination. They do not explain a match on the SHA-256 payload hash or the C2 IP from the queries above; those hits should be triaged rather than excluded.

Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that uses vshell as part of a system maintenance task, such as log rotation or backup.
Filter/Exclusion: Exclude processes initiated by the system scheduler (e.g., cron, at, or Task Scheduler), or filter by process name such as logrotate or backup_script.sh.

Scenario: Admin Task Using VShell for Remote Access
Description: An administrator uses vshell to securely access a remote server for troubleshooting or configuration changes.
Filter/Exclusion: Exclude processes initiated by known administrative accounts, or filter by user ID (e.g., root, admin, or sysadmin).

Scenario: Log Collection via VShell
Description: A log aggregation tool such as rsyslog or logstash uses vshell to securely transfer logs from remote servers to a central logging server.
Filter/Exclusion: Exclude traffic to known log collection servers, or filter by destination IP addresses associated with log management systems.

Scenario: Software Update via VShell
Description: A legitimate software update process uses vshell to transfer patches or updates to remote systems.
Filter/Exclusion: Exclude traffic to known update servers, or filter by file names containing keywords such as update, patch, or release.

Scenario: Secure File Transfer Using VShell
Description: A file transfer task, such as moving sensitive data between servers, is performed using vshell as part of a secure file transfer workflow.
Filter/Exclusion: Exclude transfers between internal servers, or filter by file types or directories associated with internal data movement (e.g., /data/secure/, /backup/).