The ThreatFox: PerlBot IOCs rule detects potential adversary activity associated with the PerlBot malware, which is known for executing malicious payloads and exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data breaches or system control.
IOC Summary
Malware Family: PerlBot
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]156[.]36[.]214:22 | payload_delivery | 2026-05-18 | 80% |
| ip:port | 43[.]173[.]91[.]132:22 | payload_delivery | 2026-05-18 | 80% |
| ip:port | 43[.]153[.]36[.]218:22 | payload_delivery | 2026-05-18 | 80% |
| ip:port | 122[.]165[.]124[.]15:22 | payload_delivery | 2026-05-18 | 80% |
| ip:port | 176[.]65[.]139[.]43:6667 | botnet_cc | 2026-05-18 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - PerlBot
let malicious_ips = dynamic(["43.173.91.132", "122.165.124.15", "43.156.36.214", "176.65.139.43", "43.153.36.218"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["43.173.91.132", "122.165.124.15", "43.156.36.214", "176.65.139.43", "43.153.36.218"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
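The hunt queries above match on IP only and drop the port that ThreatFox reported with each indicator. As an added example (not part of this rule page), the following Python refangs the ip:port indicators from the IOC table and matches them against constructed DeviceNetworkEvents-shaped rows, recording whether the port also matched so a hit on the botnet C2 port 6667 can be triaged ahead of a generic connection to the same IP.

```python
# Added example, not the rule page's own code: refang the defanged ip:port
# indicators from the IOC table and match constructed network events against
# them, keeping the port so a C2-port hit is distinguishable from any other
# connection to the same IP.

# Indicators copied from the IOC table, still defanged: (value, threat type, confidence).
THREATFOX_IOCS = [
    ("43[.]156[.]36[.]214:22", "payload_delivery", 80),
    ("43[.]173[.]91[.]132:22", "payload_delivery", 80),
    ("43[.]153[.]36[.]218:22", "payload_delivery", 80),
    ("122[.]165[.]124[.]15:22", "payload_delivery", 80),
    ("176[.]65[.]139[.]43:6667", "botnet_cc", 100),
]

def refang(value: str) -> str:
    """Turn '43[.]156[.]36[.]214:22' back into '43.156.36.214:22'."""
    return value.replace("[.]", ".")

def load_indicators(rows):
    """Map ip -> (port, threat_type, confidence) for lookup by RemoteIP."""
    indicators = {}
    for ip_port, threat_type, confidence in rows:
        ip, port = refang(ip_port).rsplit(":", 1)
        indicators[ip] = (int(port), threat_type, confidence)
    return indicators

def match_events(events, indicators):
    """One finding per event whose RemoteIP is an indicator; exact_port records
    whether RemotePort also equals the port ThreatFox reported."""
    findings = []
    for ev in events:
        hit = indicators.get(ev["RemoteIP"])
        if hit is None:
            continue
        port, threat_type, confidence = hit
        findings.append({
            "DeviceName": ev["DeviceName"], "RemoteIP": ev["RemoteIP"],
            "threat_type": threat_type, "confidence": confidence,
            "exact_port": ev["RemotePort"] == port,
        })
    return findings

# Constructed sample rows shaped like DeviceNetworkEvents; only two should hit.
SAMPLE_EVENTS = [
    {"DeviceName": "web01", "RemoteIP": "176.65.139.43", "RemotePort": 6667},
    {"DeviceName": "web01", "RemoteIP": "43.156.36.214", "RemotePort": 443},
    {"DeviceName": "db02", "RemoteIP": "10.0.0.5", "RemotePort": 22},
]

if __name__ == "__main__":
    for finding in match_events(SAMPLE_EVENTS, load_indicators(THREATFOX_IOCS)):
        print(finding)
```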
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using Perl for system maintenance (e.g., perl -e 'print "System check complete\n"') is flagged due to the presence of Perl in the command.
Filter/Exclusion: Exclude commands containing perl -e executed by scheduled tasks with known maintenance names (e.g., TaskScheduler or cron jobs with system-maintenance in the name).
Scenario: Admin Script for Log Parsing
Description: An admin script written in Perl is used to parse and analyze system logs (e.g., perl log_parser.pl /var/log/syslog).
Filter/Exclusion: Exclude processes initiated by admin users (e.g., root, admin, or sysadmin) and filter for scripts located in known admin directories (e.g., /opt/scripts/, /usr/local/bin/).
Scenario: Automated Backup Job Using Perl
Description: A backup script written in Perl is running as part of a nightly backup process (e.g., perl backup_script.pl /data/backup).
Filter/Exclusion: Exclude processes that match known backup job names or are scheduled via cron or Task Scheduler and are located in backup directories (e.g., /backup/scripts/).
Scenario: Perl-based Reporting Tool
Description: A legitimate reporting tool written in Perl is generating reports from database queries (e.g., perl report_generator.pl --output /reports/daily).
Filter/Exclusion: Exclude processes that match known reporting tools (e.g., report_generator.pl) and are executed from known reporting directories (e.g., /reports/tools/).
Scenario: Perl Module Installation via CPAN
Description: A system administrator is installing a Perl module using CPAN (e.g