The ThreatFox: PerlBot IOCs rule detects network activity associated with PerlBot, a Perl-based malware family used to stage additional payloads and exfiltrate data. The indicators below are ip:port pairs published by ThreatFox for its command-and-control (botnet_cc) and payload-delivery infrastructure. SOC teams should hunt for connections to these endpoints in Microsoft Sentinel (formerly Azure Sentinel) to catch early-stage compromises before they progress to data theft or persistent access.
IOC Summary
Malware Family: PerlBot
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 179[.]43[.]139[.]83:443 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 209[.]99[.]186[.]7:443 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 179[.]43[.]139[.]83:80 | payload_delivery | 2026-05-17 | 100% |
| ip:port | 179[.]43[.]139[.]85:442 | payload_delivery | 2026-05-17 | 100% |
| ip:port | 179[.]43[.]180[.]84:80 | payload_delivery | 2026-05-17 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - PerlBot
// The published IOCs are ip:port pairs; this hunt matches on IP alone so that
// C2 traffic on a non-listed port is not missed. Ports are projected so an
// analyst can check each hit against the IOC table above.
let malicious_ips = dynamic(["179.43.139.83", "209.99.186.7", "179.43.139.85", "179.43.180.84"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Four unique IPs cover all five IOCs (179.43.139.83 is listed on both 443 and 80).
// RemotePort and the initiating process are projected for triage.
let malicious_ips = dynamic(["179.43.139.83", "209.99.186.7", "179.43.139.85", "179.43.180.84"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
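The two hunts above match on IP only, so every hit still has to be compared with the published port before it is called a confirmed IOC match. The following Python is an added example, not part of the ThreatFox rule or the page: it refangs the defanged IOC values from the table, builds an ip:port watchlist, emits the `let malicious_ips` line used by the KQL, and runs the same matching logic over a few constructed CommonSecurityLog- and DeviceNetworkEvents-shaped records, labelling each hit as an exact ip:port match or an IP-only match. All sample events are constructed for illustration.

```python
import re

# Constructed copy of the five defanged IOC values from the table above.
IOC_ROWS = [
    ("179[.]43[.]139[.]83:443", "botnet_cc"),
    ("209[.]99[.]186[.]7:443", "botnet_cc"),
    ("179[.]43[.]139[.]83:80", "payload_delivery"),
    ("179[.]43[.]139[.]85:442", "payload_delivery"),
    ("179[.]43[.]180[.]84:80", "payload_delivery"),
]

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def refang(value: str) -> str:
    """Undo the '[.]' defanging used in published IOC tables."""
    return value.replace("[.]", ".")


def build_watchlist(rows):
    """Return {ip: {port: threat_type}} from defanged 'ip:port' strings.
    Anything that is not a well-formed IPv4:port pair is rejected rather than
    silently dropped, so a bad copy-paste cannot shrink the watchlist."""
    watch = {}
    for raw, threat in rows:
        ip, sep, port = refang(raw).rpartition(":")
        if not sep or not IPV4.match(ip) or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed IOC: {raw!r}")
        watch.setdefault(ip, {})[int(port)] = threat
    return watch


def kql_let(watch):
    """Emit the 'let malicious_ips = dynamic([...])' line used by the KQL hunts."""
    ips = ", ".join(f'"{ip}"' for ip in sorted(watch))
    return f"let malicious_ips = dynamic([{ips}]);"


def classify(watch, ip, port):
    """Mirror the KQL 'in (malicious_ips)' test, then refine by port:
    ('exact', threat_type) when ip:port is a published IOC,
    ('ip_only', None) when only the IP matches, None when nothing matches."""
    ports = watch.get(ip)
    if ports is None:
        return None
    if port in ports:
        return "exact", ports[port]
    return "ip_only", None


def hunt_csl(watch, events):
    """CommonSecurityLog-shaped records: check both directions, pairing each IP
    with the port on the same side of the connection (the KQL's SourceIP match
    must be compared against SourcePort, not DestinationPort)."""
    hits = []
    for e in events:
        for ip, port, role in ((e["DestinationIP"], e["DestinationPort"], "dst"),
                               (e["SourceIP"], e["SourcePort"], "src")):
            c = classify(watch, ip, port)
            if c:
                hits.append({"table": "CommonSecurityLog", "role": role, "ip": ip,
                             "port": port, "match": c[0], "threat_type": c[1]})
    return hits


def hunt_dne(watch, events):
    """DeviceNetworkEvents-shaped records: remote side only, as in the KQL."""
    hits = []
    for e in events:
        c = classify(watch, e["RemoteIP"], e["RemotePort"])
        if c:
            hits.append({"table": "DeviceNetworkEvents", "device": e["DeviceName"],
                         "process": e["InitiatingProcessFileName"], "ip": e["RemoteIP"],
                         "port": e["RemotePort"], "match": c[0], "threat_type": c[1]})
    return hits


# Constructed sample events (not real telemetry); field names follow the Sentinel tables.
CSL_EVENTS = [
    {"SourceIP": "10.0.0.5", "SourcePort": 50122, "DestinationIP": "179.43.139.83", "DestinationPort": 443},
    {"SourceIP": "10.0.0.6", "SourcePort": 50123, "DestinationIP": "179.43.139.83", "DestinationPort": 8443},
    {"SourceIP": "209.99.186.7", "SourcePort": 443, "DestinationIP": "10.0.0.9", "DestinationPort": 51820},
    {"SourceIP": "10.0.0.7", "SourcePort": 40000, "DestinationIP": "1.1.1.1", "DestinationPort": 53},
]
DNE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "179.43.180.84", "RemotePort": 80, "InitiatingProcessFileName": "perl"},
    {"DeviceName": "ws02", "RemoteIP": "179.43.139.85", "RemotePort": 443, "InitiatingProcessFileName": "curl"},
    {"DeviceName": "ws03", "RemoteIP": "93.184.216.34", "RemotePort": 443, "InitiatingProcessFileName": "msedge.exe"},
]

if __name__ == "__main__":
    watch = build_watchlist(IOC_ROWS)
    print(kql_let(watch))
    for hit in hunt_csl(watch, CSL_EVENTS) + hunt_dne(watch, DNE_EVENTS):
        print(hit)
```

On the constructed input this yields three CommonSecurityLog hits (two exact, one IP-only on port 8443) and two DeviceNetworkEvents hits (one exact from a `perl` process, one IP-only). The IP-only hits are still worth triage, since the same host may serve C2 on an unlisted port, but only the exact ip:port matches inherit the 100% confidence of the published indicator.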
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connectors (firewall, proxy and other network appliances); ensure the connector is enabled and forwarding |
| DeviceNetworkEvents | Requires the Microsoft Defender for Endpoint (Microsoft Defender XDR) data connector with the DeviceNetworkEvents table enabled |
False Positive Scenarios
The exclusions below describe legitimate Perl execution and are written against process fields rather than the network fields used by the hunts above. They are relevant when a process-based PerlBot detection is layered on top of this rule; a connection to one of the listed ip:port pairs should be treated as a confirmed match regardless of which process initiated it.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task uses Perl to perform system maintenance (e.g., log rotation, disk cleanup).
Filter/Exclusion: `process.parent_process_name:"Task Scheduler" or process.command_line:"logrotate"`
Scenario: Admin Script for Configuration Backup
Description: A system administrator uses a Perl script to automate configuration backups, which may involve file I/O operations.
Filter/Exclusion: `process.user:"admin_user" and process.command_line:"backup_script.pl"`
Scenario: Database Backup Job Using Perl
Description: A database backup job written in Perl is executed by the database management system (e.g., MySQL, PostgreSQL) as part of routine operations.
Filter/Exclusion: `process.command_line:"db_backup.pl" or process.parent_process_name:"mysqld"`
Scenario: Log Parsing with Perl
Description: A Perl log-parsing script is run by the IT operations team to analyze system or application logs.
Filter/Exclusion: `process.command_line:"parse_logs.pl" or process.user:"log_analyzer"`
Scenario: Perl-based Monitoring Tool
Description: A legitimate monitoring tool (e.g., Nagios, Zabbix) uses Perl scripts to collect system metrics and trigger alerts.
Filter/Exclusion: `process.command_line:"check_disk.pl" or process.parent_process_name:"nagios"`