The ThreatFox: PerlBot IOCs rule detects potential adversary activity linked to the PerlBot malware by identifying known indicators of compromise associated with its command and control infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration or lateral movement within the network.
IOC Summary
Malware Family: PerlBot
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 179[.]43[.]139[.]84:443 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 179[.]43[.]139[.]86:443 | botnet_cc | 2026-05-21 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - PerlBot
// The IOCs are ip:port pairs on 443. The match below is IP-only so that a C2 that
// moves ports is still caught; append `and DestinationPort == 443` to tighten it.
let malicious_ips = dynamic(["179.43.139.86", "179.43.139.84"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Same IP list as above; InitiatingProcessFileName shows which process made the connection,
// which is what the false-positive scenarios below key on.
let malicious_ips = dynamic(["179.43.139.86", "179.43.139.84"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
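The two queries above take the IOC list as a hand-typed `dynamic` array and match on IP alone. The following added example (written for this page; not code from ThreatFox or from the Sentinel rule) refangs the `ip:port` values exactly as they appear in the table, renders the `let malicious_ips` line so the query stays in sync with the feed, and runs the same match over a few constructed DeviceNetworkEvents-style rows, keeping the port so that a hit on the exact ip:port pair is ranked above an IP-only hit. The sample events, hostnames and the `THREATFOX_IOCS` structure are constructed for illustration.

```python
"""Refang ThreatFox ip:port IOCs, emit the KQL list, and match sample network events.

Added example for this page; the feed rows below are copied from the IOC table,
the event rows are constructed, and the dict layout is an assumption, not the
ThreatFox API format.
"""
import ipaddress
import json
import re
from dataclasses import dataclass
from typing import Iterable

# IOCs from the table above, kept in their defanged form.
THREATFOX_IOCS = [
    {"type": "ip:port", "value": "179[.]43[.]139[.]84:443", "confidence": 75},
    {"type": "ip:port", "value": "179[.]43[.]139[.]86:443", "confidence": 80},
]

# Common defang spellings of a dot: [.] (.) {.}
_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


@dataclass(frozen=True)
class IpPortIoc:
    ip: str
    port: int
    confidence: int


def refang_ip_port(value: str) -> tuple[str, int]:
    """Turn '179[.]43[.]139[.]84:443' into ('179.43.139.84', 443), validating both parts."""
    host, sep, port = _DEFANG.sub(".", value).rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port IOC: {value!r}")
    ip = str(ipaddress.ip_address(host))  # rejects truncated or non-IP hosts
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"bad port in IOC: {value!r}")
    return ip, port_num


def is_valid_ip_port(value: str) -> bool:
    """True when the value refangs to a usable ip:port pair."""
    try:
        refang_ip_port(value)
        return True
    except ValueError:
        return False


def load_iocs(feed: Iterable[dict]) -> list[IpPortIoc]:
    """Keep only ip:port entries, which is the sole type this rule carries."""
    out = []
    for entry in feed:
        if entry["type"] != "ip:port":
            continue
        ip, port = refang_ip_port(entry["value"])
        out.append(IpPortIoc(ip, port, int(entry["confidence"])))
    return out


def kql_let(iocs: list[IpPortIoc], name: str = "malicious_ips") -> str:
    """Render the `let` line both hunt queries start with, sorted and deduplicated."""
    ips = sorted({i.ip for i in iocs})
    return f"let {name} = dynamic({json.dumps(ips)});"


def match_events(events: Iterable[dict], iocs: list[IpPortIoc]) -> list[dict]:
    """Return events whose RemoteIP is listed; 'exact' when RemotePort matches too."""
    ports_by_ip: dict[str, set[int]] = {}
    for i in iocs:
        ports_by_ip.setdefault(i.ip, set()).add(i.port)
    hits = []
    for e in events:
        ports = ports_by_ip.get(e["RemoteIP"])
        if ports is None:
            continue
        kind = "exact" if e["RemotePort"] in ports else "ip_only"
        hits.append({**e, "match": kind})
    return hits


# Constructed DeviceNetworkEvents-style rows (hostnames and times are made up).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-22T03:14:07Z", "DeviceName": "web-01", "RemoteIP": "179.43.139.84",
     "RemotePort": 443, "InitiatingProcessFileName": "perl", "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2026-05-22T03:15:11Z", "DeviceName": "build-03", "RemoteIP": "179.43.139.86",
     "RemotePort": 8080, "InitiatingProcessFileName": "curl", "ActionType": "ConnectionFailed"},
    {"Timestamp": "2026-05-22T03:16:40Z", "DeviceName": "web-01", "RemoteIP": "198.51.100.7",
     "RemotePort": 443, "InitiatingProcessFileName": "python3", "ActionType": "ConnectionSuccess"},
]

if __name__ == "__main__":
    iocs = load_iocs(THREATFOX_IOCS)
    print(kql_let(iocs))
    for hit in match_events(SAMPLE_EVENTS, iocs):
        print(hit["match"], hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"], hit["InitiatingProcessFileName"])
```

The IP-only hit on build-03 (port 8080 rather than 443) is still reported, because the original queries deliberately match on IP alone; the `match` field just lets a triage view sort the exact ip:port hits first.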
False Positives
These exclusions are keyed on process, user and file fields, so they map onto host telemetry such as InitiatingProcessFileName in DeviceNetworkEvents; the CommonSecurityLog query above matches on IP alone and carries no process filter. Treat them as starting points, not allowlists: a connection to a listed botnet_cc address from a backup, cron or CI process is still a hit worth triaging, so scope any exclusion to a specific host and a reviewed destination rather than the process name alone. The grouping parentheses matter: without them, AND binds tighter than OR and a filter such as "user = root OR ..." would silence every event from root.
Scenario: System backup process using rsync or tar that generates Perl-like script files (e.g., .pl files) for automation
Filter/Exclusion: Exclude files with file_type = "script" AND (process_name = "rsync" OR process_name = "tar")
Scenario: Scheduled job using cron or systemd that runs a legitimate Perl script for log parsing or data processing
Filter/Exclusion: Exclude processes with (process_name = "cron" OR process_name = "systemd") AND file_name = "log_parser.pl"
Scenario: Admin task involving the use of perl to generate configuration files or templates for application deployment
Filter/Exclusion: Exclude processes with (user = "admin" OR user = "root") AND file_name = "config_gen.pl"
Scenario: Development environment where Perl scripts are used for testing or CI/CD pipeline automation (e.g., jenkins or gitlab-runner)
Filter/Exclusion: Exclude processes with (process_name = "jenkins" OR process_name = "gitlab-runner") AND file_name = "test_script.pl"
Scenario: Use of perl in a DevOps tool like Ansible or Chef for configuration management tasks
Filter/Exclusion: Exclude processes with (process_name = "ansible" OR process_name = "chef") AND file_name = "config_manage.pl"