The ThreatFox: Unknown malware IOCs rule flags network activity involving indicators that ThreatFox attributes to an as-yet-unidentified malware family (botnet command-and-control endpoints and a payload-delivery domain), which may point to an advanced persistent threat. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and contain the threat before it causes significant damage.
IOC Summary

Malware Family: Unknown malware
Total IOCs: 8
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]133[.]149[.]36:7443 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 20[.]114[.]142[.]61:7443 | botnet_cc | 2026-05-11 | 75% |
| domain | robodomain.sbs | payload_delivery | 2026-05-10 | 100% |
| ip:port | 199[.]247[.]14[.]16:5000 | botnet_cc | 2026-05-10 | 50% |
| ip:port | 199[.]247[.]14[.]16:10000 | botnet_cc | 2026-05-10 | 50% |
| ip:port | 199[.]247[.]14[.]16:80 | botnet_cc | 2026-05-10 | 50% |
| ip:port | 44[.]206[.]172[.]239:7443 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 209[.]99[.]188[.]44:7443 | botnet_cc | 2026-05-10 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
// Note: the IOCs are published as ip:port; this query matches on IP only,
// so add a DestinationPort filter if you want to narrow to the listed ports.
let malicious_ips = dynamic(["43.133.149.36", "20.114.142.61", "199.247.14.16", "44.206.172.239", "209.99.188.44"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["43.133.149.36", "20.114.142.61", "199.247.14.16", "44.206.172.239", "209.99.188.44"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["robodomain.sbs"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
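The queries above match on IP address alone, while ThreatFox publishes these indicators as ip:port pairs (199.247.14.16 appears three times with different ports). The following Python is an added example, not code from the page or from ThreatFox: it refangs the IOC table into structured indicators, renders the `let` lists the queries use (optionally filtered by confidence), and runs a port-aware match over a handful of constructed records whose field names mirror the CommonSecurityLog columns projected above. The record contents and the `min_confidence` threshold are assumptions for illustration.

```python
"""Added example: parse the defanged ThreatFox IOC table into indicators,
render KQL `let` lists, and match constructed connection records with
port context. Not part of the original page."""
import re
from dataclasses import dataclass
from typing import List, Optional

# IOC rows copied from the table on the page (values are defanged as published).
IOC_ROWS = [
    ("ip:port", "43[.]133[.]149[.]36:7443", "botnet_cc", 75),
    ("ip:port", "20[.]114[.]142[.]61:7443", "botnet_cc", 75),
    ("domain", "robodomain.sbs", "payload_delivery", 100),
    ("ip:port", "199[.]247[.]14[.]16:5000", "botnet_cc", 50),
    ("ip:port", "199[.]247[.]14[.]16:10000", "botnet_cc", 50),
    ("ip:port", "199[.]247[.]14[.]16:80", "botnet_cc", 50),
    ("ip:port", "44[.]206[.]172[.]239:7443", "botnet_cc", 75),
    ("ip:port", "209[.]99[.]188[.]44:7443", "botnet_cc", 75),
]


def refang(value: str) -> str:
    """Undo common defanging: '[.]' and '(.)' -> '.', 'hxxp' -> 'http'."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str            # refanged IP or domain
    port: Optional[int]   # set only for ip:port indicators
    threat_type: str
    confidence: int


def parse_iocs(rows) -> List[Indicator]:
    """Turn (type, defanged value, threat type, confidence) rows into Indicators."""
    out = []
    for ioc_type, raw, threat, conf in rows:
        clean = refang(raw)
        if ioc_type == "ip:port":
            ip, port = clean.rsplit(":", 1)
            out.append(Indicator(ioc_type, ip, int(port), threat, conf))
        elif ioc_type == "domain":
            out.append(Indicator(ioc_type, clean.lower(), None, threat, conf))
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return out


def kql_lists(indicators: List[Indicator], min_confidence: int = 0) -> str:
    """Render the `let` declarations used by the page's queries.
    IPs are deduplicated (one IP may be listed with several ports) and
    indicators below min_confidence are dropped."""
    def fmt(values):
        return ", ".join(f'"{v}"' for v in values)
    ips = sorted({i.value for i in indicators
                  if i.ioc_type == "ip:port" and i.confidence >= min_confidence})
    domains = sorted({i.value for i in indicators
                      if i.ioc_type == "domain" and i.confidence >= min_confidence})
    return (f"let malicious_ips = dynamic([{fmt(ips)}]);\n"
            f"let malicious_domains = dynamic([{fmt(domains)}]);")


def match_connection(indicators, dst_ip: str, dst_port: int) -> Optional[Indicator]:
    """Port-aware match: the indicator whose IP and port both match, else None."""
    for i in indicators:
        if i.ioc_type == "ip:port" and i.value == dst_ip and i.port == dst_port:
            return i
    return None


def hunt(indicators, records):
    """records: dicts with CommonSecurityLog-style keys. Returns (record, indicator) hits."""
    hits = []
    for r in records:
        ind = match_connection(indicators, r["DestinationIP"], r["DestinationPort"])
        if ind is not None:
            hits.append((r, ind))
    return hits


# Constructed sample records (not real telemetry); field names mirror the
# columns projected by the CommonSecurityLog query on the page.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-05-11T08:01:02Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "43.133.149.36", "DestinationPort": 7443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-11T08:02:10Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "199.247.14.16", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-11T08:03:30Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "199.247.14.16", "DestinationPort": 10000, "DeviceAction": "deny"},
    {"TimeGenerated": "2026-05-11T08:04:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53, "DeviceAction": "allow"},
]

if __name__ == "__main__":
    inds = parse_iocs(IOC_ROWS)
    print(kql_lists(inds, min_confidence=75))
    for rec, ind in hunt(inds, SAMPLE_RECORDS):
        print(f'{rec["TimeGenerated"]} {rec["SourceIP"]} -> '
              f'{rec["DestinationIP"]}:{rec["DestinationPort"]} '
              f'matches {ind.threat_type} (confidence {ind.confidence}%)')
```

Against the sample records the port-aware matcher returns two hits (port 7443 to 43.133.149.36 and port 10000 to 199.247.14.16), whereas the IP-only queries on the page would also surface the 199.247.14.16:443 connection. Which behaviour you want is a tuning decision: for botnet C2 infrastructure any contact with the host is worth a look, so IP-only matching is the safer default for the initial hunt, and port matching is a useful second pass when an IP with many listed ports generates noise. Note also that a 50% confidence IOC drops out of the rendered `let` lists when `min_confidence=75`, which is one way to keep the highest-signal indicators in the scheduled rule and the rest in ad-hoc hunting.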
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is running a scheduled backup job that uses a known legitimate tool like rsync or Veeam which temporarily writes to a network share.
Filter/Exclusion: Exclude network IOCs related to backup tools such as rsync, Veeam, or Veritas NetBackup from the detection.
Scenario: A developer is using a legitimate code signing tool like SignTool (Microsoft) or codesign (Apple) to sign a script or binary, which may generate IOCs related to certificate handling.
Filter/Exclusion: Exclude IOCs associated with code signing tools and certificate utilities like SignTool, codesign, or openssl.
Scenario: A system update or patching process uses a tool like Chocolatey or WSUS to download and install updates, which may involve network IOCs to known Microsoft or vendor servers.
Filter/Exclusion: Exclude IOCs related to update tools and known vendor servers such as update.microsoft.com, download.microsoft.com, or wsusserver.
Scenario: A security analyst is performing a forensic investigation using tools like Volatility or Mandiant Red Team which may generate IOCs related to memory analysis or exploit frameworks.
Filter/Exclusion: Exclude IOCs associated with forensic tools and red team frameworks such as Volatility, Mandiant, or Metasploit.
Scenario: A DevOps pipeline uses a CI/CD tool like Jenkins or GitLab CI to pull code from a private repository, which may involve network IOCs to internal Git servers.
Filter/Exclusion: Exclude IOCs related to CI/CD tools and internal Git servers such as gitlab.com, github.com, or internal GitLab instances.