The ThreatFox: PlugX IOCs rule detects potential adversary activity associated with the PlugX malware family, leveraging known indicators of compromise to identify malicious network traffic. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that may be establishing command and control channels or exfiltrating data.
**IOC Summary**

- Malware Family: PlugX
- Total IOCs: 3
- IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | update-trellix.com | botnet_cc | 2026-05-08 | 49% |
| domain | license.claude-pro.com | botnet_cc | 2026-05-08 | 49% |
| domain | gouvvbo.top | botnet_cc | 2026-05-08 | 49% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - PlugX
let malicious_domains = dynamic(["update-trellix.com", "license.claude-pro.com", "gouvvbo.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
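The same hunt applied offline to DnsEvents-style records, as an added example that is not part of the original rule: it matches the three IOC domains on label boundaries (the domain itself or any subdomain of it), which is stricter than the term-based `has_any` above and avoids hits on lookalike names such as `notgouvvbo.top`. The sample events are constructed, not real telemetry.

```python
"""Added example: label-boundary domain matching for the PlugX IOC list
over constructed DnsEvents-style records (not the rule page's own code)."""
import json

# IOC domains from the ThreatFox PlugX table above.
PLUGX_DOMAINS = {"update-trellix.com", "license.claude-pro.com", "gouvvbo.top"}

# Constructed sample records in the shape of the Sentinel DnsEvents table.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-09T08:01:00Z", "Computer": "ws-014", "Name": "update-trellix.com", "QueryType": "A"},
    {"TimeGenerated": "2026-05-09T08:01:05Z", "Computer": "ws-014", "Name": "cdn.gouvvbo.top", "QueryType": "A"},
    {"TimeGenerated": "2026-05-09T08:02:10Z", "Computer": "ws-022", "Name": "trellix.com", "QueryType": "A"},
    {"TimeGenerated": "2026-05-09T08:03:00Z", "Computer": "ws-031", "Name": "notgouvvbo.top", "QueryType": "AAAA"},
    {"TimeGenerated": "2026-05-09T08:04:00Z", "Computer": "ws-031", "Name": "License.Claude-Pro.COM.", "QueryType": "A"},
]


def normalize(name: str) -> str:
    """Lower-case the queried name and strip the trailing dot DNS logs often carry."""
    return name.strip().lower().rstrip(".")


def matched_ioc(name: str, iocs=PLUGX_DOMAINS):
    """Return the IOC that `name` equals or is a subdomain of, else None.

    The suffix check is done on a label boundary ("." + ioc), so a lookalike
    such as notgouvvbo.top is not reported while cdn.gouvvbo.top is.
    """
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt(events, iocs=PLUGX_DOMAINS):
    """Keep events whose Name hits an IOC, newest first like the KQL `order by`."""
    hits = [dict(e, MatchedIOC=m) for e in events if (m := matched_ioc(e["Name"], iocs))]
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_EVENTS):
        print(json.dumps(hit))
```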
**Scenario: Legitimate scheduled job using schtasks.exe**

Description: A system administrator schedules a maintenance task using schtasks.exe, which is a common legitimate tool for managing scheduled jobs.

Filter/Exclusion: Exclude processes where schtasks.exe is used with the /create or /run flags and the task name contains known administrative task patterns (e.g., Maintenance, Backup, Update).

**Scenario: System update using msiexec.exe**

Description: A Windows system is applying a legitimate software update via msiexec.exe, which is often used for installing or updating Microsoft products.

Filter/Exclusion: Exclude processes where msiexec.exe is used with the /i or /update flags and the package name matches known Microsoft update packages (e.g., Windows10.21H2.msu).

**Scenario: Log file parsing using PowerShell.exe**

Description: A security analyst or admin uses PowerShell to parse and analyze log files, which is a common legitimate activity.

Filter/Exclusion: Exclude processes where PowerShell.exe is invoked with scripts that match known log analysis patterns (e.g., Get-EventLog, Select-String, Out-File) and the script path is within a known admin script directory (e.g., C:\Scripts\).

**Scenario: Database backup using sqlcmd.exe**

Description: A DBA runs a database backup using sqlcmd.exe, which is a standard tool for executing SQL commands from the command line.

Filter/Exclusion: Exclude processes where sqlcmd.exe is used with backup-related commands (e.g., BACKUP DATABASE) and the instance name matches known production SQL Server instances.
**Scenario: User account