The ThreatFox: Tofsee IOCs rule detects potential adversary activity linked to the Tofsee threat group, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises from advanced persistent threats.
IOC Summary

Malware Family: Tofsee
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 217[.]60[.]241[.]100:418 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 217[.]60[.]241[.]17:418 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 64[.]89[.]161[.]178:482 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 83[.]142[.]209[.]228:418 | botnet_cc | 2026-05-21 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Tofsee
// Note: the ThreatFox indicators are ip:port pairs; this query matches on IP alone,
// so a hit on an unrelated port should be reviewed against the port in the IOC table.
let malicious_ips = dynamic(["83.142.209.228", "64.89.161.178", "217.60.241.100", "217.60.241.17"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Matches outbound connections from managed endpoints to any of the Tofsee C2 IPs
let malicious_ips = dynamic(["83.142.209.228", "64.89.161.178", "217.60.241.100", "217.60.241.17"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
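As an added example that is not part of the original rule, the following KQL variant matches the full ip:port pairs from the IOC table instead of IP alone and summarizes hits per device; it assumes the Defender for Endpoint DeviceNetworkEvents schema used above (RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine).

```kusto
// Added example: port-aware Tofsee C2 hunt over DeviceNetworkEvents.
// The IOC table is reproduced as a datatable so the join can check both IP and port.
let tofsee_iocs = datatable(ioc_ip:string, ioc_port:int) [
    "217.60.241.100", 418,
    "217.60.241.17",  418,
    "64.89.161.178",  482,
    "83.142.209.228", 418
];
DeviceNetworkEvents
// Cheap pre-filter on IP before the join
| where RemoteIP in (tofsee_iocs | project ioc_ip)
// Keep only connections that hit the exact ip:port pair from the IOC list
| join kind=inner tofsee_iocs on $left.RemoteIP == $right.ioc_ip, $left.RemotePort == $right.ioc_port
// One row per device and C2 endpoint, with the initiating processes for triage
| summarize
    hits = count(),
    first_seen = min(Timestamp),
    last_seen = max(Timestamp),
    initiating_processes = make_set(InitiatingProcessFileName),
    sample_command_lines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, RemoteIP, RemotePort
| order by last_seen desc
```

Devices whose initiating process is not a browser or known updater, or that reconnect repeatedly (high hits over a long first_seen to last_seen window), are the ones to escalate first.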
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job uses a script or tool that matches one of the Tofsee IOCs (e.g., a PowerShell script used for data backup).
Filter/Exclusion: Exclude processes initiated by the Windows Task Scheduler with the task name containing “backup” or “system_backup”.
Scenario: Admin Performing Log Collection via PowerShell
Description: An administrator uses PowerShell to collect logs from multiple servers, which may include commands or scripts that match Tofsee IOCs.
Filter/Exclusion: Exclude processes started by the Administrators group with the command line containing “log” or “Get-EventLog”.
Scenario: Regular System Monitoring with Splunk
Description: A system monitoring tool like Splunk is configured to collect and analyze logs, which may include commands or artifacts that match Tofsee IOCs.
Filter/Exclusion: Exclude processes related to Splunk with the executable name splunkd.exe or containing the string “splunk” in the command line.
Scenario: Patch Management Tool Execution
Description: A patch management tool such as Microsoft System Center Configuration Manager (SCCM) or Ansible is used to deploy updates, which may involve scripts or commands that match Tofsee IOCs.
Filter/Exclusion: Exclude processes initiated by the patch management tool’s service or with the command line containing “patch” or “update”.
Scenario: Database Maintenance Task
Description: A database maintenance task, such as a SQL Server Agent job, runs scripts that may include commands or files that match Tofsee IOCs.
Filter/Exclusion: Exclude processes initiated by SQL Server Agent with the job name containing “maintenance” or “db_backup”.