The ThreatFox: VShell IOCs rule flags network connections to command-and-control endpoints that ThreatFox attributes to the VShell malware, a remote access tool that gives an operator persistence on, and a pivot point for lateral movement from, a compromised host. Every IOC below is an ip:port pair of threat type botnet_cc, so a hit means a host is talking to a known VShell C2 server. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) and treat an exact ip:port match as an incident to be investigated, not an informational alert.
IOC Summary
Malware Family: VShell
Total IOCs: 5
IOC Types: ip:port
The values in the table are defanged in ThreatFox's notation ([.] in place of .) and must be refanged before they are used in a query; the KQL below already carries the plain form.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 156[.]248[.]73[.]66:8084 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 156[.]248[.]73[.]115:8084 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 156[.]238[.]249[.]187:9897 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 114[.]132[.]199[.]206:18084 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 81[.]68[.]216[.]220:8000 | botnet_cc | 2026-05-18 | 100% |
```kql
// Hunt for network connections to the VShell C2 endpoints listed above
// Source: ThreatFox - VShell (ip:port IOCs; ExactC2Match = true is the exact pair)
let vshell_c2 = datatable(c2_ip:string, c2_port:int) [
    "156.248.73.66", 8084, "156.248.73.115", 8084, "156.238.249.187", 9897,
    "114.132.199.206", 18084, "81.68.216.220", 8000];
CommonSecurityLog
| where DestinationIP in ((vshell_c2 | project c2_ip)) or SourceIP in ((vshell_c2 | project c2_ip))
| join kind=leftouter vshell_c2 on $left.DestinationIP == $right.c2_ip, $left.DestinationPort == $right.c2_port
| extend ExactC2Match = isnotempty(c2_ip)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ExactC2Match, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events (same IOC set, outbound only)
let vshell_c2 = datatable(c2_ip:string, c2_port:int) [
    "156.248.73.66", 8084, "156.248.73.115", 8084, "156.238.249.187", 9897,
    "114.132.199.206", 18084, "81.68.216.220", 8000];
DeviceNetworkEvents
| where RemoteIP in ((vshell_c2 | project c2_ip))
| join kind=leftouter vshell_c2 on $left.RemoteIP == $right.c2_ip, $left.RemotePort == $right.c2_port
| extend ExactC2Match = isnotempty(c2_ip)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ExactC2Match, InitiatingProcessFileName, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```

Both queries still match on the IP alone, as the original hunt did, so that traffic to a listed host on another port is not lost; the join against the ip:port pair adds ExactC2Match so that an analyst can separate the high-confidence hits from IP-only hits that may belong to another tenant on a shared host.
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector from firewalls, proxies and similar devices; ensure it is enabled and that egress devices are forwarding |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector (Defender for Endpoint telemetry); ensure it is enabled and the affected devices are onboarded |
False Positive Scenarios
The IOCs above are exact C2 ip:port pairs reported at 100% confidence, so a connection to one of them should be treated as a true positive until the traffic is explained by the owner of the host. The scenarios below describe legitimate uses of a tool named vshell and apply only when the hunt is widened beyond the listed ip:port pairs to process- or account-based indicators; do not suppress a match on a listed C2 endpoint on the strength of a process name or account alone.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses vshell as part of a system maintenance process, such as log rotation or backup.
Filter/Exclusion: Exclude processes launched by the Task Scheduler service or belonging to a task with a known maintenance name (e.g., BackupJob, LogRotation), after verifying the task's definition and author.
Scenario: Admin Access via VShell for Remote Management
Description: An administrator uses vshell to securely access a remote server for troubleshooting or configuration changes.
Filter/Exclusion: Exclude connections originating from documented admin jump hosts or IP ranges. Privileged account names (e.g., admin, root, svc_account) should only narrow that exclusion, not replace it: stolen privileged credentials are a common way C2 traffic ends up running under an admin account.
Scenario: Automated Deployment Tool Using VShell
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) uses vshell to transfer files or execute commands on target servers during deployment.
Filter/Exclusion: Exclude processes launched by the CI/CD agent's service account on known runner hosts. Job names containing keywords like deploy, build, or release can serve as a secondary filter but not on their own, since anyone who can create a job can choose its name.
Scenario: Log Analysis Tool Using VShell for Data Transfer
Description: A log analysis tool (e.g., Splunk, ELK Stack) uses vshell to transfer log files between servers for centralized logging.
Filter/Exclusion: Exclude processes whose image path or command line contains logs, logstash, or splunk, combined with the tool's service account and its known collector or forwarder hosts.
Scenario: Network Monitoring Tool with VShell Integration
Description: A network monitoring tool (e.g., Nagios, Zabbix) uses vshell to check system metrics or execute remote commands for monitoring purposes.
Filter/Exclusion: Exclude processes whose command-line arguments contain check, monitor, or status and that originate from the monitoring tool's service account.
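As an added example that is not part of the original rule, of ThreatFox, or of Microsoft Sentinel, the following Python prototypes the same hunt offline so it can be checked before it is deployed as KQL: it refangs the ip:port IOCs from the table, matches them against constructed DeviceNetworkEvents-style records, and applies the admin jump-host exclusion from the scenarios above in a way that never suppresses an exact C2 endpoint match. The device names, the 10.50.0.0/24 jump-host range and the sample events are assumptions made up for this example.

```python
"""Stand-alone prototype of the VShell IOC hunt: refang ThreatFox ip:port IOCs,
match them against network events, and apply an exclusion the way the
false-positive scenarios describe. Added example; not code from the original
page, ThreatFox, or Microsoft Sentinel."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# IOCs copied from the table above, in ThreatFox's defanged notation.
THREATFOX_VSHELL_IOCS = [
    "156[.]248[.]73[.]66:8084",
    "156[.]248[.]73[.]115:8084",
    "156[.]238[.]249[.]187:9897",
    "114[.]132[.]199[.]206:18084",
    "81[.]68[.]216[.]220:8000",
]


def refang(ioc: str) -> Tuple[str, int]:
    """'156[.]248[.]73[.]66:8084' -> ('156.248.73.66', 8084); IPv4 only,
    which is all ThreatFox lists here. Rejects anything that is not ip:port."""
    host, sep, port = ioc.replace("[.]", ".").rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ipaddress.ip_address(host)  # raises ValueError if the host is not an IP
    return host, int(port)


C2_ENDPOINTS = {refang(i) for i in THREATFOX_VSHELL_IOCS}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}

# Hypothetical exclusion for the "admin access" scenario: a documented
# jump-host range. The range is an assumption made for this example.
ADMIN_SOURCE_RANGES = [ipaddress.ip_network("10.50.0.0/24")]

# Constructed events shaped like DeviceNetworkEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-0142", "LocalIP": "10.20.1.5", "RemoteIP": "156.248.73.66",
     "RemotePort": 8084, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "jump-01", "LocalIP": "10.50.0.12", "RemoteIP": "81.68.216.220",
     "RemotePort": 22, "InitiatingProcessFileName": "ssh.exe"},
    {"DeviceName": "jump-01", "LocalIP": "10.50.0.12", "RemoteIP": "114.132.199.206",
     "RemotePort": 18084, "InitiatingProcessFileName": "backup.exe"},
    {"DeviceName": "ws-0077", "LocalIP": "10.20.1.9", "RemoteIP": "8.8.8.8",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws-0077", "LocalIP": "10.20.1.9", "RemoteIP": "156.238.249.187",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
]


def classify(event: dict) -> Optional[dict]:
    """Return a finding for an event that touches a listed C2 IP, else None.

    An exact ip:port match is always reported. An IP-only match (a different
    port on the same host) is the only case an exclusion may suppress, because
    the IOCs are specific C2 endpoints, not whole hosts.
    """
    ip, port = event["RemoteIP"], int(event["RemotePort"])
    if ip not in C2_IPS:
        return None
    exact = (ip, port) in C2_ENDPOINTS
    src = ipaddress.ip_address(event["LocalIP"])
    from_admin_range = any(src in net for net in ADMIN_SOURCE_RANGES)
    return {
        "device": event["DeviceName"],
        "endpoint": f"{ip}:{port}",
        "process": event["InitiatingProcessFileName"],
        "exact_match": exact,
        "suppressed": (not exact) and from_admin_range,
    }


def hunt(events: Iterable[dict]) -> Tuple[List[dict], List[dict]]:
    """Split events into (alerts, suppressed) findings; exact matches sort first."""
    findings = [f for f in (classify(e) for e in events) if f is not None]
    alerts = sorted((f for f in findings if not f["suppressed"]),
                    key=lambda f: not f["exact_match"])
    suppressed = [f for f in findings if f["suppressed"]]
    return alerts, suppressed


if __name__ == "__main__":
    found, dropped = hunt(SAMPLE_EVENTS)
    for f in found:
        print("ALERT     ", f)
    for f in dropped:
        print("SUPPRESSED", f)
```

Run against the sample events, the two exact ip:port hits and the IP-only hit from a workstation are reported, while the jump host's SSH session to 81.68.216.220:22 (a listed IP on a port that is not in the IOC set) is the only finding the admin-range exclusion suppresses; the jump host's exact hit on 114.132.199.206:18084 is still reported.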