The ThreatFox: VShell IOCs rule flags network traffic to or from the command-and-control endpoints that ThreatFox attributes to the VShell malware family (all three are listed as botnet_cc at 100% confidence). VShell is a remote-access backdoor known for its persistence and lateral-movement capabilities, so SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) and triage any hit before the operator can move further into the network.
IOC Summary
Malware Family: VShell
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 38[.]45[.]125[.]101:8084 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 116[.]181[.]16[.]176:9876 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 103[.]207[.]68[.]231:8443 | botnet_cc | 2026-05-21 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Ports are intentionally not filtered: traffic to or from a listed C2 IP on any
// port is worth review. DestinationPort is projected so the listed port can be
// confirmed during triage.
let malicious_ips = dynamic(["38.45.125.101", "116.181.16.176", "103.207.68.231"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell
// InitiatingProcessFileName identifies the process that opened the connection,
// which is what the false-positive review below is based on.
let malicious_ips = dynamic(["38.45.125.101", "116.181.16.176", "103.207.68.231"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
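The two hunts above match on IP address only, which is the right default for a hunt but loses the port half of each ip:port indicator. The following Python is an added example (not part of the ThreatFox feed or the Sentinel rule): it refangs the defanged indicators from the table, renders a port-aware variant of the KQL that keeps the broad IP match while flagging exact ip:port hits, and runs the same matching logic over a few constructed log records so the behaviour can be checked offline. The `Event` class, the `SAMPLE_EVENTS` records and the helper names are assumptions made for the example.

```python
"""Port-aware matching for the ThreatFox VShell ip:port indicators (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Indicators exactly as they appear in the IOC table above (defanged with [.]).
THREATFOX_VSHELL_IOCS = [
    "38[.]45[.]125[.]101:8084",
    "116[.]181[.]16[.]176:9876",
    "103[.]207[.]68[.]231:8443",
]


def refang_ip_port(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into a validated (ip, port) pair."""
    host, sep, port = ioc.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port indicator: {ioc!r}")
    ip = str(ipaddress.IPv4Address(host))  # raises ValueError on malformed input
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range in {ioc!r}")
    return ip, port_num


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for a CommonSecurityLog / DeviceNetworkEvents row (assumed shape)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    process: str = ""


def match_events(events, iocs=THREATFOX_VSHELL_IOCS):
    """Return (event, port_match) for every event that touches a listed C2 IP.

    The IP test alone is what the KQL above does. port_match additionally
    confirms that the destination ip:port equals a ThreatFox-listed pair, the
    higher-confidence signal, without dropping traffic to the C2 IP on another port.
    """
    pairs = {refang_ip_port(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for ev in events:
        if ev.dst_ip in ips or ev.src_ip in ips:
            hits.append((ev, (ev.dst_ip, ev.dst_port) in pairs))
    return hits


def build_kql(iocs=THREATFOX_VSHELL_IOCS, table="CommonSecurityLog",
              src_col="SourceIP", dst_col="DestinationIP",
              port_col="DestinationPort", time_col="TimeGenerated"):
    """Render a Sentinel KQL hunt that keeps the broad IP match and adds a PortMatch column."""
    pairs = [refang_ip_port(i) for i in iocs]
    ip_list = ", ".join(f'"{ip}"' for ip, _ in pairs)
    pair_list = ", ".join(f'"{ip}:{port}"' for ip, port in pairs)
    return "\n".join([
        f"let malicious_ips = dynamic([{ip_list}]);",
        f"let malicious_pairs = dynamic([{pair_list}]);",
        table,
        f"| where {dst_col} in (malicious_ips) or {src_col} in (malicious_ips)",
        f'| extend PortMatch = strcat({dst_col}, ":", tostring({port_col})) in (malicious_pairs)',
        f"| order by {time_col} desc",
    ])


# Constructed sample records for the offline check; not real telemetry.
SAMPLE_EVENTS = [
    Event("10.0.0.5", "38.45.125.101", 8084, "svchost.exe"),   # exact ip:port hit
    Event("10.0.0.7", "103.207.68.231", 443, "chrome.exe"),    # listed C2 IP, other port
    Event("10.0.0.9", "8.8.8.8", 53, "dns.exe"),               # clean
    Event("116.181.16.176", "10.0.0.3", 9876, ""),             # inbound from a listed C2 IP
]


if __name__ == "__main__":
    print(build_kql())
    print(build_kql(table="DeviceNetworkEvents", src_col="LocalIP", dst_col="RemoteIP",
                    port_col="RemotePort", time_col="Timestamp"))
    for ev, port_match in match_events(SAMPLE_EVENTS):
        print(f"{ev.src_ip} -> {ev.dst_ip}:{ev.dst_port} ({ev.process or 'n/a'}) "
              f"port_match={port_match}")
```

Running the script prints both port-aware hunts (the DeviceNetworkEvents variant uses RemoteIP, RemotePort and Timestamp) and reports three of the four sample events: only the first is an exact ip:port match, but the connection to 103.207.68.231 on port 443 and the inbound connection from 116.181.16.176 are still surfaced, which is why the port should be used to rank hits rather than to filter them out.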
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled; it is populated by CEF/Syslog-based connectors (firewalls, proxies, network appliances) |
| DeviceNetworkEvents | Ensure this data connector is enabled; it is populated by the Microsoft Defender XDR connector (Defender for Endpoint telemetry) |
False-Positive Scenarios
The hunts above match on IP address, not on process name, so an exclusion based on a command line only applies once a hit has been joined to process telemetry (DeviceNetworkEvents carries InitiatingProcessCommandLine and InitiatingProcessAccountName). A process literally named vshell in a maintenance or administration context is more likely VanDyke's VShell SSH/SFTP server than the malware; in either case a connection to one of the three listed C2 addresses should be investigated, not excluded on the strength of a command line alone.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that invokes vshell as part of a maintenance routine such as log rotation or backup.
Filter/Exclusion: Exclude connections whose initiating process was started by the Windows Task Scheduler and whose command line contains vshell together with a known maintenance script path (e.g., C:\Windows\System32\logrotate.bat).
Scenario: Admin User Performing Remote Management
Description: An administrator uses vshell to manage a server remotely through a legitimate remote-administration tool such as PsExec or WinRM.
Filter/Exclusion: Exclude connections where the initiating account is a domain admin and the command line includes PsExec or WinRM with a known management script or a known management IP address.
Scenario: Log Collection via VShell
Description: A log-collection tool such as Splunk or the ELK stack invokes vshell to pull logs from remote servers as part of a centralized logging setup.
Filter/Exclusion: Exclude connections where the command line includes Splunk or logstash and the destination is a known log-collection server (e.g., 10.10.10.10).
Scenario: Database Backup via VShell
Description: A database backup job uses vshell to transfer backup files from a remote SQL Server or Oracle instance to local storage.
Filter/Exclusion: Exclude connections where the command line includes sqlbackup or expdp and the destination path is a known backup directory (e.g., D:\Backups\).
Scenario: Network Monitoring Tool Using VShell
Description: A network monitoring tool like Nagios or Zabbix uses vshell to check the status of