The ThreatFox: XWorm IOCs rule hunts for command-and-control infrastructure that abuse.ch's ThreatFox feed attributes to XWorm, a commodity .NET remote access trojan that establishes persistence on the host and gives the operator remote control, data theft and the ability to stage further payloads. The three indicators below are botnet C2 endpoints. SOC teams should hunt for them in Microsoft Sentinel (formerly Azure Sentinel) to find infected hosts early, before the operator uses that foothold to move further into the network; a match on a C2 address indicates an already compromised host, not a delivery attempt, so treat hits as incidents rather than as blocked events.
IOC Summary
Malware Family: XWorm
Total IOCs: 3
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 192[.]3[.]171[.]227:8823 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 104[.]168[.]5[.]18:8823 | botnet_cc | 2026-05-11 | 75% |
| domain | aliexpress.us.com | botnet_cc | 2026-05-10 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XWorm
// Note: the feed lists ip:port pairs (both on port 8823). This query matches on the IP
// alone and keeps the port in the output so the analyst can see whether the full pair hit.
let malicious_ips = dynamic(["104.168.5.18", "192.3.171.227"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XWorm
// InitiatingProcessFileName is the fastest triage pivot: it names the process that
// opened the connection to the C2 address.
let malicious_ips = dynamic(["104.168.5.18", "192.3.171.227"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XWorm
// has_any does term matching, so sub-domains such as www.aliexpress.us.com also match.
let malicious_domains = dynamic(["aliexpress.us.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
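The three queries above each ignore part of the indicator: the IP hunts drop the port from the ip:port IOCs, and the DNS hunt relies on term matching. The query below is an added example, not the ThreatFox rule's own query, that runs one port-aware hunt across all three tables and returns a single normalised result set. It assumes the standard Sentinel schemas for CommonSecurityLog, DeviceNetworkEvents and DnsEvents; the 30-day lookback, the column names chosen for the union (Host, LocalIP, Indicator, Process, Action) and the C2PortMatch flag are this example's own choices.

```kusto
// Added example: one port-aware XWorm C2 hunt across CEF, Defender and DNS telemetry.
// Not part of the ThreatFox feed or the original rule; lookback and column names are assumptions.
let lookback = 30d;
// ip:port pairs refanged exactly as listed in the IOC table
let c2_endpoints = datatable(ip:string, port:int) [
    "192.3.171.227", 8823,
    "104.168.5.18",  8823
];
let c2_ips = toscalar(c2_endpoints | summarize make_list(ip));
let c2_domains = dynamic(["aliexpress.us.com"]);
// Firewall/proxy CEF logs: keep whichever side of the flow is the listed IP
let cef_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DestinationIP in (c2_ips) or SourceIP in (c2_ips)
    | extend Outbound = DestinationIP in (c2_ips)
    | project TimeGenerated, Source = "CommonSecurityLog", Host = DeviceName,
              LocalIP = iff(Outbound, SourceIP, DestinationIP),
              Indicator = iff(Outbound, DestinationIP, SourceIP),
              RemotePort = iff(Outbound, DestinationPort, SourcePort),
              Process = "", Action = DeviceAction;
// Defender for Endpoint: the initiating process is what makes triage quick
let mde_hits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIP in (c2_ips)
    | project TimeGenerated = Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
              LocalIP, Indicator = RemoteIP, RemotePort,
              Process = InitiatingProcessFileName, Action = ActionType;
// DNS: exact name or any sub-domain of a listed domain (e.g. www.aliexpress.us.com),
// without the looser term matching of has_any
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | extend QueryName = tolower(Name), Doms = c2_domains
    | mv-expand Dom = Doms to typeof(string)
    | where QueryName == Dom or QueryName endswith strcat(".", Dom)
    | project TimeGenerated, Source = "DnsEvents", Host = Computer,
              LocalIP = ClientIP, Indicator = QueryName, RemotePort = int(null),
              Process = "", Action = tostring(IPAddresses);
union cef_hits, mde_hits, dns_hits
// Flag hits that match the full ip:port pair. An IP-only hit on another port may be
// unrelated traffic to a shared host and needs more context before escalation.
| join kind=leftouter (c2_endpoints | project Indicator = ip, RemotePort = port, PairMatch = true)
    on Indicator, RemotePort
| extend C2PortMatch = coalesce(PairMatch, false)
| project-away PairMatch, Indicator1, RemotePort1
| order by TimeGenerated desc
```

Rows with C2PortMatch == true and a non-empty Process column are the ones to escalate first; a DNS-only hit with no accompanying connection usually means the resolver saw the query but the connection was blocked or never made, which is still worth checking on the querying host. If DNS is collected through the AMA-based connector rather than the legacy agent, point the dns_hits branch at ASimDnsActivityLogs and adjust the column names accordingly.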
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connectors (firewalls, proxies); ensure the connector is enabled and that the devices log allowed outbound traffic, not only blocks |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; hosts must be onboarded to Defender for Endpoint |
| DnsEvents | Populated by the legacy Windows DNS events connector (Log Analytics agent); deployments using DNS via AMA write to ASimDnsActivityLogs instead, so the DNS query must be pointed at that table |
False Positive Scenarios
The hunts above match only on remote IP, port and domain; they do not inspect process names, command lines or file paths, so none of the tools below can trigger them on their own. The scenarios matter once a hit is being triaged in DeviceNetworkEvents, where InitiatingProcessFileName shows which program made the connection.
Scenario: Scheduled System Backup Using tar and rsync
Description: A scheduled backup job that archives with tar and pushes the result with rsync produces regular outbound connections. It matches these IOCs only if the rsync destination is one of the listed IPs; tar and rsync are not indicators themselves.
Filter/Exclusion: In DeviceNetworkEvents, compare InitiatingProcessFileName (rsync) and RemotePort (873 for the rsync daemon, 22 over SSH) with the known backup destinations. Only a connection to a listed IP, in particular on port 8823, warrants escalation.
Scenario: Admin Task Using wget to Download Configuration Files
Description: An administrator fetching configuration files with wget from an internal server connects to internal addresses, which cannot match the public IPs in this IOC set. A wget connection to a listed IP or to aliexpress.us.com, however, is what a payload download would look like and must not be excluded.
Filter/Exclusion: Exclude only on the destination being an internal (RFC 1918) range. Flags such as --no-check-certificate or a custom --user-agent do not indicate legitimate activity; malicious download scripts use them too.
Scenario: Log Collection Using logrotate with gzip
Description: logrotate compresses rotated logs with gzip locally; it makes no network connections or DNS queries and cannot match a network IOC.
Filter/Exclusion: None needed for these hunts. If a gzip or logrotate process appears while triaging a host, it is not the source of the connection; look for the process that actually opened it.
Scenario: Software Update Using yum or apt with Temporary Files
Description: Package managers reach repository mirrors over HTTP/HTTPS; those mirrors are not among the listed IPs, and the temporary files they create under /var/cache/apt/archives/ or /var/cache/yum/ are not indicators.
Filter/Exclusion: If an apt or yum process is the initiator of a hit, verify the remote host against the configured repositories (/etc/apt/sources.list, /etc/yum.repos.d/) before excluding it; a package manager reaching a C2 address is a finding, not a false positive.
Scenario: Network Monitoring Tool Using tcpdump with Custom Filters