The ThreatFox: XWorm IOCs rule detects potential adversary activity associated with the XWorm malware, leveraging known indicators of compromise to identify suspicious behavior in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that may be establishing a foothold or exfiltrating data.
IOC Summary

Malware Family: XWorm
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | tiktikmod.ru.com | botnet_cc | 2026-05-12 | 75% |
| domain | brandy.it.com | botnet_cc | 2026-05-12 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XWorm
let malicious_domains = dynamic(["tiktikmod.ru.com", "brandy.it.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
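The same hunt re-implemented in Python over constructed DnsEvents-shaped rows, as an added example that is not part of the original rule: it makes the intended matching explicit (exact IOC domain or a subdomain of it, ignoring case and a trailing dot, and not a mere substring hit) so the logic can be checked offline before the KQL is scheduled. The row values are constructed, not real telemetry.

```python
"""Added example (not from the original rule page): Python equivalent of the
DnsEvents hunt, run over constructed sample rows."""
from typing import Optional

# IOC values taken from the table on this page.
MALICIOUS_DOMAINS = ("tiktikmod.ru.com", "brandy.it.com")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot a resolver may append ("host.example.")."""
    return name.strip().lower().rstrip(".")


def matches_ioc(name: str, iocs=MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    "cdn.brandy.it.com" matches; "notbrandy.it.com" does not, because the
    check is on label boundaries, not on substring containment."""
    n = normalize(name)
    for ioc in iocs:
        ioc_n = normalize(ioc)
        if n == ioc_n or n.endswith("." + ioc_n):
            return ioc_n
    return None


def hunt(rows):
    """Filter DnsEvents-shaped dicts like the KQL: keep only rows whose Name
    hits an IOC, tag the matched IOC, and return newest first."""
    hits = [dict(r, MatchedIOC=matches_ioc(r["Name"]))
            for r in rows if matches_ioc(r["Name"])]
    return sorted(hits, key=lambda r: r["TimeGenerated"], reverse=True)


# Constructed sample rows (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_ROWS = [
    {"TimeGenerated": "2026-05-12T08:00:00Z", "Computer": "ws01", "Name": "tiktikmod.ru.com",
     "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-05-12T08:05:00Z", "Computer": "ws02", "Name": "CDN.brandy.it.com.",
     "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-05-12T08:06:00Z", "Computer": "ws03", "Name": "notbrandy.it.com",
     "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-05-12T08:07:00Z", "Computer": "ws04", "Name": "example.com",
     "IPAddresses": "", "QueryType": "A"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```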
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe to perform system maintenance (e.g., disk cleanup or log rotation) may trigger the rule if the task name or command line matches XWorm IOCs.
Filter/Exclusion: Check for schtasks.exe in the command line and ensure the task is scheduled via the Task Scheduler GUI or via schtasks.exe with a known legitimate command.

Scenario: PowerShell Script for Log Analysis
Description: A PowerShell script using PowerShell.exe to analyze system logs or perform compliance checks might include commands that resemble XWorm IOCs.
Filter/Exclusion: Filter for PowerShell.exe with a script path in a known legitimate directory (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\) and check for script signing or execution policies.

Scenario: Admin Tool for Network Monitoring
Description: A network monitoring tool like Wireshark.exe or tcpdump.exe might generate traffic patterns that match XWorm IOCs during normal network analysis.
Filter/Exclusion: Filter for known network analysis tools and check for traffic patterns consistent with legitimate monitoring activities (e.g., specific ports, protocols, or IP ranges).

Scenario: Software Update Job Using Group Policy
Description: A Group Policy update job using gpupdate.exe or GroupPolicy.exe could trigger the rule if the command line includes strings similar to XWorm IOCs.
Filter/Exclusion: Filter for gpupdate.exe or GroupPolicy.exe and check for execution context (e.g., run by a domain admin or via a scheduled task with a known update schedule).

Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL