The ThreatFox: XWorm IOCs rule detects potential adversary activity associated with the XWorm malware, leveraging known indicators of compromise to identify suspicious network traffic or system behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be leveraging XWorm for lateral movement or data exfiltration.
IOC Summary
Malware Family: XWorm Total IOCs: 2 IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | gatuso.duckdns.org | botnet_cc | 2026-05-19 | 100% |
| ip:port | 98[.]81[.]111[.]167:443 | botnet_cc | 2026-05-19 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XWorm
let malicious_ips = dynamic(["98.81.111.167"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["98.81.111.167"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XWorm
let malicious_domains = dynamic(["gatuso.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Integrity Check Using Tripwire
Description: A legitimate scheduled job runs Tripwire to verify system integrity, which may trigger the rule if the script path or checksum matches an IOC.
Filter/Exclusion: Exclude processes where process.name contains "tripwire" or process.args includes "--check".
Scenario: Admin Task Using PowerShell for Log Analysis
Description: An administrator uses PowerShell to analyze logs with Get-EventLog or Get-WinEvent, which may include paths or commands resembling XWorm IOCs.
Filter/Exclusion: Exclude processes where process.name is "powershell.exe" and process.args contains "Get-EventLog" or "Get-WinEvent".
Scenario: Regular Software Update via Chocolatey
Description: A system administrator uses Chocolatey to install a legitimate package, which may involve downloading files from URLs matching XWorm IOCs.
Filter/Exclusion: Exclude processes where process.name is "choco.exe" and process.args includes "install" or "update".
Scenario: Backup Job Using Veeam with Temporary Files
Description: A Veeam backup job creates temporary files in a directory that matches an IOC pattern, triggering the rule.
Filter/Exclusion: Exclude processes where process.name is "veeam.exe" and process.args includes "backup" or "backupjob".
Scenario: Network Monitoring Tool Using Wireshark for Traffic Analysis
Description: Wireshark is used to capture and analyze network traffic, which may include IP addresses or domains that match XWorm IOCs.
Filter/Exclusion: Exclude processes where process.name is "wireshark.exe" and process.args includes "capture" or