The ThreatFox: XWorm IOCs rule matches network connections and DNS lookups against the XWorm command-and-control (C2) indicators published by ThreatFox (abuse.ch). XWorm is a commodity remote access trojan, so a host that reaches this infrastructure is most likely already infected and beaconing; SOC teams should hunt for these indicators proactively in Microsoft Sentinel (formerly Azure Sentinel) and contain matching hosts before the operator moves laterally or stages data for exfiltration. Two caveats: the indicators are published at 75% confidence, and the domain is a DuckDNS dynamic DNS name whose resolved address can change, so hunt on the domain as well as on the listed IPs.
IOC Summary
Malware Family: XWorm
Total IOCs: 3
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | globalwealth2026.duckdns.org | botnet_cc | 2026-05-20 | 75% |
| ip:port | 176[.]65[.]139[.]194:6000 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 68[.]219[.]64[.]89:4444 | botnet_cc | 2026-05-19 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XWorm
// Matching on IP alone is deliberately broad. The published IOC ports are
// 6000 and 4444; a hit on another port still merits a look but is weaker evidence.
let malicious_ips = dynamic(["176.65.139.194", "68.219.64.89"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XWorm
// The initiating process (name and command line) is the key triage field:
// it tells you which binary on the host opened the connection.
let malicious_ips = dynamic(["176.65.139.194", "68.219.64.89"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XWorm
// has_any also matches hostnames under the IOC domain (e.g. a label prefixed
// to globalwealth2026.duckdns.org), which is intended here.
let malicious_domains = dynamic(["globalwealth2026.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
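The three hunts above apply the same matching offline, as an added example that is not part of the page, the ThreatFox feed, or any Sentinel query. It refangs the defanged IOC table, builds the ip, ip:port and domain sets the KQL `let` statements use, runs them over a few constructed sample events whose keys loosely mirror the CommonSecurityLog, DeviceNetworkEvents and DnsEvents columns, and renders the `let` statements so the lists never have to be retyped by hand. The sample events, the `min_confidence` threshold and all function names are assumptions for the demonstration.

```python
"""Offline IOC matching for the ThreatFox XWorm indicators (added example)."""
import re
from dataclasses import dataclass

# IOC rows exactly as published in the table above, still defanged with [.]
IOC_ROWS = [
    ("domain", "globalwealth2026.duckdns.org", "botnet_cc", "2026-05-20", 75),
    ("ip:port", "176[.]65[.]139[.]194:6000", "botnet_cc", "2026-05-20", 75),
    ("ip:port", "68[.]219[.]64[.]89:4444", "botnet_cc", "2026-05-19", 75),
]


def refang(value: str) -> str:
    """Undo common defanging so values match live telemetry: [.] -> . and hxxp -> http."""
    return re.sub(r"\[\.\]", ".", value).replace("hxxp", "http")


@dataclass(frozen=True)
class IocSet:
    ips: frozenset        # bare IPs, matched broadly like the KQL `in (malicious_ips)`
    ip_ports: frozenset   # (ip, port) tuples from ip:port IOCs, for the stronger exact match
    domains: frozenset


def build_ioc_set(rows, min_confidence=0) -> IocSet:
    """Refang and bucket IOC rows by type, dropping rows below the confidence threshold."""
    ips, ip_ports, domains = set(), set(), set()
    for ioc_type, value, _threat_type, _first_seen, confidence in rows:
        if confidence < min_confidence:
            continue
        value = refang(value).lower()
        if ioc_type == "domain":
            domains.add(value)
        elif ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ips.add(ip)
            ip_ports.add((ip, int(port)))
        elif ioc_type == "ip":
            ips.add(value)
    return IocSet(frozenset(ips), frozenset(ip_ports), frozenset(domains))


def domain_matches(name: str, domains) -> bool:
    """True if name equals an IOC domain or is a hostname under it (like KQL has_any)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def match_event(event: dict, iocs: IocSet) -> list:
    """Return (field, reason) hits for one event, mirroring the three KQL hunts."""
    hits = []
    for ip_field, port_field in (("DestinationIP", "DestinationPort"),
                                 ("SourceIP", "SourcePort"),
                                 ("RemoteIP", "RemotePort")):
        ip = event.get(ip_field)
        if ip in iocs.ips:
            exact = (ip, event.get(port_field)) in iocs.ip_ports
            hits.append((ip_field, "ip:port match" if exact else "ip match (port differs from IOC)"))
    for domain_field in ("Name", "RemoteUrl"):  # DnsEvents.Name / DeviceNetworkEvents.RemoteUrl (host only)
        name = event.get(domain_field)
        if name and domain_matches(name, iocs.domains):
            hits.append((domain_field, "domain match"))
    return hits


def hunt(events, iocs: IocSet) -> list:
    """Run match_event over every event and keep only the ones with hits."""
    results = []
    for event in events:
        hits = match_event(event, iocs)
        if hits:
            results.append((event, hits))
    return results


def kql_let_statements(iocs: IocSet) -> str:
    """Render the let statements the hunts use from the refanged IOC set."""
    ips = ", ".join(f'"{ip}"' for ip in sorted(iocs.ips))
    domains = ", ".join(f'"{d}"' for d in sorted(iocs.domains))
    return (f"let malicious_ips = dynamic([{ips}]);\n"
            f"let malicious_domains = dynamic([{domains}]);")


# Constructed sample events (assumed, not real telemetry); keys mirror Sentinel columns.
SAMPLE_EVENTS = [
    {"src": "CommonSecurityLog", "SourceIP": "10.0.0.5", "DestinationIP": "176.65.139.194", "DestinationPort": 6000},
    {"src": "DeviceNetworkEvents", "DeviceName": "WS01", "RemoteIP": "68.219.64.89", "RemotePort": 443,
     "InitiatingProcessFileName": "svchost.exe"},
    {"src": "DnsEvents", "Computer": "WS02", "Name": "globalwealth2026.duckdns.org"},
    {"src": "DnsEvents", "Computer": "WS03", "Name": "update.duckdns.org"},  # other DuckDNS host: no hit
    {"src": "CommonSecurityLog", "SourceIP": "10.0.0.7", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    iocs = build_ioc_set(IOC_ROWS, min_confidence=75)
    print(kql_let_statements(iocs))
    for event, hits in hunt(SAMPLE_EVENTS, iocs):
        print(event["src"], hits)
```

The port-aware reason string is the point of the ip:port handling: a connection to 68.219.64.89 on 443 is still worth triage, but a hit on the published port is the stronger signal and should be prioritised. Raising `min_confidence` above 75 drops every row on this page, which is the right behaviour for a feed consumer that only wants high-confidence indicators.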
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by CEF-based connectors (firewalls, proxies); ensure the relevant connector is enabled |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector (Defender for Endpoint telemetry); ensure it is enabled |
| DnsEvents | Populated by the Windows DNS Events connector; ensure it is enabled on the DNS servers |
False Positive Scenarios

The scenarios below describe benign traffic that behavioral C2 detections commonly flag. A direct hit on one of the IOCs above is different: maintenance scripts, backup agents and update services have no reason to reach this infrastructure, so such a hit should be triaged, not excluded.

**Scenario:** Legitimate scheduled job using PowerShell for system maintenance
**Description:** A scheduled task runs a PowerShell script to perform routine system updates or patching, which may include network communication to internal servers.
**Filter/Exclusion:** Exclude the known maintenance scripts by script path (powershell.exe launched with -File or -Command pointing to an approved internal script) together with the internal destinations they reach. Do not exclude on powershell.exe alone, since malware loaders also run under it.

**Scenario:** Admin using Cobalt Strike for red team exercise
**Description:** A security team member is conducting a red team simulation using Cobalt Strike, which generates network traffic resembling C2 communication.
**Filter/Exclusion:** Exclude by the engagement's approved team server addresses, source hosts and time window, or by the accounts used for the test. Process-name exclusions (e.g. cobaltstrike.exe, teamserver.exe) are unreliable because beacons on the target are rarely named after the tool.

**Scenario:** Cloud backup service using AWS S3 API
**Description:** A cloud backup tool (e.g., Veeam, AWS Backup) communicates with an S3 bucket to transfer data, which may be flagged because of similar network patterns (large, regular outbound transfers).
**Filter/Exclusion:** Exclude traffic from the backup tools (e.g., awscli, veeam.exe) to the organisation's known bucket endpoints and the backup service accounts, not S3 traffic in general.

**Scenario:** User accessing an internal portal
**Description:** An authenticated user accesses an internal portal (e.g., Jira, Confluence) whose traffic resembles the flagged pattern. Note that the same access through a compromised session is a true positive, not a false positive.
**Filter/Exclusion:** Exclude traffic to the known internal application hostnames (e.g., confluence.example.com). Do not blanket-exclude users with elevated privileges; those are the accounts an attacker most wants to use.

**Scenario:** System update via Microsoft Intune or SCCM
**Description:** A device receives a system update via Microsoft Intune or SCCM, which involves communication with Microsoft servers or internal distribution points.
**Filter/Ex