The ThreatFox: Aisuru IOCs rule detects potential adversary activity linked to the Aisuru threat group, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises from known malicious actors.
IOC Summary
Malware Family: Aisuru
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 129[.]212[.]233[.]8:8443 | botnet_cc | 2026-06-24 | 100% |
| ip:port | 206[.]189[.]94[.]70:8443 | botnet_cc | 2026-06-24 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Aisuru
// The IOCs are ip:port pairs (port 8443); this query matches on IP alone so that
// connections to the same host on another port are not missed. DestinationPort is
// projected so the analyst can confirm the port during triage.
let malicious_ips = dynamic(["129.212.233.8", "206.189.94.70"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Same IOC list; RemotePort is projected for the same reason (IOC port is 8443).
let malicious_ips = dynamic(["129.212.233.8", "206.189.94.70"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
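The hunt queries above match on IP only, while the ThreatFox IOCs are ip:port pairs. The following added example (not part of the original rule or of ThreatFox) refangs the defanged IOC rows from the table, emits the `dynamic([...])` list the queries use, and matches sample events on both IP and port, reporting IP-only hits separately for triage. The IOC rows and events are constructed copies of what this page shows.

```python
"""Refang ThreatFox ip:port IOCs, emit the KQL IOC list, and match IP+port locally."""
import re
from typing import Iterable

# Constructed copy of the IOC table rows on this page (defanged form).
THREATFOX_ROWS = [
    "ip:port | 129[.]212[.]233[.]8:8443 | botnet_cc | 2026-06-24 | 100%",
    "ip:port | 206[.]189[.]94[.]70:8443 | botnet_cc | 2026-06-24 | 100%",
]

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value: str) -> str:
    """Turn the defanged '129[.]212[.]233[.]8' back into '129.212.233.8'."""
    return value.replace("[.]", ".")


def parse_ip_port_rows(rows: Iterable[str]) -> set[tuple[str, int]]:
    """Return (ip, port) pairs from ip:port rows, rejecting malformed values."""
    pairs = set()
    for row in rows:
        cells = [c.strip() for c in row.split("|")]
        if len(cells) < 2 or cells[0] != "ip:port":
            continue  # only ip:port IOCs belong in these network hunts
        ip, _, port = refang(cells[1]).rpartition(":")
        if not _IPV4.match(ip) or not port.isdigit():
            raise ValueError(f"malformed ip:port IOC: {cells[1]!r}")
        pairs.add((ip, int(port)))
    return pairs


def kql_ip_list(pairs: set[tuple[str, int]]) -> str:
    """Render the 'let malicious_ips = dynamic([...]);' line used by the hunt queries."""
    ips = sorted({ip for ip, _ in pairs})
    return "let malicious_ips = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"


def match_events(events: Iterable[dict], pairs: set[tuple[str, int]]):
    """Split events into exact (ip, port) IOC hits and IP-only hits on another port."""
    ioc_ips = {ip for ip, _ in pairs}
    full, ip_only = [], []
    for ev in events:
        if (ev["RemoteIP"], ev["RemotePort"]) in pairs:
            full.append(ev)
        elif ev["RemoteIP"] in ioc_ips:
            ip_only.append(ev)
    return full, ip_only
```

The IP-only list is worth keeping rather than dropping: the same host serving a different port still indicates contact with attacker infrastructure and should be triaged, just at a different priority.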
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that uses a tool like PowerShell or Task Scheduler to perform routine maintenance, which may trigger the detection logic due to similar command-line patterns.
Filter/Exclusion: Exclude processes initiated by Task Scheduler or with CommandLine containing schtasks.exe or powershell.exe -Command.
Scenario: Admin Task Using PowerShell for Log Analysis
Description: An administrator uses PowerShell to analyze system logs or perform forensic analysis, which may include commands that resemble malicious activity.
Filter/Exclusion: Exclude processes with CommandLine containing Get-EventLog, Get-WinEvent, or Invoke-Command executed by a known admin account.
Scenario: Legitimate Software Update Process
Description: A software update process, such as using WSUS or Group Policy, may involve downloading or executing files that match the IOC patterns.
Filter/Exclusion: Exclude processes initiated by wsusutil.exe, gpupdate /force, or with User field matching a domain admin account.
Scenario: Database Backup Job Using SQLCMD
Description: A database backup job using SQLCMD or T-SQL scripts may include commands that resemble malicious payloads due to similar syntax.
Filter/Exclusion: Exclude processes with CommandLine containing sqlcmd.exe or BACKUP DATABASE commands executed by a service account.
Scenario: Network Monitoring Tool with Custom Scripts
Description: A network monitoring tool like Wireshark or tcpdump may use custom scripts or plugins that include IOCs due to similar string patterns.
Filter/Exclusion: Exclude processes with CommandLine containing tcpdump, wireshark, or