The ThreatFox: Tsunami IOCs rule matches Azure Sentinel telemetry against indicators of compromise that ThreatFox attributes to the Tsunami malware family: one IP:port pair and three SHA-256 file hashes. SOC teams should hunt for these indicators proactively to surface compromised hosts early and limit lateral movement within their environment.
IOC Summary
Malware Family: Tsunami
Total IOCs: 4
IOC Types: sha256_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]133[.]157[.]218:6379 | payload_delivery | 2026-06-12 | 85% |
| sha256_hash | ef9a91a7f3423d779353baebed34aa1f3b6104e7e4730c77fe8457b42a576ac5 | payload | 2026-06-12 | 85% |
| sha256_hash | e9c924c170332d42cae71bb9113ed9556cf91d5c50257b316eb433be9a211fb7 | payload | 2026-06-12 | 85% |
| sha256_hash | f32b209d33c4194f37dbbf2a677c4faf78cf6b24cf2474bf1c14aed17af40b2e | payload | 2026-06-12 | 85% |
Hunting Queries

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Tsunami
// The IOC is 43.133.157.218:6379; the port is left out of the filter so that any
// contact with the host is surfaced. DestinationPort is projected for triage.
let malicious_ips = dynamic(["43.133.157.218"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Tsunami
let malicious_ips = dynamic(["43.133.157.218"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Tsunami
// All indicators in this feed are SHA-256, so only the SHA256 column is compared;
// a 64-character SHA-256 value can never match the SHA1 or MD5 columns.
let malicious_hashes = dynamic(["ef9a91a7f3423d779353baebed34aa1f3b6104e7e4730c77fe8457b42a576ac5", "e9c924c170332d42cae71bb9113ed9556cf91d5c50257b316eb433be9a211fb7", "f32b209d33c4194f37dbbf2a677c4faf78cf6b24cf2474bf1c14aed17af40b2e"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
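The IOC table above is defanged (`43[.]133[.]157[.]218`) while the queries need plain values, and the network IOC carries a port that the queries ignore. The following Python script is an added example, not part of the ThreatFox page or the rule itself: it refangs the feed rows, validates each value (rejecting malformed IPs, ports and hashes), and renders a port-aware network hunt plus the hash hunt as KQL. The `SAMPLE_IOCS` list is constructed from the table; the `datatable`/`join` form of the network query is this example's own choice, not the rule's.

```python
"""Turn defanged ThreatFox IOC rows into validated KQL hunting queries."""
import ipaddress
import re

# Constructed sample input: the four indicators from the IOC table, as (type, defanged value).
SAMPLE_IOCS = [
    ("ip:port", "43[.]133[.]157[.]218:6379"),
    ("sha256_hash", "ef9a91a7f3423d779353baebed34aa1f3b6104e7e4730c77fe8457b42a576ac5"),
    ("sha256_hash", "e9c924c170332d42cae71bb9113ed9556cf91d5c50257b316eb433be9a211fb7"),
    ("sha256_hash", "f32b209d33c4194f37dbbf2a677c4faf78cf6b24cf2474bf1c14aed17af40b2e"),
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value):
    """Undo the usual defanging conventions so the value can be matched in telemetry."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_iocs(rows):
    """Validate each (type, value) row.

    Returns {'ips': [(ip, port), ...], 'sha256': [hash, ...], 'rejected': [raw, ...]}.
    Malformed rows are reported rather than silently dropped, because a typo in a
    feed value would otherwise make the hunt miss quietly.
    """
    ips, hashes, rejected = [], [], []
    for ioc_type, raw in rows:
        value = refang(raw.strip())
        if ioc_type == "ip:port":
            host, _, port = value.rpartition(":")
            host = host.strip("[]")  # tolerate bracketed IPv6 literals
            try:
                ipaddress.ip_address(host)
                port_num = int(port)
                if not 0 < port_num < 65536:
                    raise ValueError("port out of range")
            except ValueError:
                rejected.append(raw)
                continue
            ips.append((host, port_num))
        elif ioc_type == "sha256_hash":
            digest = value.lower()
            if SHA256_RE.match(digest):
                hashes.append(digest)
            else:
                rejected.append(raw)
        else:
            rejected.append(raw)  # only the two types present in this feed are handled
    return {"ips": ips, "sha256": hashes, "rejected": rejected}


def render_kql(parsed):
    """Render a port-aware network hunt and a SHA-256 file hunt as KQL strings."""
    endpoint_rows = ", ".join(f'"{ip}", {port}' for ip, port in parsed["ips"])
    hash_rows = ", ".join(f'"{h}"' for h in parsed["sha256"])
    # A datatable keeps IP and port paired, so 43.133.157.218 on another port does not
    # match by itself; the per-IP query on the page is the looser alternative.
    network = (
        "// Generated: network hunt keyed on IP and port together\n"
        f"let malicious_endpoints = datatable(RemoteIP:string, RemotePort:int) [{endpoint_rows}];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner malicious_endpoints on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )
    files = (
        "// Generated: hash hunt, SHA-256 only because the feed type is sha256_hash\n"
        f"let malicious_hashes = dynamic([{hash_rows}]);\n"
        "DeviceFileEvents\n"
        "| where SHA256 in (malicious_hashes)\n"
        "| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName\n"
        "| order by Timestamp desc"
    )
    return {"network": network, "files": files}


if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE_IOCS)
    for raw in parsed["rejected"]:
        print(f"rejected indicator: {raw}")
    queries = render_kql(parsed)
    print(queries["network"])
    print()
    print(queries["files"])
```

Pasting the rendered queries into Sentinel gives the same hunts as above, except that the network hunt only fires on the exact IP:port pair from the feed; drop the `RemotePort` column from the `datatable` and the `join` if you prefer the broader any-port match.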
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may trigger the rule due to the presence of similar file paths or network connections.
Filter/Exclusion: Exclude processes initiated by veeam.exe or check for the presence of Veeam in the process name or command line arguments.
Scenario: Windows Task Scheduler Running PowerShell Scripts for System Maintenance
Description: A scheduled PowerShell script running via Task Scheduler for system maintenance (e.g., log cleanup, registry defragmentation) may match the IOCs due to similar command-line arguments or file paths.
Filter/Exclusion: Filter out processes started by schtasks.exe or check for the presence of Task Scheduler in the parent process or command line.
Scenario: Admin Using PowerShell for Log Analysis with Splunk
Description: An administrator using PowerShell to analyze logs with Splunk may trigger the rule due to similar network connections or file access patterns.
Filter/Exclusion: Exclude processes where the user is a domain admin or check for the presence of Splunk in the command line or process name.
Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent job performing a database backup may trigger the rule due to similar file access or network activity.
Filter/Exclusion: Filter out processes initiated by sqlservr.exe or check for the presence of SQL Server Agent in the parent process or command line.
Scenario: Network Monitoring Tool Using Wireshark for Traffic Analysis
Description: A network monitoring tool like Wireshark capturing traffic on a monitored network may trigger the rule due to similar network connections or file access.
Filter/Exclusion: Exclude processes initiated by `wireshark.exe