The ThreatFox: Tsunami IOCs rule detects potential adversary activity linked to the Tsunami malware family by matching network telemetry against the known malicious indicators listed below. SOC teams should proactively hunt for this activity in Azure Sentinel to detect and respond to advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Tsunami
Total IOCs: 4
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 94[.]140[.]120[.]193:8080 | botnet_cc | 2026-06-04 | 75% |
| domain | rc.de-zahlung.eu | botnet_cc | 2026-06-04 | 100% |
| domain | rnd.exposedbotnets.ru | botnet_cc | 2026-06-04 | 100% |
| domain | irc.shadow-mods.net | botnet_cc | 2026-06-04 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Tsunami
// ThreatFox lists this indicator as 94.140.120.193:8080; append "and DestinationPort == 8080" to tighten the match if it proves noisy
let malicious_ips = dynamic(["94.140.120.193"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Tsunami
let malicious_ips = dynamic(["94.140.120.193"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Tsunami
// has_any matches on whole terms, so subdomains of the listed names are caught as well; use "Name in~ (malicious_domains)" for exact names only
let malicious_domains = dynamic(["rc.de-zahlung.eu", "rnd.exposedbotnets.ru", "irc.shadow-mods.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
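An added Python helper (not from ThreatFox or this rule page) that refangs the table's defanged values, keeps the port from the ip:port indicator that the queries above drop, and classifies constructed sample events shaped like the three Sentinel tables; the domain check uses suffix matching so a subdomain of an IOC counts but a lookalike does not.

```python
# Constructed copy of the page's IOC table rows, defanged the way ThreatFox publishes them.
IOC_ROWS = [
    ("ip:port", "94[.]140[.]120[.]193:8080"),
    ("domain", "rc.de-zahlung.eu"),
    ("domain", "rnd.exposedbotnets.ru"),
    ("domain", "irc.shadow-mods.net"),
]

def refang(value):
    """Undo common defanging ("[.]", "hxxp") so IOCs compare with raw telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def load_iocs(rows):
    """Build {ip: {ports}} plus a lowercase domain set; keeps the port the KQL above drops."""
    ip_ports, domains = {}, set()
    for ioc_type, value in rows:
        value = refang(value).strip().lower()
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            ip_ports.setdefault(ip, set()).add(int(port))
        elif ioc_type == "domain":
            domains.add(value.rstrip("."))
    return ip_ports, domains

def domain_hit(name, domains):
    """Exact or subdomain match; DNS names are case-insensitive and may carry a trailing dot."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def classify(event, ip_ports, domains):
    """'exact', 'ip-only' (IP matched but port did not: lower confidence) or None for one row."""
    if "Name" in event:  # DnsEvents shape
        return "exact" if domain_hit(event["Name"], domains) else None
    for ip_field, port_field in (("DestinationIP", "DestinationPort"), ("RemoteIP", "RemotePort")):
        ip = event.get(ip_field)  # CommonSecurityLog / DeviceNetworkEvents shapes
        if ip in ip_ports:
            return "exact" if int(event.get(port_field, -1)) in ip_ports[ip] else "ip-only"
    return None

# Constructed sample rows: C2 on the listed port, same IP on another port, a mixed-case
# subdomain of an IOC with a trailing dot, and a lookalike name that must not match.
SAMPLE_EVENTS = [
    {"DestinationIP": "94.140.120.193", "DestinationPort": "8080"},
    {"RemoteIP": "94.140.120.193", "RemotePort": 443},
    {"Name": "beacon.RC.de-zahlung.eu."},
    {"Name": "rc.de-zahlung.eu.example.com"},
]

def hunt(events, rows=IOC_ROWS):  # returns [(event_index, verdict)] for every matching event
    ip_ports, domains = load_iocs(rows)
    return [(i, v) for i, e in enumerate(events) if (v := classify(e, ip_ports, domains))]
```

Unlike the suffix check here, `has_any` in the DNS query matches on whole terms, so verify its hits against the full queried name before escalating.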
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may trigger the rule due to the use of similar IOCs (e.g., network connections or file paths).
Filter/Exclusion: `process.name != "veeambackup" OR process.parent.name != "veeambackup"`
Scenario: Windows Task Scheduler Running Administrative Scripts
Description: A legitimate administrative task scheduled via Windows Task Scheduler (e.g., schtasks.exe) may match the IOCs if it involves similar command-line arguments or file paths.
Filter/Exclusion: `process.name != "schtasks.exe" OR process.parent.name != "services.exe"`
Scenario: Log Management with Splunk Forwarder
Description: The Splunk Universal Forwarder may generate traffic that matches the IOCs if it is sending logs to a centralized server, especially if the destination IP or port is similar to known malicious activity.
Filter/Exclusion: `process.name != "splunkforwarder" OR destination.ip != <known_splunk_server_ip>`
Scenario: PowerShell Script for System Monitoring
Description: A legitimate PowerShell script used for system monitoring (e.g., powershell.exe running a script to check system performance) may trigger the rule if it uses similar command-line arguments or file paths.
Filter/Exclusion: `process.name != "powershell.exe" OR process.parent.name != "explorer.exe"`
Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent job that performs database backups may trigger the rule if it involves network connections or file paths that overlap with the Tsunami IOCs.
Filter/Exclusion: `process.name != "sqlservr.exe`