The ThreatFox: BeaverTail IOCs rule detects potential adversary activity linked to the BeaverTail malware family, which is associated with high-severity malicious behavior. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises from a known advanced threat actor.
IOC Summary
Malware Family: BeaverTail
Total IOCs: 9
IOC Types: sha256_hash, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 23[.]27[.]202[.]27:27017 | payload_delivery | 2026-06-21 | 100% |
| url | hxxp://23[.]27[.]13[.]43/ | payload_delivery | 2026-06-21 | 100% |
| url | hxxp://198[.]105[.]127[.]210/ | payload_delivery | 2026-06-21 | 100% |
| url | hxxp://23[.]27[.]202[.]27:27017/ | payload_delivery | 2026-06-21 | 100% |
| sha256_hash | f5c6be4753d6613c97f1b10c4d93a5d97a8f4fb21eb13da0ed04b23a8a61c2f6 | payload | 2026-06-21 | 100% |
| sha256_hash | 7520924e8d680263216a8eae31e6e2fc4424024ab61d7eb1503b663cb82811d2 | payload | 2026-06-21 | 100% |
| sha256_hash | c2bf4f7f74b80ed3d57473ba9e897fe5b8991e38a99343a46e0f8032e53a4ba7 | payload | 2026-06-21 | 100% |
| ip:port | 23[.]27[.]13[.]43:80 | payload_delivery | 2026-06-21 | 100% |
| ip:port | 198[.]105[.]127[.]210:80 | payload_delivery | 2026-06-21 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - BeaverTail
let malicious_ips = dynamic(["23.27.13.43", "23.27.202.27", "198.105.127.210"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - BeaverTail
let malicious_ips = dynamic(["23.27.13.43", "23.27.202.27", "198.105.127.210"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
// Hunt for access to known malicious URLs
// Source: ThreatFox - BeaverTail
let malicious_urls = dynamic(["http://23.27.13.43/", "http://198.105.127.210/", "http://23.27.202.27:27017/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
// Hunt for files matching known malicious hashes
// Source: ThreatFox - BeaverTail
// All IOCs in this set are SHA-256, so only the SHA256 column is compared;
// matching SHA1 or MD5 against 64-character values can never hit.
let malicious_hashes = dynamic(["f5c6be4753d6613c97f1b10c4d93a5d97a8f4fb21eb13da0ed04b23a8a61c2f6", "7520924e8d680263216a8eae31e6e2fc4424024ab61d7eb1503b663cb82811d2", "c2bf4f7f74b80ed3d57473ba9e897fe5b8991e38a99343a46e0f8032e53a4ba7"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
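As an added example (not part of the ThreatFox rule page or its queries), the helper below takes the defanged IOC rows from the table above, refangs them (`[.]` to `.`, `hxxp` to `http`), drops the port from `ip:port` entries because the hunts match on IP only, skips malformed rows, and renders the `let ... = dynamic([...])` lists the KQL hunts start with. The row tuples and function names are my own construction.

```python
# Added example, not part of the ThreatFox rule page: refang the defanged IOC
# table above and emit the KQL "let" lists the hunting queries start with.
import re

# Constructed input: the rows of the IOC table in the page's defanged form.
IOC_ROWS = [
    ("ip:port", "23[.]27[.]202[.]27:27017"),
    ("url", "hxxp://23[.]27[.]13[.]43/"),
    ("url", "hxxp://198[.]105[.]127[.]210/"),
    ("url", "hxxp://23[.]27[.]202[.]27:27017/"),
    ("sha256_hash", "f5c6be4753d6613c97f1b10c4d93a5d97a8f4fb21eb13da0ed04b23a8a61c2f6"),
    ("sha256_hash", "7520924e8d680263216a8eae31e6e2fc4424024ab61d7eb1503b663cb82811d2"),
    ("sha256_hash", "c2bf4f7f74b80ed3d57473ba9e897fe5b8991e38a99343a46e0f8032e53a4ba7"),
    ("ip:port", "23[.]27[.]13[.]43:80"),
    ("ip:port", "198[.]105[.]127[.]210:80"),
]
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def refang(value: str) -> str:
    """Undo ThreatFox defanging: '[.]' -> '.', 'hxxp://' -> 'http://'."""
    value = value.strip().replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)

def categorise(rows):
    """Refang and de-duplicate IOCs into the three lists the KQL hunts use."""
    out = {"ips": [], "urls": [], "sha256": []}
    for ioc_type, raw in rows:
        val = refang(raw)
        if ioc_type == "ip:port":
            ip, _, port = val.rpartition(":")
            if not port.isdigit():      # malformed row: skip rather than guess
                continue
            val, key = ip, "ips"        # the hunts match on IP only, not port
        elif ioc_type == "url":
            key = "urls"
        elif ioc_type == "sha256_hash" and SHA256_RE.match(val.lower()):
            val, key = val.lower(), "sha256"
        else:
            continue                    # unsupported or malformed indicator
        if val not in out[key]:
            out[key].append(val)
    return out

def kql_let(name: str, values) -> str:
    """Render a KQL statement of the form: let name = dynamic(["a", "b"]);"""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"
```

Paste the three rendered `let` statements in place of the hand-typed lists at the top of each hunt when the ThreatFox export is refreshed.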
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled system backups using Veeam Backup & Replication
Filter/Exclusion: Exclude files or processes associated with veeam or VeeamBackup in the IOC list.

Scenario: Regular PowerShell scripting for log management using LogParser
Filter/Exclusion: Exclude PowerShell scripts that include LogParser.exe or use known log management command-line arguments.

Scenario: Windows Task Scheduler job for daily system health checks
Filter/Exclusion: Exclude tasks with names or paths containing TaskScheduler, schtasks.exe, or Microsoft.Windows.TaskScheduler.

Scenario: Microsoft Intune policy deployment using PowerShell DSC
Filter/Exclusion: Exclude processes or files related to Microsoft.Intune, DSC, or ConfigurationManager.

Scenario: Ansible playbook execution for configuration management on Linux servers
Filter/Exclusion: Exclude files or processes related to ansible, ansible-playbook, or known Ansible modules like copy or template.