The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging these IOCs before significant data loss occurs.
IOC Summary
Malware Family: KongTuke
Total IOCs: 3
IOC Types: sha256_hash, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://dvxfigqyzgd.com/d | payload_delivery | 2026-05-05 | 75% |
| sha256_hash | 0a73595b5c7efcefe1e82174a3492aa903f4760d6c3202cb93e960a9b9cc9fc8 | payload | 2026-05-05 | 75% |
| sha256_hash | 28c86021ad35cc4e42684376314fe52aa02a5c2776c3a79abcc83a896295967e | payload | 2026-05-05 | 75% |
```kql
// Hunt for clicks on known malicious URLs
// Source: ThreatFox - KongTuke
// The IOC table lists the URL defanged (hxxp://); it is refanged to http:// here so it matches live telemetry.
let malicious_urls = dynamic(["http://dvxfigqyzgd.com/d"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - KongTuke
// All IOCs are SHA-256, so only the SHA256 column can match; in~ makes the comparison case-insensitive
// in case the hash was ingested in upper case.
let malicious_hashes = dynamic(["0a73595b5c7efcefe1e82174a3492aa903f4760d6c3202cb93e960a9b9cc9fc8", "28c86021ad35cc4e42684376314fe52aa02a5c2776c3a79abcc83a896295967e"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
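As an added example (not part of the ThreatFox rule page or of the Sentinel queries above), the following Python refangs the defanged IOC values from the summary table and runs the same SHA-256 and URL matching the two KQL queries perform over a few constructed DeviceFileEvents/UrlClickEvents-style records. The sample events, including the benign hash, are constructed for the demonstration, not observed telemetry.

```python
import re

# IOC values copied from the page's IOC table (the URL is defanged as hxxp://).
KONGTUKE_IOCS = [
    ("url", "hxxp://dvxfigqyzgd.com/d"),
    ("sha256_hash", "0a73595b5c7efcefe1e82174a3492aa903f4760d6c3202cb93e960a9b9cc9fc8"),
    ("sha256_hash", "28c86021ad35cc4e42684376314fe52aa02a5c2776c3a79abcc83a896295967e"),
]

def refang(url: str) -> str:
    """Undo common defanging (hxxp:// -> http://, [.] -> .) so the IOC matches live telemetry."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")

def load_iocs(iocs):
    """Build the two lists the KQL 'let' statements hold: a lowercase SHA-256 set and a refanged URL set."""
    hashes = {v.lower() for t, v in iocs if t == "sha256_hash" and re.fullmatch(r"[0-9a-fA-F]{64}", v)}
    urls = {refang(v).lower() for t, v in iocs if t == "url"}
    return hashes, urls

def match_event(event, hashes, urls):
    """Return the IOC an event matches, or None.
    DeviceFileEvents rows are checked on SHA256 (case-insensitive, like KQL in~);
    UrlClickEvents rows are checked on Url at a term boundary, like KQL has, so that
    .../d?ref=mail matches but .../download does not."""
    sha = event.get("SHA256", "").lower()
    if sha in hashes:
        return sha
    url = event.get("Url", "").lower()
    return next((ioc for ioc in urls if re.match(re.escape(ioc) + r"(?![a-z0-9])", url)), None)

def hunt(events, iocs=KONGTUKE_IOCS):
    """Run both checks over a list of events; return [(Timestamp, matched IOC)] in input order."""
    hashes, urls = load_iocs(iocs)
    return [(ev["Timestamp"], m) for ev in events if (m := match_event(ev, hashes, urls))]

# Constructed sample telemetry (not real data) using the Sentinel column names:
# an upper-cased hash hit, a benign file, a URL hit with a query string, a benign URL.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-06T09:00:00Z", "DeviceName": "ws01", "FileName": "update.dll",
     "SHA256": "0A73595B5C7EFCEFE1E82174A3492AA903F4760D6C3202CB93E960A9B9CC9FC8"},
    {"Timestamp": "2026-05-06T09:05:00Z", "DeviceName": "ws02", "FileName": "notes.txt",
     "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"Timestamp": "2026-05-06T09:10:00Z", "AccountUpn": "user@example.com",
     "Url": "http://dvxfigqyzgd.com/d?ref=mail", "ActionType": "ClickAllowed"},
    {"Timestamp": "2026-05-06T09:15:00Z", "AccountUpn": "user@example.com",
     "Url": "https://docs.example.com/d", "ActionType": "ClickAllowed"},
]
```

Calling `hunt(SAMPLE_EVENTS)` returns the two hits (the upper-cased hash and the clicked URL) and skips the benign file and URL.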
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job using rsync or tar may trigger the rule if it includes paths or commands resembling malicious IOCs.
Filter/Exclusion: Exclude processes initiated by the backup scheduler (e.g., cron, systemd-timer, or specific service names like backup-service). Use a filter like:
process.parent_process_name : "cron" OR process.parent_process_name : "systemd-timer"
Scenario: Admin Task – User Management via CLI
Description: An admin using the command line to manage users (e.g., useradd, usermod, or passwd) may inadvertently match IOC patterns in command-line arguments.
Filter/Exclusion: Exclude processes with useradd, usermod, or passwd in the command line. Use a filter like:
process.command_line : "useradd" OR process.command_line : "usermod" OR process.command_line : "passwd"
Scenario: Log Rotation or Monitoring Tool Execution
Description: A log rotation tool like logrotate or monitoring tool like Prometheus may execute scripts or commands that include IOC-like strings.
Filter/Exclusion: Exclude processes associated with log rotation or monitoring tools. Use a filter like:
process.process_name : "logrotate" OR process.process_name : "prometheus"
Scenario: Software Update or Patching Job
Description: A scheduled update or patching job (e.g., using yum, apt, or Chocolatey) may include paths or commands that match the IOC patterns.
Filter/Exclusion: Exclude processes initiated by package managers. Use a filter like: