The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging these IOCs before significant data loss occurs.
IOC Summary
Malware Family: KongTuke
Total IOCs: 4
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://cwrtwright.com/g | payload_delivery | 2026-04-18 | 100% |
| url | hxxps://cwrtwright.com/t | payload_delivery | 2026-04-18 | 100% |
| url | hxxps://cwrtwright.com/file.js | payload_delivery | 2026-04-18 | 100% |
| domain | cwrtwright.com | payload_delivery | 2026-04-18 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["cwrtwright.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://cwrtwright.com/g", "https://cwrtwright.com/t", "https://cwrtwright.com/file.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
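The two KQL hunts above can be replayed offline against exported logs, which is useful for validating the IOC list before scheduling the rule. The Python below is an added example, not part of the ThreatFox feed or the Sentinel rule: it re-fangs the defanged indicators from the IOC table (hxxps:// back to https://), normalises URLs so query strings and host case do not hide a match, treats subdomains of a listed domain as hits while rejecting look-alike names such as notcwrtwright.com, and runs both hunts over constructed DNS and URL-click records (the hostnames WS01..WS04, the account names and the timestamps are invented sample data).

```python
"""Offline replay of the DNS and URL-click IOC hunts (added example).

Indicators come from the IOC table on the page; every log record below
is constructed sample data, not real telemetry.
"""
from urllib.parse import urlsplit

# IOCs exactly as the table lists them, still defanged.
KONGTUKE_IOCS = [
    ("url", "hxxps://cwrtwright.com/g"),
    ("url", "hxxps://cwrtwright.com/t"),
    ("url", "hxxps://cwrtwright.com/file.js"),
    ("domain", "cwrtwright.com"),
]


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a matchable string."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def canonical_url(url: str) -> str:
    """scheme://host/path with lower-cased scheme and host; query and
    fragment dropped (path case is kept, paths are case-sensitive)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"


def build_indicator_sets(iocs):
    """Split the feed into a domain set and a canonical-URL set.
    The host of every URL IOC is added to the domain set as well."""
    domains, urls = set(), set()
    for ioc_type, raw in iocs:
        value = refang(raw)
        if ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
        elif ioc_type == "url":
            canon = canonical_url(value)
            urls.add(canon)
            domains.add(urlsplit(canon).hostname)
    return domains, urls


def domain_matches(name: str, domains) -> bool:
    """Exact match or subdomain of a listed domain; look-alikes that merely
    end with the same characters (notcwrtwright.com) do not match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def hunt_dns(events, domains):
    """Equivalent of the DnsEvents query: records whose Name hits a domain IOC."""
    return [e for e in events if domain_matches(e["Name"], domains)]


def hunt_urls(events, domains, urls):
    """Equivalent of the UrlClickEvents query, plus a weaker domain-only tier
    so a new path on a listed host is still surfaced."""
    hits = []
    for e in events:
        canon = canonical_url(e["Url"])
        host = urlsplit(canon).hostname or ""
        if canon in urls:
            hits.append({**e, "MatchKind": "url"})
        elif domain_matches(host, domains):
            hits.append({**e, "MatchKind": "domain"})
    return hits


# Constructed sample telemetry (not real logs).
DNS_EVENTS = [
    {"TimeGenerated": "2026-04-18T09:12:03Z", "Computer": "WS01", "Name": "cwrtwright.com", "QueryType": "A"},
    {"TimeGenerated": "2026-04-18T09:12:05Z", "Computer": "WS02", "Name": "www.cwrtwright.com.", "QueryType": "A"},
    {"TimeGenerated": "2026-04-18T09:13:10Z", "Computer": "WS03", "Name": "notcwrtwright.com", "QueryType": "A"},
    {"TimeGenerated": "2026-04-18T09:14:00Z", "Computer": "WS04", "Name": "updates.example.com", "QueryType": "AAAA"},
]
URL_CLICKS = [
    {"Timestamp": "2026-04-18T09:12:07Z", "AccountUpn": "alice@corp.example", "Url": "https://cwrtwright.com/file.js?cb=17"},
    {"Timestamp": "2026-04-18T09:12:09Z", "AccountUpn": "bob@corp.example", "Url": "HTTPS://CWRTWRIGHT.COM/g"},
    {"Timestamp": "2026-04-18T09:15:30Z", "AccountUpn": "carol@corp.example", "Url": "https://cwrtwright.com/landing"},
    {"Timestamp": "2026-04-18T09:16:00Z", "AccountUpn": "dave@corp.example", "Url": "https://intranet.example/"},
]


def run_hunt():
    """Run both hunts over the constructed records and return (dns_hits, url_hits)."""
    domains, urls = build_indicator_sets(KONGTUKE_IOCS)
    return hunt_dns(DNS_EVENTS, domains), hunt_urls(URL_CLICKS, domains, urls)


if __name__ == "__main__":
    dns_hits, url_hits = run_hunt()
    for h in dns_hits:
        print("DNS ", h["TimeGenerated"], h["Computer"], h["Name"])
    for h in url_hits:
        print("URL ", h["Timestamp"], h["AccountUpn"], h["Url"], f"[{h['MatchKind']}]")
```

The domain-only tier is the reason the example goes slightly beyond the page's second query: `has_any` on the three listed URLs misses a new path on the same host, whereas matching the host against the domain IOC still catches it, at the cost of a lower-confidence hit that an analyst should triage separately.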
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job uses a script that matches one of the KongTuke IOCs (e.g., a file path or command).
Filter/Exclusion: Exclude processes related to backup tools like Veeam, Commvault, or VSS (Volume Shadow Copy Service). Use a filter like:
process.name != "vssadmin" AND process.name != "veeam" AND process.name != "commvault"
Scenario: Admin Task for Log Management
Description: An administrator is using a tool like LogParser or PowerShell to analyze logs, which may trigger a KongTuke IOC due to similar command structures.
Filter/Exclusion: Exclude processes associated with log management tools such as logparser.exe, powershell.exe (with specific command-line arguments), or splunkd. Use a filter like:
process.name != "logparser.exe" AND process.name != "splunkd" AND NOT (process.name == "powershell.exe" AND (process.args LIKE "%-Command%" OR process.args LIKE "%Get-EventLog%"))
Scenario: Development Environment Testing
Description: A developer is testing a script or application that includes a string matching a KongTuke IOC, such as a hardcoded IP or domain.
Filter/Exclusion: Exclude processes running in development environments or from known development tools like Visual Studio, IntelliJ, or PyCharm. Use a filter like:
process.name != "devenv.exe" AND process.name != "idea64.exe" AND process.name != "pycharm64.exe"
Scenario: Network Monitoring Tool Usage
Description: A