The ThreatFox: KongTuke IOCs rule matches telemetry against indicators that ThreatFox attributes to the KongTuke malware family: two payload hashes and the domains and URLs that deliver them (ThreatFox tags these as payload and payload_delivery indicators). SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) across DNS, URL-click and endpoint file telemetry so that early-stage compromises that still rely on this known delivery infrastructure are found before the payload runs.
IOC Summary
Malware Family: KongTuke
Total IOCs: 9
IOC Types: sha256_hash, url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 90fe8c831a681c8c1dc77a271bb417fd52479fe6fc79d6cb9b7ffaf13f801f93 | payload | 2026-06-09 | 100% |
| sha256_hash | 6af715b5105d6d16e02ee6d1de14410a8a0fd2fb3d7b752bb24be25105fac0b2 | payload | 2026-06-09 | 100% |
| url | hxxps://gerrirsen.icu/api/v1/status | payload_delivery | 2026-06-09 | 100% |
| url | hxxps://human-check.lol/o | payload_delivery | 2026-06-09 | 100% |
| domain | human-check.lol | payload_delivery | 2026-06-09 | 100% |
| url | hxxps://gerrirsen.icu/file.js | payload_delivery | 2026-06-09 | 100% |
| domain | gerrirsen.icu | payload_delivery | 2026-06-09 | 100% |
| url | hxxps://gerrirsen.icu/api/v1/session | payload_delivery | 2026-06-09 | 100% |
| url | hxxps://gerrirsen.icu/api/v1/verify | payload_delivery | 2026-06-09 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
// The list must be refanged (no hxxp / [.]) or nothing will match.
// has_any is case-insensitive and term-based, so it also catches the domain
// when it appears inside a longer queried name.
let malicious_domains = dynamic(["human-check.lol", "gerrirsen.icu"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for clicks on known malicious URLs
// Source: ThreatFox - KongTuke
// UrlClickEvents only records Safe Links clicks from Defender for Office 365;
// browser traffic that never passed through Safe Links will not appear here.
let malicious_urls = dynamic(["https://gerrirsen.icu/api/v1/status", "https://human-check.lol/o", "https://gerrirsen.icu/file.js", "https://gerrirsen.icu/api/v1/session", "https://gerrirsen.icu/api/v1/verify"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - KongTuke
// Only SHA-256 values are published for this family, so comparing the SHA1 and
// MD5 columns against the list can never match; compare SHA256 alone.
// in~ is case-insensitive, which tolerates upper-case hex in the feed.
let malicious_hashes = dynamic(["90fe8c831a681c8c1dc77a271bb417fd52479fe6fc79d6cb9b7ffaf13f801f93", "6af715b5105d6d16e02ee6d1de14410a8a0fd2fb3d7b752bb24be25105fac0b2"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
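The `let` lists in the queries above are hand-copied from the IOC table with the hxxps defanging removed. The script below is an added example, not part of this rule or of ThreatFox, that automates that step for a ThreatFox-style export: it refangs values, validates that every hash really is a SHA-256 digest, derives each URL's host so the DNS hunt also covers URL-only indicators whose bare domain is absent from the feed, and renders both the KQL `let` statements and a CSV that can be uploaded as a Sentinel watchlist. The IOC rows are the nine from the table; the function names and the watchlist columns (SearchKey, IocType, ThreatType) are my own choices.

```python
"""Turn a ThreatFox-style IOC export into Microsoft Sentinel hunting inputs.

Added example: the IOC rows come from the table on this page, the helper names
and the watchlist column layout are assumptions of this example.
"""
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed input: the nine KongTuke indicators as ThreatFox lists them,
# still defanged (hxxps://). Pasted into KQL unchanged, they would match nothing.
IOCS = [
    ("sha256_hash", "90fe8c831a681c8c1dc77a271bb417fd52479fe6fc79d6cb9b7ffaf13f801f93", "payload"),
    ("sha256_hash", "6af715b5105d6d16e02ee6d1de14410a8a0fd2fb3d7b752bb24be25105fac0b2", "payload"),
    ("url", "hxxps://gerrirsen.icu/api/v1/status", "payload_delivery"),
    ("url", "hxxps://human-check.lol/o", "payload_delivery"),
    ("domain", "human-check.lol", "payload_delivery"),
    ("url", "hxxps://gerrirsen.icu/file.js", "payload_delivery"),
    ("domain", "gerrirsen.icu", "payload_delivery"),
    ("url", "hxxps://gerrirsen.icu/api/v1/session", "payload_delivery"),
    ("url", "hxxps://gerrirsen.icu/api/v1/verify", "payload_delivery"),
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value: str) -> str:
    """Undo common defanging (hxxp/hxxps, [.], [:]) so the value matches live telemetry."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def normalize(iocs):
    """Group indicators by type.

    Domains and hashes are lower-cased, URLs keep their path case, and every
    URL's host is added to the domain list so a DNS hunt also covers URL-only
    indicators whose bare domain is missing from the feed.
    """
    domains, urls, hashes = set(), set(), set()
    for ioc_type, value, _threat_type in iocs:
        if ioc_type == "sha256_hash":
            digest = value.strip().lower()
            if not SHA256_RE.match(digest):
                raise ValueError(f"not a SHA-256 hex digest: {value!r}")
            hashes.add(digest)
        elif ioc_type == "domain":
            domains.add(refang(value).lower().rstrip("."))
        elif ioc_type == "url":
            url = refang(value)
            host = urlsplit(url).hostname  # already lower-cased by urlsplit
            if not host:
                raise ValueError(f"URL without a host: {value!r}")
            urls.add(url)
            domains.add(host)
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type!r}")
    return {"domains": sorted(domains), "urls": sorted(urls), "sha256": sorted(hashes)}


def kql_let(name: str, values) -> str:
    """Render `let name = dynamic([...]);`, escaping for double-quoted KQL literals."""
    quoted = ", ".join('"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def watchlist_csv(iocs) -> str:
    """CSV for a Sentinel watchlist upload; SearchKey is the column _GetWatchlist() joins on."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["SearchKey", "IocType", "ThreatType"])
    for ioc_type, value, threat_type in iocs:
        key = refang(value) if ioc_type == "url" else value.strip().lower()
        writer.writerow([key, ioc_type, threat_type])
    return buf.getvalue()


if __name__ == "__main__":
    lists = normalize(IOCS)
    print(kql_let("malicious_domains", lists["domains"]))
    print(kql_let("malicious_urls", lists["urls"]))
    print(kql_let("malicious_hashes", lists["sha256"]))
    print(watchlist_csv(IOCS), end="")
```

Once the CSV is uploaded as a watchlist, the inline lists can be replaced with `_GetWatchlist('KongTuke') | project SearchKey` so that new ThreatFox rows are picked up without editing the queries; the watchlist name is an assumption here. Domains and hashes are lower-cased because both DNS names and MDE hash columns are case-insensitive, while URL paths are left untouched since a web server may treat them case-sensitively.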
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Endpoint file telemetry from Microsoft Defender for Endpoint; requires the Microsoft Defender XDR data connector |
| DnsEvents | Windows DNS Server query logs; requires the DNS connector (Windows DNS Server via AMA or the legacy agent) |
| UrlClickEvents | Safe Links click telemetry from Microsoft Defender for Office 365; also delivered through the Microsoft Defender XDR data connector |
False Positive Scenarios

The scenarios below are generic host-activity exclusions and are not specific to this rule: the three queries above match exact hashes, domains and URLs, so a backup, user-management, log-rotation, database or CI job cannot trigger them on its own. Apply an exclusion only where this rule is combined with process- or command-line-based logic, and never exclude a matched indicator itself without first confirming the match is benign. The filters are written in a generic ECS-style field syntax and must be translated to KQL column names before use in Sentinel.

Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job using rsync or tar is executing and may resemble the detection's command-line patterns. Note that '%tar%' also excludes any command line containing that substring (for example 'start'); narrow it before deploying.
Filter/Exclusion: process.command_line NOT LIKE '%rsync%' AND process.command_line NOT LIKE '%tar%'

Scenario: Admin Task - User Management via useradd
Description: An administrator is creating a new user with useradd and setting its password with passwd, which may resemble malicious account creation.
Filter/Exclusion: process.command_line NOT LIKE '%useradd%' AND process.command_line NOT LIKE '%passwd%'

Scenario: Log Rotation Job Using logrotate
Description: A system log rotation job run by logrotate is executing, which may trigger the rule through file or process name overlaps. In ECS, file.name holds only the base name, so a full path such as /etc/logrotate.conf belongs in file.path.
Filter/Exclusion: process.name != 'logrotate' AND file.name != '/etc/logrotate.conf'

Scenario: Database Maintenance Task with mysqldump
Description: A database administrator is performing a routine backup with mysqldump, which may be flagged because of its command-line patterns.
Filter/Exclusion: process.command_line NOT LIKE '%mysqldump%' AND process.command_line NOT LIKE '%--all-databases%'

Scenario: CI/CD Pipeline Job with git
Description: A CI/CD pipeline is pulling code from a Git repository, which may trigger the rule through process or file name similarities. The '%.git%' pattern also matches unrelated names containing that substring; prefer an exact match on the .git directory if possible.
Filter/Exclusion: process.name != 'git' AND file.name NOT LIKE '%.git%' AND process.command_line NOT LIKE '%git pull%'