The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that may be associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate emerging threats before they cause significant damage.
IOC Summary

Malware Family: Unknown malware
Total IOCs: 6
IOC Types: domain, ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 8[.]138[.]103[.]47:8888 | botnet_cc | 2026-06-12 | 100% |
| url | hxxps://slivkishow.asia/ | payload_delivery | 2026-06-12 | 90% |
| domain | slivkishow.asia | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://misterslivker.asia/ | payload_delivery | 2026-06-12 | 90% |
| domain | misterslivker.asia | payload_delivery | 2026-06-12 | 100% |
| url | hxxp://94[.]183[.]232[.]247/Ciabins.sh | payload_delivery | 2026-06-12 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
// The ip:port IOC lists port 8888; the query matches the IP on any port.
let malicious_ips = dynamic(["8.138.103.47"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["8.138.103.47"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["slivkishow.asia", "misterslivker.asia"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://slivkishow.asia/", "https://misterslivker.asia/", "http://94.183.232.247/Ciabins.sh"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
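The `let` lists at the top of each hunt are built by refanging the defanged ThreatFox values (`hxxps://`, `[.]`) and grouping them by the column each query matches on. The following script does that from the IOC table above; it is an added example, not tooling from ThreatFox or from this page, and the helper names (`refang`, `parse_ioc_table`, `build_lists`, `render_let_statements`) are this example's own. It goes one step beyond the page's queries: the host of each URL IOC is also added to the IP or domain list, so `94.183.232.247`, which the page only hunts as a clicked URL, is also hunted as a network destination. The `min_confidence` threshold lets you drop lower-confidence rows before they reach production queries.

```python
"""Parse a ThreatFox-style IOC table, refang the indicators, and emit the
KQL `let` lists the hunting queries consume (added example, not page code)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample input: the rows of the IOC table above, still defanged.
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 8[.]138[.]103[.]47:8888 | botnet_cc | 2026-06-12 | 100% |
| url | hxxps://slivkishow.asia/ | payload_delivery | 2026-06-12 | 90% |
| domain | slivkishow.asia | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://misterslivker.asia/ | payload_delivery | 2026-06-12 | 90% |
| domain | misterslivker.asia | payload_delivery | 2026-06-12 | 100% |
| url | hxxp://94[.]183[.]232[.]247/Ciabins.sh | payload_delivery | 2026-06-12 | 75% |
"""


@dataclass(frozen=True)
class Ioc:
    ioc_type: str
    value: str          # refanged, ready to use in a query
    threat_type: str
    first_seen: str
    confidence: int     # percent


def refang(value: str) -> str:
    """Reverse the defanging applied so that a listed IOC cannot be clicked:
    hxxp(s):// -> http(s)://, [.] or (.) -> ., [:] -> :."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    for fanged, plain in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(fanged, plain)
    return v


def parse_ioc_table(text: str) -> list[Ioc]:
    """Read markdown table rows; the header and separator rows are skipped."""
    iocs: list[Ioc] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0].lower() == "type" or set(cells[0]) <= {"-"}:
            continue
        ioc_type, value, threat, seen, conf = cells
        iocs.append(Ioc(ioc_type, refang(value), threat, seen, int(conf.rstrip("%"))))
    return iocs


def build_lists(iocs: list[Ioc], min_confidence: int = 0) -> dict[str, list[str]]:
    """Group indicators by the column each hunt matches on. A URL's host is
    also added to the IP or domain list (this goes beyond the page's queries).
    ip:port handling assumes IPv4 literals."""
    ips: set[str] = set()
    domains: set[str] = set()
    urls: set[str] = set()
    for ioc in iocs:
        if ioc.confidence < min_confidence:
            continue
        if ioc.ioc_type == "ip:port":
            ips.add(ioc.value.rsplit(":", 1)[0])  # port dropped: match the IP on any port
        elif ioc.ioc_type == "ip":
            ips.add(ioc.value)
        elif ioc.ioc_type == "domain":
            domains.add(ioc.value.lower())
        elif ioc.ioc_type == "url":
            urls.add(ioc.value)
            host = urlsplit(ioc.value).hostname
            if host:
                try:
                    ipaddress.ip_address(host)
                    ips.add(host)
                except ValueError:
                    domains.add(host.lower())
    return {"ips": sorted(ips), "domains": sorted(domains), "urls": sorted(urls)}


def kql_string(s: str) -> str:
    """Quote a value as a KQL string literal."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_let_statements(lists: dict[str, list[str]]) -> str:
    """Emit the `let malicious_* = dynamic([...]);` lines used at the top of each hunt."""
    out = []
    for name in ("ips", "domains", "urls"):
        items = ", ".join(kql_string(v) for v in lists[name])
        out.append(f"let malicious_{name} = dynamic([{items}]);")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_let_statements(build_lists(parse_ioc_table(IOC_TABLE))))
```

Paste the printed `let` lines in place of the hand-written ones in the queries above; re-run the script whenever the ThreatFox entry gains rows so the lists never drift from the source.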
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup job, may generate IOCs that match the unknown malware signature.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or with a command line containing /create or /run.
Scenario: Software Update Process
Description: A legitimate software update process, such as msiexec.exe or setup.exe, may trigger IOCs when deploying patches or updates.
Filter/Exclusion: Exclude processes with known update paths (e.g., C:\Windows\Temp\ or C:\Program Files\) or those associated with enterprise update tools like Microsoft Endpoint Configuration Manager.
Scenario: Admin Task Using PowerShell
Description: An administrator using PowerShell (powershell.exe) to perform routine system administration tasks, such as log rotation or configuration changes, may generate IOCs that match the rule.
Filter/Exclusion: Exclude processes with a command line containing -Command or -File that points to known admin scripts or tools (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus or endpoint protection tool, such as mpcmdrun.exe (Microsoft Defender) or avgscan.exe, may generate IOCs during a full system scan.
Filter/Exclusion: Exclude processes associated with known security tools (e.g., C:\Windows\System32\mpcmdrun.exe, C:\Program Files\Avast\).
Scenario: Log Collection or Monitoring Tool
Description: A log collection tool like logparser.exe or splunkforwarder.exe may generate IOCs when reading