The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that could signal the presence of previously unseen malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate emerging threats before they cause significant damage.
IOC Summary
Malware Family: Unknown malware Total IOCs: 6 IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 159[.]138[.]167[.]119:8888 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 5[.]249[.]160[.]112:7443 | botnet_cc | 2026-06-05 | 75% |
| ip:port | 195[.]26[.]86[.]134:7443 | botnet_cc | 2026-06-05 | 75% |
| ip:port | 193[.]149[.]190[.]156:7443 | botnet_cc | 2026-06-05 | 75% |
| domain | open-claw.co.com | payload_delivery | 2026-06-05 | 100% |
| domain | clawd-setup.com | payload_delivery | 2026-06-05 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["193.149.190.156", "195.26.86.134", "5.249.160.112", "159.138.167.119"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["193.149.190.156", "195.26.86.134", "5.249.160.112", "159.138.167.119"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["open-claw.co.com", "clawd-setup.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known internal repository.
Filter/Exclusion: Exclude all PowerShell scripts that originate from internal IP ranges or are signed by a trusted internal certificate.
Scenario: A Windows Task Scheduler job is configured to execute a script that performs routine log cleanup, which includes writing to a temporary file in the C:\Windows\Temp directory.
Filter/Exclusion: Exclude all file IOCs that occur within the C:\Windows\Temp directory or are associated with known system cleanup tools like cleanmgr.exe.
Scenario: A Sysinternals tool such as Process Explorer is being used by a security analyst to investigate a suspicious process. This tool may generate IOCs that match the rule’s criteria.
Filter/Exclusion: Exclude all IOCs associated with Sysinternals tools or processes running under a security analyst’s user account with elevated privileges.
Scenario: A backup job using Veeam Backup & Replication is executing and temporarily writes to a network share for offsite storage. This may result in network IOCs that match the rule.
Filter/Exclusion: Exclude all network IOCs that originate from or are destined for known backup server IP addresses or domains.
Scenario: A Windows Update process is downloading a patch from Microsoft’s public update server, which may include IOCs that are flagged as unknown malware.
Filter/Exclusion: Exclude all IOCs that match known Microsoft update servers (e.g., download.microsoft.com, windowsupdate.com) or are associated with the wuauclt.exe process.