The ThreatFox: Unknown malware IOCs rule flags network activity that matches indicators ThreatFox attributes to an as-yet unidentified malware family; such indicators may be associated with advanced persistent threats. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and contain unknown malware that could evade signature-based detection.
IOC Summary

Malware Family: Unknown malware
Total IOCs: 3
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 209[.]99[.]187[.]37:7443 | botnet_cc | 2026-06-15 | 75% |
| url | hxxps://infobhz.com.br/ | payload_delivery | 2026-06-15 | 90% |
| ip:port | 207[.]211[.]163[.]106:7443 | botnet_cc | 2026-06-14 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["209.99.187.37", "207.211.163.106"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["209.99.187.37", "207.211.163.106"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://infobhz.com.br/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| System update or patching process using wget to download a known safe update from a trusted repository. | Exclude traffic to known trusted update servers (e.g., updates.redhat.com, download.microsoft.com). |
| Scheduled job running psql to back up a PostgreSQL database to a local or remote server. | Exclude connections to internal database servers and traffic involving known backup tools (e.g., pg_dump, mysqldump). |
| Admin using curl to manually test a web service endpoint for API validation. | Exclude traffic to internal development or staging environments, and filter by known admin tools (e.g., curl, Postman). |
| Log management tool like rsyslog or Fluentd sending logs to a centralized SIEM system. | Exclude traffic to internal SIEM servers and filter by known log management tools (e.g., rsyslog, fluentd, logstash). |
| Automated script using ansible to deploy configuration changes to managed hosts. | Exclude traffic to internal Ansible controllers and filter by known automation tools (e.g., ansible, saltstack, puppet). |
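The hunt queries above match on IP only, even though ThreatFox publishes these indicators as ip:port, and the false-positive scenarios rely on an allow-list of trusted destinations. The following Python script is an added example (not part of the ThreatFox page or the KQL rules above) that refangs the defanged indicators from the table, renders them as the `dynamic([...])` literals the `let` statements expect, and runs an offline match over constructed CommonSecurityLog-style records, reporting whether the full ip:port was observed and skipping allow-listed destinations. The `TRUSTED_DESTINATIONS` set and the sample events are hypothetical.

```python
import re

# Constructed input: the ThreatFox indicators from the table above, in the
# defanged form the page publishes them (type, value, threat type).
IOC_TABLE = [
    ("ip:port", "209[.]99[.]187[.]37:7443", "botnet_cc"),
    ("url", "hxxps://infobhz.com.br/", "payload_delivery"),
    ("ip:port", "207[.]211[.]163[.]106:7443", "botnet_cc"),
]

# Hypothetical allow-list standing in for the trusted update servers and
# internal hosts named in the false-positive scenarios.
TRUSTED_DESTINATIONS = {"updates.redhat.com", "download.microsoft.com", "10.0.5.20"}

# Constructed CommonSecurityLog-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-15T08:01:00Z", "SourceIP": "10.0.1.15",
     "DestinationIP": "209.99.187.37", "DestinationPort": 7443, "RequestURL": ""},
    {"TimeGenerated": "2026-06-15T08:02:00Z", "SourceIP": "10.0.1.16",
     "DestinationIP": "207.211.163.106", "DestinationPort": 443, "RequestURL": ""},
    {"TimeGenerated": "2026-06-15T08:03:00Z", "SourceIP": "10.0.1.17",
     "DestinationIP": "203.0.113.9", "DestinationPort": 443,
     "RequestURL": "https://infobhz.com.br/"},
    {"TimeGenerated": "2026-06-15T08:04:00Z", "SourceIP": "10.0.1.18",
     "DestinationIP": "10.0.5.20", "DestinationPort": 5432, "RequestURL": ""},
]


def refang(value: str) -> str:
    """Undo common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def build_indicator_sets(table):
    """Return (ips, ip_ports, urls), refanged, from a ThreatFox-style table."""
    ips, ip_ports, urls = set(), set(), set()
    for ioc_type, raw, _threat in table:
        if ioc_type == "ip:port":
            ip, _, port = refang(raw).rpartition(":")
            ips.add(ip)
            ip_ports.add((ip, int(port)))
        elif ioc_type == "url":
            urls.add(refang(raw))
    return ips, ip_ports, urls


def kql_dynamic(values):
    """Render a KQL dynamic([...]) literal for the let statements in the hunts."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


def hunt(events, table, trusted=TRUSTED_DESTINATIONS):
    """Match events against the indicators. An IP match is reported even when
    the port differs (as the KQL above does); full_match records whether the
    complete ip:port (or URL) indicator was observed, to help triage."""
    ips, ip_ports, urls = build_indicator_sets(table)
    hits = []
    for e in events:
        dest, port = e["DestinationIP"], e["DestinationPort"]
        if dest in trusted:  # false-positive exclusion from the scenarios above
            continue
        if dest in ips:
            hits.append({"time": e["TimeGenerated"], "indicator": f"{dest}:{port}",
                         "kind": "botnet_cc", "full_match": (dest, port) in ip_ports})
        elif e["RequestURL"] in urls:
            hits.append({"time": e["TimeGenerated"], "indicator": e["RequestURL"],
                         "kind": "payload_delivery", "full_match": True})
    return hits


if __name__ == "__main__":
    ips, ip_ports, urls = build_indicator_sets(IOC_TABLE)
    print("let malicious_ips =", kql_dynamic(ips) + ";")
    print("let malicious_urls =", kql_dynamic(urls) + ";")
    for h in hunt(SAMPLE_EVENTS, IOC_TABLE):
        print(h)
```

Keep the allow-list narrow and applied per destination, not per tool name: the exclusion runs before the indicator match, so an over-broad allow-list (an internal range, a whole CDN) can silently suppress a true hit. A hit with `full_match` false still deserves a look, since C2 infrastructure is often reused on other ports.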