The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that could signal the presence of previously unseen malware in the environment. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware Total IOCs: 6 IOC Types: domain, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 193[.]202[.]84[.]17:443 | payload_delivery | 2026-04-24 | 75% |
| url | hxxp://msnf.us.com/Simpletokncar | payload_delivery | 2026-04-24 | 75% |
| domain | silent-harvester.cc | botnet_cc | 2026-04-24 | 100% |
| ip:port | 89[.]46[.]237[.]138:443 | payload_delivery | 2026-04-24 | 75% |
| url | hxxp://msnf.us.com/UserID48236957 | payload_delivery | 2026-04-24 | 75% |
| domain | msnf.us.com | payload_delivery | 2026-04-24 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["89.46.237.138", "193.202.84.17"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["89.46.237.138", "193.202.84.17"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["silent-harvester.cc", "msnf.us.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["http://msnf.us.com/Simpletokncar", "http://msnf.us.com/UserID48236957"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate software update from a known internal repository.
Filter/Exclusion: Exclude any IOCs that match internal update servers or are associated with known internal tools like PowerShell, Task Scheduler, or Windows Update.
Scenario: A DevOps engineer is using Ansible to deploy a configuration management script that includes a legitimate third-party library, which is flagged as unknown malware.
Filter/Exclusion: Exclude IOCs that match known Ansible modules or third-party libraries used in CI/CD pipelines, such as Ansible, Git, or Docker.
Scenario: A database administrator is using SQL Server Agent to run a maintenance job that connects to a remote database using a known IP address.
Filter/Exclusion: Exclude IOCs that match internal IP ranges, known database management systems like SQL Server, or internal network infrastructure components.
Scenario: A security analyst is using Wireshark to capture and analyze network traffic for a penetration test, which includes legitimate payloads or tools like Metasploit.
Filter/Exclusion: Exclude IOCs associated with security testing tools such as Wireshark, Metasploit, or Nmap, and filter traffic from known test environments.
Scenario: A system administrator is using Windows Task Scheduler to run a script that connects to a public API for monitoring system performance, such as Datadog or New Relic.
Filter/Exclusion: Exclude IOCs that match known monitoring tools or public API endpoints, and filter traffic from scheduled tasks associated with system monitoring.