The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that may be associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate emerging threats before they cause significant damage.
IOC Summary

Malware Family: Unknown malware
Total IOCs: 4
IOC Types: ip:port, domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 8[.]138[.]103[.]47:8888 | botnet_cc | 2026-06-12 | 100% |
| url | hxxps://slivkishow.asia/ | payload_delivery | 2026-06-12 | 90% |
| domain | slivkishow.asia | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://misterslivker.asia/ | payload_delivery | 2026-06-12 | 90% |
Hunting Queries

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
// ThreatFox lists port 8888 for this C2; the port is not enforced here so that
// any connection to the IP is surfaced, the port shows up in DestinationPort.
let malicious_ips = dynamic(["8.138.103.47"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["8.138.103.47"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["slivkishow.asia"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://slivkishow.asia/", "https://misterslivker.asia/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
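The queries above carry refanged copies of the IOC table typed in by hand. As an added example (not part of this page or of ThreatFox's tooling), the following Python refangs the table rows and emits the `let` lists the queries use. It goes one step beyond the page: the host of every URL IOC is also added to the domain list, so a DnsEvents hunt would cover misterslivker.asia, which appears only as a URL indicator above. The `IOC_ROWS` constant is the page's table, not live ThreatFox output.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Rows copied from this page's ThreatFox IOC table (defanged as published).
IOC_ROWS = [
    ("ip:port", "8[.]138[.]103[.]47:8888", "botnet_cc"),
    ("url", "hxxps://slivkishow.asia/", "payload_delivery"),
    ("domain", "slivkishow.asia", "payload_delivery"),
    ("url", "hxxps://misterslivker.asia/", "payload_delivery"),
]


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] or (.) -> '.'."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def kql_lists(rows):
    """Group refanged IOCs into named lists for KQL 'let' statements.

    ip:port is split into malicious_ips and malicious_ports, and the host of
    every URL IOC is added to malicious_domains (deduplicated, order kept) so
    that a DnsEvents hunt also covers domains seen only inside URL IOCs.
    """
    groups = defaultdict(list)

    def add(name, value):
        if value not in groups[name]:
            groups[name].append(value)

    for ioc_type, raw, _threat_type in rows:
        clean = refang(raw)
        if ioc_type == "ip:port":
            ip, port = clean.rsplit(":", 1)
            add("malicious_ips", ip)
            add("malicious_ports", int(port))
        elif ioc_type == "domain":
            add("malicious_domains", clean)
        elif ioc_type == "url":
            add("malicious_urls", clean)
            host = urlparse(clean).hostname
            if host:
                add("malicious_domains", host)
    return dict(groups)


def render_kql(groups):
    """Emit one 'let' line per list; json.dumps yields KQL-compatible literals."""
    return "\n".join(
        f"let {name} = dynamic([{', '.join(json.dumps(v) for v in values)}]);"
        for name, values in sorted(groups.items())
    )
```

Paste the rendered `let` lines at the top of a query and match `RemotePort`/`DestinationPort` against `malicious_ports` when a tighter C2 match is wanted.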
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: System update or patching process using wget to download a known safe update from a trusted internal repository.
  Filter/Exclusion: Exclude traffic originating from the internal update server IP or domain, or filter by http.host matching the internal repository.
- Scenario: Scheduled backup job using rsync or tar to archive and transfer data to a remote backup server.
  Filter/Exclusion: Exclude traffic to the backup server IP or domain, or filter by destination.port matching the backup service port (e.g., 22 for SSH, 80/443 for HTTP/HTTPS).
- Scenario: Admin performing manual log analysis using tcpdump or Wireshark to capture network traffic for forensic analysis.
  Filter/Exclusion: Exclude traffic from the admin workstation IP, or filter by process.name matching tcpdump or wireshark.
- Scenario: Internal tool for monitoring system performance, such as netdata or Prometheus, communicating with its own server.
  Filter/Exclusion: Exclude traffic to the internal monitoring server IP or domain, or filter by process.name matching the monitoring tool.
- Scenario: Legitimate use of curl or PowerShell to interact with an internal API for configuration management or automation.
  Filter/Exclusion: Exclude traffic to the internal API endpoint, or filter by http.host matching the internal API domain.