The detection identifies potential BianLian malware activity through associated IOCs, indicating possible adversary presence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early.
IOC Summary

Malware Family: BianLian
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 34[.]123[.]214[.]16:8443 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 194[.]213[.]18[.]93:991 | botnet_cc | 2026-06-12 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - BianLian
// The published IOCs are ip:port pairs; this query matches on IP only, so any
// traffic to or from these hosts is surfaced regardless of port.
let malicious_ips = dynamic(["34.123.214.16", "194.213.18.93"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// RemoteIP covers the peer of the connection; InitiatingProcessFileName shows
// which process opened it, which is the first pivot when triaging a hit.
let malicious_ips = dynamic(["34.123.214.16", "194.213.18.93"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
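The IOC summary publishes defanged ip:port pairs, while the hunting queries above match on IP alone. The following is an added example (not part of the original page or the ThreatFox feed) that refangs the two published IOCs, validates them, and generates a port-aware KQL query for either of the two Sentinel tables named above. The column names come from the page's own queries; the `strcat(...) in (...)` matching approach and the helper names are this example's own choices.

```python
"""Refang the defanged ip:port IOCs from the summary table and emit a
port-aware KQL hunting query for the Sentinel tables the page uses.

Added example, not part of the original page. The IOC strings are copied
from the page's IOC summary; the table/column names match the page's queries.
"""
import ipaddress
import re

# IOC values exactly as published in the summary table (defanged with [.]).
DEFANGED_IOCS = [
    "34[.]123[.]214[.]16:8443",
    "194[.]213[.]18[.]93:991",
]

# Columns used by the page's own queries for each table.
TABLE_COLUMNS = {
    "CommonSecurityLog": ("DestinationIP", "DestinationPort", "TimeGenerated"),
    "DeviceNetworkEvents": ("RemoteIP", "RemotePort", "Timestamp"),
}

# Common defanging styles for the dot: [.], (.), {.}
_DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(ioc: str) -> str:
    """Turn defanged dots back into real dots."""
    return _DEFANG_DOT.sub(".", ioc)


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split a (possibly defanged) 'ip:port' IOC and validate both halves.

    Raises ValueError for anything that is not an IPv4 address with a valid
    port, so a malformed feed line fails loudly instead of silently producing
    a query that can never match.
    """
    host, sep, port_text = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"missing port in IOC: {ioc!r}")
    ip = ipaddress.ip_address(host)  # raises ValueError on garbage
    if ip.version != 4:
        raise ValueError(f"expected IPv4 address in IOC: {ioc!r}")
    port = int(port_text)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range in IOC: {ioc!r}")
    return str(ip), port


def build_kql(iocs: list[str], table: str = "CommonSecurityLog") -> str:
    """Build a KQL query that matches only the exact ip:port pairs published.

    Matching on the pair (rather than IP alone) cuts noise when the host also
    serves unrelated traffic, at the cost of missing C2 that moves ports.
    """
    ip_col, port_col, time_col = TABLE_COLUMNS[table]
    pairs = [parse_ip_port(i) for i in iocs]
    quoted = ", ".join(f'"{ip}:{port}"' for ip, port in pairs)
    return "\n".join([
        "// Generated port-aware hunt; IOC source: ThreatFox - BianLian",
        f"let ioc_pairs = dynamic([{quoted}]);",
        table,
        f'| where strcat({ip_col}, ":", tostring({port_col})) in (ioc_pairs)',
        f"| order by {time_col} desc",
    ])


if __name__ == "__main__":
    for table_name in TABLE_COLUMNS:
        print(build_kql(DEFANGED_IOCS, table_name))
        print()
```

Run the script to print one query per table and paste the result into the Sentinel Logs blade. Keep the page's IP-only queries for the initial sweep and use the port-aware version to confirm hits, since the tighter match deliberately trades recall for precision.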
False Positive Scenarios

Scenario: Legitimate system update using BianLian-associated tools
Description: A system update or patching process uses a tool like msiexec.exe or setup.exe, which may be flagged due to its association with BianLian.
Filter/Exclusion: Exclude processes related to known update mechanisms (e.g., msiexec.exe, setup.exe, wusa.exe) or use a filter based on the file path (e.g., C:\Windows\System32\*).

Scenario: Scheduled job using BianLian-related scripts
Description: A scheduled task (e.g., via Task Scheduler) runs a script or executable that is falsely associated with BianLian, such as a legitimate maintenance script named clean.exe.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler service or filter by command-line argument (e.g., --clean or --maintenance).

Scenario: Admin tool using BianLian IOCs for forensic analysis
Description: An administrator uses a tool like Process Explorer or Procmon to investigate system behavior, and the tool’s behavior matches the BianLian IOC pattern.
Filter/Exclusion: Exclude processes from known administrative tools (e.g., procmon.exe, procexp.exe, wbemtest.exe) or filter by user context (e.g., User = Administrator).

Scenario: Legitimate software installation via MSI package
Description: A company installs a legitimate software package using an MSI installer, which may contain a file or registry key that matches BianLian IOCs.
Filter/Exclusion: Exclude processes related to MSI installation (e.g., msiexec.exe) or filter by file extension (e.g., .msi, .msp).