The ThreatFox: BianLian IOCs rule detects potential adversary activity linked to the BianLian malware, which is associated with advanced persistent threats and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to long-term data breaches.
IOC Summary
Malware Family: BianLian
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 85[.]11[.]167[.]9:8443 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 163[.]245[.]213[.]241:56893 | botnet_cc | 2026-06-17 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - BianLian
// Matches on IP only; the ThreatFox entries also carry a port (8443, 56893)
// that this query does not constrain, so hits on any port are returned.
let malicious_ips = dynamic(["85.11.167.9", "163.245.213.241"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - BianLian
// Separate query from the one above (each query declares its own IOC list);
// InitiatingProcessFileName gives the process context a firewall log lacks.
let malicious_ips = dynamic(["85.11.167.9", "163.245.213.241"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate system backup using Veeam Backup & Replication | Exclude files or processes associated with veeam.exe or VeeamBackup in the IOC list. |
| Scheduled system maintenance task using Task Scheduler to run PowerShell scripts for log cleanup | Exclude PowerShell scripts with known maintenance task names or paths like C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe used for scheduled tasks. |
| Regular use of Windows Event Viewer to review logs, which may trigger IOC patterns in log files | Exclude events related to Eventvwr.exe or specific event IDs commonly associated with log review activities. |
| Use of Windows Management Instrumentation (WMI) for system monitoring and reporting | Exclude WMI-related processes or queries involving wmic.exe or known WMI provider names. |
| Legitimate use of Microsoft Endpoint Manager (MEM) for device management and policy enforcement | Exclude processes or files associated with Microsoft Intune or Microsoft Endpoint Manager services. |
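As an added example (not part of the original ThreatFox rule or of Microsoft's content), the KQL below combines the two hunts above into one query and goes one step beyond them: it matches on the ip:port pair from the IOC table rather than on the IP alone, and it applies the false-positive scenarios as a review tag instead of silently dropping rows. It assumes the standard CommonSecurityLog and DeviceNetworkEvents column names, a 30-day lookback, and a benign-process list assembled only from the scenarios above; the Intune/MEM service binaries are not named on this page, so they are left for the analyst to add.

```kusto
// Added example, not the original rule. Port-aware BianLian IOC hunt across
// firewall (CommonSecurityLog) and endpoint (DeviceNetworkEvents) telemetry.
let lookback = 30d;                       // assumed lookback window
// IOC list from the ThreatFox entries, keeping the port each C2 was seen on.
let bianlian_iocs = datatable(IocIP:string, IocPort:long, ThreatType:string, Confidence:long)
[
    "85.11.167.9",     8443,  "botnet_cc", 75,
    "163.245.213.241", 56893, "botnet_cc", 75
];
// Cheap prefilter on IP before the join; the join then enforces the port.
let ioc_ips = toscalar(bianlian_iocs | summarize make_set(IocIP));
// Process names taken from the false-positive scenarios on this page.
// A hit from one of these is tagged for verification, not excluded: a backup
// or admin binary talking to a known C2 is still worth a look.
// Intune / Endpoint Manager binaries are not named on the page; add them here.
let benign_processes = dynamic(["veeam.exe", "veeambackup.exe", "powershell.exe", "eventvwr.exe", "wmic.exe"]);
// Firewall / proxy telemetry (CEF): no process context available.
let csl_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DestinationIP in (ioc_ips)
    | extend DstPort = tolong(DestinationPort)
    | join kind=inner bianlian_iocs on $left.DestinationIP == $right.IocIP and $left.DstPort == $right.IocPort
    | project TimeGenerated, Source="CommonSecurityLog", Host=DeviceName, Process="",
              SourceIP, DestinationIP, DestinationPort=DstPort, ThreatType, Confidence;
// Endpoint telemetry (Defender for Endpoint): includes the initiating process.
let mde_hits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIP in (ioc_ips)
    | extend DstPort = tolong(RemotePort)
    | join kind=inner bianlian_iocs on $left.RemoteIP == $right.IocIP and $left.DstPort == $right.IocPort
    | project TimeGenerated=Timestamp, Source="DeviceNetworkEvents", Host=DeviceName, Process=InitiatingProcessFileName,
              SourceIP=LocalIP, DestinationIP=RemoteIP, DestinationPort=DstPort, ThreatType, Confidence;
union csl_hits, mde_hits
// Triage tag: which bucket from the false-positive table does the hit fall into?
| extend ReviewTag = case(
    Process == "",                  "no-process-context",
    Process in~ (benign_processes), "known-benign-process-verify",
                                    "unexpected-process")
| summarize Hits=count(), FirstHit=min(TimeGenerated), LastHit=max(TimeGenerated), Processes=make_set(Process)
    by Host, DestinationIP, DestinationPort, ThreatType, Confidence, ReviewTag
| order by LastHit desc
```

Rows tagged `unexpected-process` are the ones to work first; `known-benign-process-verify` rows should be checked against the scheduled task or backup job that explains them before any exclusion is written, since the IOC port match already removes most incidental traffic to those hosts.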