The ThreatFox: BianLian IOCs rule detects potential adversary activity linked to the BianLian malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise sensitive data and system integrity.
IOC Summary
Malware Family: BianLian
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 46[.]29[.]166[.]65:3481 | botnet_cc | 2026-06-23 | 75% |
| ip:port | 137[.]220[.]59[.]55:80 | botnet_cc | 2026-06-23 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - BianLian
// Note: the IOCs above are ip:port pairs, but this query matches on IP alone;
// the port is projected so an analyst can confirm it against the IOC table.
let malicious_ips = dynamic(["46.29.166.65", "137.220.59.55"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - BianLian
// Note: matches on RemoteIP alone; RemotePort is projected for confirmation.
let malicious_ips = dynamic(["46.29.166.65", "137.220.59.55"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
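Because the ThreatFox indicators are ip:port pairs, matching on the IP alone will also flag unrelated traffic to the same host (the port-80 entry is the obvious case). The query below is an added example, not part of the original rule: it normalises both tables to a common shape and joins on the full ip:port pair from the IOC table above (the `ioc` datatable is constructed here from that table).

```kql
// Added example: exact ip:port matching across CommonSecurityLog and DeviceNetworkEvents.
// The ioc datatable is constructed from the IOC table on this page.
let ioc = datatable(ip:string, port:int) [
    "46.29.166.65", 3481,
    "137.220.59.55", 80
];
// Normalise CommonSecurityLog (firewall/proxy) to a common column set
let csl = CommonSecurityLog
    | where isnotempty(DestinationIP)
    | project TimeGenerated,
              Source = "CommonSecurityLog",
              Host = Computer,
              RemoteIp = DestinationIP,
              RemotePort = toint(DestinationPort),
              Process = "";
// Normalise Defender for Endpoint network events to the same shape
let dne = DeviceNetworkEvents
    | project TimeGenerated = Timestamp,
              Source = "DeviceNetworkEvents",
              Host = DeviceName,
              RemoteIp = RemoteIP,
              RemotePort = toint(RemotePort),
              Process = InitiatingProcessFileName;
union csl, dne
// Inner join on both keys: only hits on the exact ip:port pair survive
| join kind=inner ioc on $left.RemoteIp == $right.ip, $left.RemotePort == $right.port
| project TimeGenerated, Source, Host, RemoteIp, RemotePort, Process
| order by TimeGenerated desc
```

Run the IP-only queries first for breadth, then this one to triage: a host that hits the exact pair is a much stronger lead than one that merely talked to the same address.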
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using crontab to run system maintenance tasks
Filter/Exclusion: Exclude entries where the IOC is found in /etc/crontab or within crontab files in /var/spool/cron/
Example: process.name = crond or file.path = /etc/crontab
Scenario: Use of ps or top for monitoring system processes by system administrators
Filter/Exclusion: Exclude processes where the command line includes ps or top and the user is a system admin (e.g., user.name = root or user.name = admin)
Example: process.name = ps and user.name = root
Scenario: Execution of tar or gzip for archiving logs or backups by the backup team
Filter/Exclusion: Exclude processes where the command line includes tar or gzip and the user is part of the backup group (e.g., user.group = backup)
Example: process.name = tar and user.group = backup
Scenario: Use of rsync for synchronizing files between servers in a multi-server environment
Filter/Exclusion: Exclude processes where the command line includes rsync and the source or destination is a known internal server (e.g., file.path = /path/to/internal/server)
Example: process.name = rsync and file.path = /internal/sync/path
Scenario: Legitimate use of ssh for remote administration or secure file transfer
Filter/Exclusion: Exclude SSH sessions where the user is a known admin and the destination is an internal IP (e.g., destination.ip = 10.0.0.0/8)
Example: