The ThreatFox: Chaos IOCs rule detects potential adversary activity linked to the Chaos group, leveraging known malicious indicators to identify compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats associated with this high-severity actor.
IOC Summary
Malware Family: Chaos
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]153[.]127[.]224:8080 | botnet_cc | 2026-05-25 | 50% |
| ip:port | 109[.]110[.]188[.]156:443 | botnet_cc | 2026-05-25 | 75% |
Hunting Query: CommonSecurityLog

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Chaos
let malicious_ips = dynamic(["45.153.127.224", "109.110.188.156"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
Hunting Query: DeviceNetworkEvents

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.153.127.224", "109.110.188.156"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
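Both indicators are of type ip:port, but the queries above match on the IP alone. As an added example that is not part of the original rule, the query below carries the port, threat type and confidence from the IOC table into the match, checks both flow directions in CommonSecurityLog, and unions the sources into one triage view; `min_confidence` and `lookback` are assumed tuning values, and the column names are the standard Sentinel and Defender schema.

```kql
// Added example (not part of the original rule): match on IP and port together,
// since the IOC type is ip:port, and union both data sources into one triage view.
// IOC table built from the summary above with the indicators refanged;
// Confidence is the ThreatFox value. Threshold and lookback are assumed tuning values.
let chaos_iocs = datatable(IndicatorIP: string, IndicatorPort: int, ThreatType: string, Confidence: int) [
    "45.153.127.224",  8080, "botnet_cc", 50,
    "109.110.188.156", 443,  "botnet_cc", 75
];
let min_confidence = 50;   // assumed: raise to 75 to keep only the higher-confidence indicator
let lookback = 14d;        // assumed hunting window
let iocs = chaos_iocs | where Confidence >= min_confidence;
// Defender for Endpoint: the IOC is always the remote end of the connection
let mde_hits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | join kind=inner iocs on $left.RemoteIP == $right.IndicatorIP and $left.RemotePort == $right.IndicatorPort
    | project EventTime = Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
              RemoteAddr = RemoteIP, RemotePort, Process = InitiatingProcessFileName,
              Action = ActionType, ThreatType, Confidence;
// CEF/Syslog sources: the IOC may be the destination (outbound beacon) ...
let csl_dst = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | join kind=inner iocs on $left.DestinationIP == $right.IndicatorIP and $left.DestinationPort == $right.IndicatorPort
    | project EventTime = TimeGenerated, Source = "CommonSecurityLog", Host = DeviceName,
              RemoteAddr = DestinationIP, RemotePort = DestinationPort, Process = "",
              Action = DeviceAction, ThreatType, Confidence;
// ... or the source (inbound from the C2), so check both directions
let csl_src = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | join kind=inner iocs on $left.SourceIP == $right.IndicatorIP and $left.SourcePort == $right.IndicatorPort
    | project EventTime = TimeGenerated, Source = "CommonSecurityLog", Host = DeviceName,
              RemoteAddr = SourceIP, RemotePort = SourcePort, Process = "",
              Action = DeviceAction, ThreatType, Confidence;
union mde_hits, csl_dst, csl_src
// One row per host/indicator pair, so repeated beacons collapse into a count with first/last seen
| summarize FirstSeen = min(EventTime), LastSeen = max(EventTime), Hits = count(),
            Sources = make_set(Source), Processes = make_set(Process), Actions = make_set(Action)
    by Host, RemoteAddr, RemotePort, ThreatType, Confidence
| order by Confidence desc, LastSeen desc
```

A host that appears with many hits over a long window is a beaconing candidate; a single hit with a blocked DeviceAction may only need a quick confirmation that the block held.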
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Backup Using rsync | A legitimate scheduled backup job using rsync may trigger the rule if the command includes a file path or argument that matches a known IOC. | Exclude processes initiated by the root user with rsync and containing /backup/ in the command line. |
| Admin Task Using curl to Fetch Configuration | An administrator may use curl to fetch configuration files from an internal server, which could match an IOC if the URL or command structure is similar to malicious activity. | Exclude processes with curl commands that include internal IP addresses or URLs matching the company's internal domain. |
| Log Collection via logrotate | The logrotate utility may generate commands that include file paths or arguments resembling IOCs, especially when rotating logs from multiple services. | Exclude processes with logrotate and file paths in /var/log/ or /etc/logrotate.d/. |
| Docker Container Management with docker exec | A system administrator may use docker exec to run commands inside a container, which could include arguments that match IOCs if the container is running a legitimate service. | Exclude processes where the command includes docker exec and the container name matches known internal service containers. |
| Cron Job for Database Maintenance | A cron job running a database maintenance script may include commands that match IOCs, especially if the script interacts with external tools or APIs. | Exclude processes initiated by the cron daemon and containing database-specific commands or internal service endpoints. |