The ThreatFox: Eye Pyramid IOCs rule detects potential adversary activity linked to the Eye Pyramid group, which is associated with advanced persistent threats and credential theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise and exfiltration attempts.
IOC Summary
Malware Family: Eye Pyramid
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 188[.]23[.]170[.]123:8000 | botnet_cc | 2026-06-20 | 75% |
| ip:port | 5[.]188[.]61[.]49:44443 | botnet_cc | 2026-06-20 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Eye Pyramid
// Note: the IOCs are published as ip:port (8000 and 44443); this query matches on IP only,
// so DestinationPort is projected to let the analyst confirm the port by hand.
let malicious_ips = dynamic(["5.188.61.49", "188.23.170.123"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// RemotePort is projected for the same reason: compare it against the IOC ports 8000 and 44443.
let malicious_ips = dynamic(["5.188.61.49", "188.23.170.123"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
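The queries above match on IP only, while ThreatFox publishes these IOCs as ip:port. The following added example (not part of the original page) refangs the two IOCs from the table, renders the KQL `dynamic([...])` list, and classifies constructed sample network events as exact ip:port hits versus IP-only hits so an analyst can see which matches are strongest; the sample events and device names are made up.

```python
import re

# IOCs as published on this page (defanged ip:port, ThreatFox style).
EYE_PYRAMID_IOCS = [
    "188[.]23[.]170[.]123:8000",
    "5[.]188[.]61[.]49:44443",
]

# Constructed sample rows shaped like DeviceNetworkEvents; not real telemetry.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-21T02:11:09Z", "DeviceName": "ws-0042",
     "RemoteIP": "5.188.61.49", "RemotePort": 44443, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-21T02:15:30Z", "DeviceName": "srv-db01",
     "RemoteIP": "188.23.170.123", "RemotePort": 443, "InitiatingProcessFileName": "sqlservr.exe"},
    {"Timestamp": "2026-06-21T02:20:00Z", "DeviceName": "ws-0007",
     "RemoteIP": "10.0.0.5", "RemotePort": 8000, "InitiatingProcessFileName": "chrome.exe"},
]

# Common defanging styles: [.] (.) {.}
DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")

def refang(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into (ip, port)."""
    ip, _, port = DEFANG.sub(".", ioc.strip()).rpartition(":")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip) or not port.isdigit():
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    return ip, int(port)

def to_kql_dynamic(iocs) -> str:
    """Render the refanged IPs as the KQL dynamic([...]) list used in the hunts above."""
    ips = sorted({refang(i)[0] for i in iocs})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"

def match_events(events, iocs):
    """Return (device, match_kind, (ip, port)) for each event touching an IOC address.

    'ip:port' means both address and port matched the IOC (strongest signal);
    'ip-only' means the address matched but the port differs, as the KQL above would report.
    """
    exact = {refang(i) for i in iocs}
    ip_only = {ip for ip, _ in exact}
    hits = []
    for ev in events:
        key = (ev["RemoteIP"], ev["RemotePort"])
        if key in exact:
            hits.append((ev["DeviceName"], "ip:port", key))
        elif ev["RemoteIP"] in ip_only:
            hits.append((ev["DeviceName"], "ip-only", key))
    return hits
```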
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may trigger the rule if the backup process involves files or network connections that match Eye Pyramid IOCs.
Filter/Exclusion: process.name not in ("vbm", "vpxa"), or alternatively process.parent.name != "vpxa", to exclude Veeam-related processes. In the Sentinel tables above the equivalent fields are InitiatingProcessFileName and InitiatingProcessParentFileName; scope any exclusion to the specific hosts and processes involved, since a connection to a listed botnet_cc address from a backup process still warrants review.
Scenario: Windows Task Scheduler Running Administrative Maintenance Tasks
Description: A scheduled task using the Windows Task Scheduler to perform routine maintenance (e.g., disk cleanup, log rotation) may involve processes or network activity that match the Eye Pyramid IOCs.
Filter/Exclusion: process.name != "schtasks.exe", or alternatively process.parent.name != "services.exe", to exclude legitimate scheduled tasks.
Scenario: Log Management with Splunk Forwarder
Description: The Splunk Universal Forwarder may be transmitting logs to a Splunk indexer, and if the network connection or file paths match Eye Pyramid IOCs, it could trigger the rule.
Filter/Exclusion: process.name != "splunkforwarder", or alternatively process.parent.name != "splunkforwarder", to exclude Splunk-related processes.
Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent job configured to back up databases may involve file operations or network connections that match Eye Pyramid IOCs.
Filter/Exclusion: process.name != "sqlservr.exe", or alternatively process.parent.name != "sqlagent.exe", to exclude SQL Server Agent jobs.
Scenario: Network Monitoring with Wireshark or tcpdump
Description: A network analyst using Wireshark or tcpdump to capture and analyze network traffic may trigger the rule if the captured