The ThreatFox: Eye Pyramid IOCs rule detects potential adversary activity linked to the Eye Pyramid group, which is associated with advanced persistent threats and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise and prevent data loss.
IOC Summary

Malware Family: Eye Pyramid
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 178[.]16[.]54[.]48:443 | botnet_cc | 2026-06-01 | 75% |
| ip:port | 178[.]16[.]52[.]47:443 | botnet_cc | 2026-06-01 | 75% |
```kusto
// Hunt for network connections to known malicious IPs in CEF/Syslog data
// Source: ThreatFox - Eye Pyramid
// Note: matches on IP only; the feed lists port 443 for both entries, so
// DestinationPort can be used to separate exact hits from IP-only hits.
let malicious_ips = dynamic(["178.16.54.48", "178.16.52.47"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Eye Pyramid
let malicious_ips = dynamic(["178.16.54.48", "178.16.52.47"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
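The queries above match on the IP address alone, while the feed publishes each indicator as a defanged ip:port pair. The following Python is an added example (not part of the ThreatFox page or the Sentinel rule) that refangs the two indicators from the table, renders them as the `dynamic([...])` literal the queries expect, and then buckets sample network events into exact ip:port hits versus IP-only hits so an analyst can prioritise triage. The sample events are constructed to resemble DeviceNetworkEvents rows and are not real telemetry; the feed is assumed to contain IPv4 addresses only.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed from the IOC table on this page, in the defanged ip:port form ThreatFox publishes.
DEFANGED_IOCS = [
    "178[.]16[.]54[.]48:443",
    "178[.]16[.]52[.]47:443",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so the value can be compared against live telemetry."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def parse_ip_port(ioc: str) -> Tuple[str, int]:
    """Split a refanged 'ip:port' IOC into (ip, port) and validate the IP.

    Assumes IPv4 entries; a malformed feed line raises ValueError instead of
    silently producing an indicator that matches nothing.
    """
    ip, _, port = refang(ioc).rpartition(":")
    ipaddress.ip_address(ip)
    return ip, int(port)


def build_kql_list(iocs: Iterable[str]) -> str:
    """Render the unique IPs as the dynamic([...]) literal used in the page's KQL queries."""
    ips = sorted({parse_ip_port(i)[0] for i in iocs})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"


def match_events(events: List[Dict], iocs: Iterable[str]) -> Dict[str, List[Dict]]:
    """Bucket events by match quality.

    'exact'   : remote IP and port both match a feed entry (highest confidence)
    'ip_only' : remote IP matches but the port differs; still worth a look, but the
                feed only vouches for the listed port
    """
    pairs = {parse_ip_port(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    result: Dict[str, List[Dict]] = {"exact": [], "ip_only": []}
    for ev in events:
        key = (ev["RemoteIP"], ev["RemotePort"])
        if key in pairs:
            result["exact"].append(ev)
        elif ev["RemoteIP"] in ips:
            result["ip_only"].append(ev)
    return result


# Constructed sample events shaped like DeviceNetworkEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-02T08:01:00Z", "DeviceName": "ws-0142", "RemoteIP": "178.16.54.48",
     "RemotePort": 443, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-02T08:03:00Z", "DeviceName": "ws-0142", "RemoteIP": "178.16.52.47",
     "RemotePort": 8080, "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2026-06-02T08:05:00Z", "DeviceName": "srv-db01", "RemoteIP": "10.0.4.12",
     "RemotePort": 443, "InitiatingProcessFileName": "sqlservr.exe"},
]

if __name__ == "__main__":
    print(build_kql_list(DEFANGED_IOCS))
    buckets = match_events(SAMPLE_EVENTS, DEFANGED_IOCS)
    for tier, hits in buckets.items():
        for ev in hits:
            print(f"{tier:8} {ev['DeviceName']} -> {ev['RemoteIP']}:{ev['RemotePort']} "
                  f"({ev['InitiatingProcessFileName']})")
```

Keeping the port in the comparison is the difference between "this host talked to a known C2 listener" and "this host talked to an address that also hosts a C2 listener"; both deserve attention, but the first should be triaged first.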
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False-positive scenarios and suggested exclusions. The filters are written as generic `process.name` / `process.args` conditions to append to the hunting query; an event is kept only while the whole condition is true, so two process names must be combined with AND, while a name-plus-arguments pair can use OR to exclude only that specific combination.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern because of similar naming or file paths.
Filter/Exclusion: `process.name != "schtasks.exe" AND process.name != "task scheduler"`, or use a custom field such as `process.name != "maintenance_script.ps1"`

Scenario: Admin Performing Log Collection via LogParser
Description: An administrator uses LogParser to collect and analyze logs, which may trigger the rule because of matching command-line arguments or file paths.
Filter/Exclusion: `process.name != "logparser.exe" OR process.args NOT LIKE "%-i %C:\Windows\System32\logfiles%"` (excludes only LogParser runs with those arguments)

Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script used for system monitoring (e.g., perfmon.exe or PowerShell.exe) may trigger the rule because of similar command-line arguments.
Filter/Exclusion: `process.name != "PowerShell.exe" OR process.args NOT LIKE "%-Command %Get-Counter%"` (excludes only PowerShell invocations running Get-Counter)

Scenario: Software Update Job Using Windows Update Agent
Description: A Windows Update job or a third-party update tool (e.g., wsusoffline, Chocolatey) may trigger the rule because of matching file paths or command-line arguments.
Filter/Exclusion: `process.name != "wuauclt.exe" AND process.name != "choco.exe"`

Scenario: Database Backup Job Using SQL Server Agent
Description: A SQL Server Agent job that performs backups may trigger the rule because of similar file paths or command-line arguments.
Filter/Exclusion: `process.name != "sqlservr.exe" AND process.name != "sqlagent.exe"`
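A process-name exclusion for this rule can only be applied where the telemetry carries the process, which for the queries on this page means DeviceNetworkEvents and its InitiatingProcessFileName column. The Python below is an added example (not part of the ThreatFox page or the Sentinel rule) that runs two forms of the "update tools" exclusion over constructed IOC hits: the `!= A OR != B` shape, which is true for every event when A and B differ and therefore excludes nothing, and the `NOT IN (A, B)` shape, which excludes exactly the listed processes. A third function tags instead of drops, since a feed-listed C2 address reached by an update binary is still a hit that someone should look at. The hits, hostnames and process names are constructed, not real telemetry.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed IOC hits shaped like DeviceNetworkEvents rows that already matched a feed IP
# (not real telemetry). The process name comes from InitiatingProcessFileName.
IOC_HITS = [
    {"DeviceName": "ws-0142", "RemoteIP": "178.16.54.48", "RemotePort": 443,
     "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "srv-wsus", "RemoteIP": "178.16.52.47", "RemotePort": 443,
     "InitiatingProcessFileName": "wuauclt.exe"},
    {"DeviceName": "ws-0077", "RemoteIP": "178.16.54.48", "RemotePort": 443,
     "InitiatingProcessFileName": "choco.exe"},
]

# Process names from the "Software Update Job" scenario above.
UPDATE_TOOLS = ("wuauclt.exe", "choco.exe")


def _proc(hit: Dict) -> str:
    # Windows file names are case-insensitive, so compare in lower case.
    return hit["InitiatingProcessFileName"].lower()


def keep_with_or_of_not_equals(hits: List[Dict], excluded: Iterable[str]) -> List[Dict]:
    """Exclusion written as  name != A OR name != B.

    With two distinct names at least one inequality always holds, so every
    event survives and the exclusion silently does nothing.
    """
    names = [x.lower() for x in excluded]
    return [h for h in hits if any(_proc(h) != x for x in names)]


def keep_with_not_in(hits: List[Dict], excluded: Iterable[str]) -> List[Dict]:
    """Exclusion written as  name NOT IN (A, B): drops only the listed processes."""
    names = {x.lower() for x in excluded}
    return [h for h in hits if _proc(h) not in names]


def tag_instead_of_drop(hits: List[Dict], excluded: Iterable[str]) -> List[Tuple[str, Dict]]:
    """Keep every IOC hit but label the ones that match a known-benign process.

    A connection to a feed-listed C2 address from an update tool is unusual enough
    that lowering its priority is safer than hiding it entirely.
    """
    names = {x.lower() for x in excluded}
    return [("review" if _proc(h) in names else "high", h) for h in hits]


if __name__ == "__main__":
    print("OR of != keeps :", len(keep_with_or_of_not_equals(IOC_HITS, UPDATE_TOOLS)))
    print("NOT IN keeps   :", len(keep_with_not_in(IOC_HITS, UPDATE_TOOLS)))
    for priority, hit in tag_instead_of_drop(IOC_HITS, UPDATE_TOOLS):
        print(f"{priority:6} {hit['DeviceName']} {hit['InitiatingProcessFileName']} "
              f"-> {hit['RemoteIP']}:{hit['RemotePort']}")
```

The same check applies to the scheduled-task and SQL Server Agent scenarios, which also pair two process names; the LogParser and PowerShell scenarios pair a name with an argument pattern, where OR is the intended narrow exclusion.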