The ThreatFox: Eye Pyramid IOCs rule detects potential adversary activity linked to the Eye Pyramid group, which is associated with advanced persistent threat (APT) tactics and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise by a sophisticated threat actor.
IOC Summary
- Malware Family: Eye Pyramid
- Total IOCs: 2
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 37[.]77[.]150[.]174:4333 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 37[.]77[.]150[.]174:4332 | botnet_cc | 2026-05-25 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Eye Pyramid
// The published IOCs are ip:port (ports 4332 and 4333). The filter below matches on IP only,
// so any traffic to or from the address is returned; IOCPortMatch marks the rows that also
// hit the published port.
let malicious_ips = dynamic(["37.77.150.174"]);
let malicious_ports = dynamic([4332, 4333]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend IOCPortMatch = DestinationPort in (malicious_ports) or SourcePort in (malicious_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity, IOCPortMatch
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// (DeviceNetworkEvents reaches Sentinel through the Microsoft Defender XDR data connector)
let malicious_ips = dynamic(["37.77.150.174"]);
let malicious_ports = dynamic([4332, 4333]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend IOCPortMatch = RemotePort in (malicious_ports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType, IOCPortMatch
| order by Timestamp desc
```
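The two queries above match on the IP alone, which is wider than the published ip:port indicators. The following Python script is an added example (not ThreatFox or Sentinel code) that shows the same hunt offline: it refangs the defanged IOCs from the table, indexes them by IP and port, and runs them over a handful of constructed CommonSecurityLog-style records, separating exact ip:port hits from IP-only hits so an analyst can triage the broader matches first. The record fields and sample values are assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# IOCs exactly as published on the page, in defanged ip:port form.
DEFANGED_IOCS = [
    "37[.]77[.]150[.]174:4333",
    "37[.]77[.]150[.]174:4332",
]

# Constructed sample records shaped like CommonSecurityLog rows (not real telemetry).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-05-26T08:01:00Z", "SourceIP": "10.0.0.5",
     "SourcePort": 51000, "DestinationIP": "37.77.150.174", "DestinationPort": 4333,
     "DeviceAction": "allow", "Activity": "outbound"},
    {"TimeGenerated": "2026-05-26T08:02:00Z", "SourceIP": "10.0.0.7",
     "SourcePort": 51001, "DestinationIP": "37.77.150.174", "DestinationPort": 443,
     "DeviceAction": "allow", "Activity": "outbound"},
    {"TimeGenerated": "2026-05-26T08:03:00Z", "SourceIP": "10.0.0.9",
     "SourcePort": 51002, "DestinationIP": "8.8.8.8", "DestinationPort": 53,
     "DeviceAction": "allow", "Activity": "outbound"},
    {"TimeGenerated": "2026-05-26T08:04:00Z", "SourceIP": "37.77.150.174",
     "SourcePort": 4332, "DestinationIP": "10.0.0.5", "DestinationPort": 50000,
     "DeviceAction": "deny", "Activity": "inbound"},
]


def refang(ioc: str) -> str:
    """Turn the defanged form 37[.]77[.]150[.]174 back into a usable string."""
    return ioc.replace("[.]", ".")


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split an ip:port IOC into a validated IP string and an integer port."""
    host, _, port = refang(ioc).rpartition(":")
    ip = str(ipaddress.ip_address(host))  # raises ValueError on a malformed address
    return ip, int(port)


def build_index(defanged: list[str]) -> dict[str, set[int]]:
    """Map each IOC IP to the set of ports published for it."""
    index: dict[str, set[int]] = {}
    for ioc in defanged:
        ip, port = parse_ip_port(ioc)
        index.setdefault(ip, set()).add(port)
    return index


@dataclass(frozen=True)
class Hit:
    record: dict
    matched_ip: str
    port_match: bool  # True only when the port also matches the published IOC


def hunt(records: list[dict], index: dict[str, set[int]]) -> list[Hit]:
    """Mirror the KQL: match on IP in either direction, then flag exact ip:port hits."""
    hits: list[Hit] = []
    for rec in records:
        for ip_field, port_field in (("DestinationIP", "DestinationPort"),
                                     ("SourceIP", "SourcePort")):
            ip = rec.get(ip_field)
            if ip in index:
                hits.append(Hit(rec, ip, rec.get(port_field) in index[ip]))
                break  # one hit per record is enough for triage
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count exact ip:port matches versus IP-only matches."""
    exact = sum(1 for h in hits if h.port_match)
    return {"exact_ip_port": exact, "ip_only": len(hits) - exact}


def run_hunt() -> list[Hit]:
    return hunt(SAMPLE_RECORDS, build_index(DEFANGED_IOCS))


if __name__ == "__main__":
    found = run_hunt()
    for h in found:
        kind = "EXACT ip:port" if h.port_match else "IP only"
        print(f"{h.record['TimeGenerated']} {h.record['Activity']:8} {h.matched_ip} [{kind}]")
    print(summarize(found))
```

Against the constructed records the script returns three hits, two of which match the published port; the third is traffic to the address on 443, the kind of row the IP-only KQL also returns and which deserves a closer look before being treated as a confirmed C2 contact.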
Data Sources
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios
- Scenario: Scheduled System Maintenance Task
  - Description: A legitimate scheduled task runs a script that matches the IOC pattern due to similar naming or path structure.
  - Filter/Exclusion: Exclude processes initiated by the Task Scheduler with CommandLine containing /S or --schedule.
- Scenario: Admin Tool Execution
  - Description: An administrator uses a legitimate tool like PowerShell or PsExec to perform routine system management tasks that may trigger the IOC.
  - Filter/Exclusion: Exclude processes with ProcessName equal to powershell.exe or psexec.exe and check for admin privileges using the User field.
- Scenario: Log File Analysis Job
  - Description: A security tool like ELK Stack or Splunk runs a job that parses log files and generates output matching the IOC pattern.
  - Filter/Exclusion: Exclude processes with ProcessName containing splunkd or logstash and check for CommandLine containing --log or --file.
- Scenario: Software Update Deployment
  - Description: A legitimate software update process (e.g., using Chocolatey or WSUS) may include files or commands that match the IOC due to similar syntax.
  - Filter/Exclusion: Exclude processes with ProcessName containing choco or wsusutil and check for CommandLine containing update or install.
- Scenario: Network Monitoring Tool Output
  - Description: A network monitoring tool like Wireshark or tcpdump generates output that includes IP addresses or domains matching the IOC.
  - Filter/Exclusion: Exclude processes with ProcessName equal to wireshark or tcpdump and check for CommandLine containing --output or --file.