The ThreatFox: Eye Pyramid IOCs rule matches network telemetry in Microsoft Sentinel (formerly Azure Sentinel) against ThreatFox indicators attributed to the Eye Pyramid malware family, a group associated with advanced persistent threats and sophisticated malware deployment. Both indicators are botnet command-and-control endpoints, so a match points to a host that may already be beaconing rather than one that has merely received a lure. SOC teams should hunt for this traffic proactively to catch early-stage compromises and confirm whether the connecting host is communicating with the listed C2 addresses.
IOC Summary

Malware Family: Eye Pyramid
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 178[.]16[.]54[.]48:443 | botnet_cc | 2026-06-01 | 75% |
| ip:port | 178[.]16[.]52[.]47:443 | botnet_cc | 2026-06-01 | 75% |
Hunting Queries

```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Eye Pyramid
// The IOCs are ip:port pairs on 443. Matching the IP in either direction casts the
// widest net; confirm DestinationPort == 443 on a hit before escalating, since other
// services on the same address would also match here.
let malicious_ips = dynamic(["178.16.54.48", "178.16.52.47"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// RemotePort and the initiating process are projected so a hit on the IOC's port (443)
// from an unexpected process can be separated from other traffic to the same host.
let malicious_ips = dynamic(["178.16.54.48", "178.16.52.47"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector; ensure the firewall or proxy feed that carries outbound connections is onboarded |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; ensure it is enabled and Defender for Endpoint is deployed on the hosts you want to hunt across |
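The two queries above key on the IP alone and paste the list into a `dynamic([...])` literal by hand. The script below, an added example that is not part of this rule page or of ThreatFox, turns an ip:port export into a port-aware KQL hunt and checks the same logic offline against constructed events. The IOC records mirror the two table rows in the shape of a ThreatFox export (field names `ioc`, `ioc_type`, `threat_type`, `malware_printable`, `confidence_level`, `first_seen` follow the ThreatFox API; the values are copied from the table, and the third low-confidence entry in the 192.0.2.0/24 documentation range is invented to exercise the confidence filter). The sample CEF and Defender events are constructed test input, not real telemetry; column names come from the queries above, with `TimeGenerated`/`Timestamp` as the time columns of the respective tables.

```python
"""Generate a port-aware Sentinel hunt from a ThreatFox ip:port export and check it offline."""
from collections import Counter
from ipaddress import ip_address

# Constructed sample: the two Eye Pyramid rows from the IOC table above, in the
# shape of a ThreatFox export (defanged, as published), plus one invented
# low-confidence entry in the 192.0.2.0/24 documentation range.
THREATFOX_EXPORT = [
    {"ioc": "178[.]16[.]54[.]48:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware_printable": "Eye Pyramid", "confidence_level": 75, "first_seen": "2026-06-01"},
    {"ioc": "178[.]16[.]52[.]47:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware_printable": "Eye Pyramid", "confidence_level": 75, "first_seen": "2026-06-01"},
    {"ioc": "192[.]0[.]2[.]10:8080", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware_printable": "Eye Pyramid", "confidence_level": 25, "first_seen": "2026-06-01"},
]

# Sentinel table -> (IP column, port column, time column, column to pivot hits on).
TABLE_COLUMNS = {
    "CommonSecurityLog": ("DestinationIP", "DestinationPort", "TimeGenerated", "SourceIP"),
    "DeviceNetworkEvents": ("RemoteIP", "RemotePort", "Timestamp", "DeviceName"),
}


def refang(value):
    """Undo the defanging used in published IOC tables so values compare to raw logs."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_ip_port(record):
    """Return (ip, port) from an ip:port IOC; reject anything that is not a clean IPv4 and port."""
    if record["ioc_type"] != "ip:port":
        raise ValueError(f"unsupported ioc_type {record['ioc_type']!r}")
    host, sep, port = refang(record["ioc"]).rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed ip:port IOC {record['ioc']!r}")
    return str(ip_address(host)), int(port)  # ip_address() raises on garbage


def select_iocs(records, min_confidence=50):
    """Deduplicated, sorted (ip, port) pairs at or above the ThreatFox confidence threshold."""
    return sorted({parse_ip_port(r) for r in records if r["confidence_level"] >= min_confidence})


def build_kql(records, table="CommonSecurityLog", min_confidence=50):
    """Emit a KQL hunt that joins on IP *and* port, then summarises hits per source.

    Matching the IP alone also fires on traffic to unrelated services hosted on the
    same address; carrying the port from the IOC into the join removes that noise.
    """
    ip_col, port_col, time_col, pivot_col = TABLE_COLUMNS[table]
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in select_iocs(records, min_confidence))
    return (
        "let eye_pyramid_c2 = datatable(ioc_ip:string, ioc_port:int)[\n"
        f"{rows}\n"
        "];\n"
        f"{table}\n"
        f"| join kind=inner eye_pyramid_c2 on $left.{ip_col} == $right.ioc_ip, "
        f"$left.{port_col} == $right.ioc_port\n"
        f"| summarize hits=count(), first_hit=min({time_col}), last_hit=max({time_col}) "
        f"by {pivot_col}, {ip_col}, {port_col}\n"
        "| order by last_hit desc\n"
    )


def match_events(records, table, events, min_confidence=50):
    """Offline equivalent of the KQL join: count hits per (pivot, ip, port)."""
    ip_col, port_col, _, pivot_col = TABLE_COLUMNS[table]
    wanted = set(select_iocs(records, min_confidence))
    hits = Counter()
    for ev in events:
        key = (ev[ip_col], int(ev[port_col]))
        if key in wanted:
            hits[(ev[pivot_col],) + key] += 1
    return dict(hits)


# Constructed telemetry, not real logs: two hits from one host, one same-IP but
# other-port miss (the case the port join exists for), one benign connection.
SAMPLE_CEF_EVENTS = [
    {"TimeGenerated": "2026-06-02T10:00:00Z", "SourceIP": "10.1.2.3",
     "DestinationIP": "178.16.54.48", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-02T10:05:00Z", "SourceIP": "10.1.2.3",
     "DestinationIP": "178.16.54.48", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-02T10:06:00Z", "SourceIP": "10.1.2.9",
     "DestinationIP": "178.16.54.48", "DestinationPort": 80, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-02T10:07:00Z", "SourceIP": "10.1.2.9",
     "DestinationIP": "203.0.113.5", "DestinationPort": 443, "DeviceAction": "allow"},
]
SAMPLE_MDE_EVENTS = [
    {"Timestamp": "2026-06-02T11:00:00Z", "DeviceName": "ws-0042", "RemoteIP": "178.16.52.47",
     "RemotePort": 443, "InitiatingProcessFileName": "outlook.exe", "ActionType": "ConnectionSuccess"},
]

if __name__ == "__main__":
    for table in TABLE_COLUMNS:
        print(build_kql(THREATFOX_EXPORT, table))
    print(match_events(THREATFOX_EXPORT, "CommonSecurityLog", SAMPLE_CEF_EVENTS))
    print(match_events(THREATFOX_EXPORT, "DeviceNetworkEvents", SAMPLE_MDE_EVENTS))
```

Unlike the page's queries, the generated hunt looks only at the destination side of the connection; inbound traffic from the C2 addresses (the `SourceIP in (...)` branch above) is rarer for a botnet_cc indicator and is easy to add as a second join if your perimeter logs it. The `datatable` form also scales to a full ThreatFox export far better than an inline `dynamic([...])` list.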
False Positive Scenarios

- Scenario: System update or patching process using msiexec.exe to install a legitimate Windows update
  Filter/Exclusion: Check the msiexec.exe command line to confirm it references a known Windows Update package name or hash.
- Scenario: Scheduled job running under Task Scheduler to execute a legitimate maintenance script
  Filter/Exclusion: Filter events whose task name matches a known enterprise maintenance task.
- Scenario: Admin performing a system audit using PowerShell with Get-EventLog or Get-WinEvent
  Filter/Exclusion: Exclude processes started by administrators with known audit tools or scripts that are part of standard system monitoring.
- Scenario: Log file rotation using logrotate on Linux systems
  Filter/Exclusion: Filter processes belonging to logrotate or other log management tools, confirming the process is associated with a known log rotation script.
- Scenario: Database backup using sqlcmd or mysqldump
  Filter/Exclusion: Exclude processes whose command line references a known backup script or the connection parameters configured for enterprise backups.