The ThreatFox: Phorpiex IOCs rule detects potential Phorpiex malware activity by matching file hashes observed in endpoint telemetry against known indicators of compromise published for this malware family. SOC teams should proactively hunt for these hashes in Azure Sentinel to identify and contain early-stage Phorpiex infections before they cause significant damage.
IOC Summary
Malware Family: Phorpiex
Total IOCs: 6
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 700fab1c874a6e5948af14c7d122bd48 | payload | 2026-06-11 | 95% |
| sha1_hash | 164493c98f5172618a090b336b9ddf41d90f5751 | payload | 2026-06-11 | 95% |
| md5_hash | 537013864063eb458e47b3fcbbffbc8f | payload | 2026-06-11 | 95% |
| sha256_hash | 7458d3a59fa6682ac4d2e3070ccbd0c223607eed768bd7a99d14f6dc5bfb88b9 | payload | 2026-06-11 | 95% |
| sha1_hash | 07c5bd17e0d1930f324aaa02369fd7e85a6585d6 | payload | 2026-06-11 | 95% |
| sha256_hash | 162a1c2e10796e24e94283907b9af34f7cbb9a38002e374afa715f7d101248fc | payload | 2026-06-11 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Phorpiex
// Note: 'in' is case-sensitive in KQL; the IOC values are lowercase, matching
// how DeviceFileEvents stores hashes (use 'in~' if a source supplies upper-case hashes).
let malicious_hashes = dynamic([
    "700fab1c874a6e5948af14c7d122bd48",
    "164493c98f5172618a090b336b9ddf41d90f5751",
    "537013864063eb458e47b3fcbbffbc8f",
    "7458d3a59fa6682ac4d2e3070ccbd0c223607eed768bd7a99d14f6dc5bfb88b9",
    "07c5bd17e0d1930f324aaa02369fd7e85a6585d6",
    "162a1c2e10796e24e94283907b9af34f7cbb9a38002e374afa715f7d101248fc"
]);
DeviceFileEvents
// Check all three hash columns: an event may carry only some of them
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
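The same matching logic run offline over constructed DeviceFileEvents-style records, as an added example that is not part of the ThreatFox feed or the Sentinel rule above; the sample events, device names and timestamps are invented for illustration.

```python
"""Offline check of DeviceFileEvents-style records against the Phorpiex hashes above."""

# The six hashes from the IOC table above, kept lowercase.
PHORPIEX_HASHES = {
    "700fab1c874a6e5948af14c7d122bd48",
    "164493c98f5172618a090b336b9ddf41d90f5751",
    "537013864063eb458e47b3fcbbffbc8f",
    "7458d3a59fa6682ac4d2e3070ccbd0c223607eed768bd7a99d14f6dc5bfb88b9",
    "07c5bd17e0d1930f324aaa02369fd7e85a6585d6",
    "162a1c2e10796e24e94283907b9af34f7cbb9a38002e374afa715f7d101248fc",
}

# Constructed sample records (not real telemetry) with the columns the query uses.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-11T08:01:00Z", "DeviceName": "ws-01", "FileName": "update.exe",
     "SHA256": "7458D3A59FA6682AC4D2E3070CCBD0C223607EED768BD7A99D14F6DC5BFB88B9",
     "SHA1": None, "MD5": None},                      # upper-case hash from another source
    {"Timestamp": "2026-06-11T08:02:00Z", "DeviceName": "ws-02", "FileName": "notepad.exe",
     "SHA256": "0" * 64, "SHA1": "0" * 40, "MD5": "0" * 32},   # benign, no match
    {"Timestamp": "2026-06-11T08:03:00Z", "DeviceName": "ws-03", "FileName": "svc.exe",
     "SHA256": None, "SHA1": None, "MD5": "537013864063eb458e47b3fcbbffbc8f"},  # MD5 only
]


def match_event(event, iocs=PHORPIEX_HASHES):
    """Return (column, hash) pairs of `event` found in `iocs`, or [] if none.

    Every hash column is checked because an event may carry only some of the
    three hashes. Comparison is case-insensitive so an upper-case hash from a
    different source still matches the lowercase ThreatFox values.
    """
    hits = []
    for column in ("SHA256", "SHA1", "MD5"):
        value = event.get(column)
        if value and value.lower() in iocs:
            hits.append((column, value.lower()))
    return hits


def hunt(events, iocs=PHORPIEX_HASHES):
    """Keep events matching any IOC, newest first, mirroring the KQL query."""
    matched = [dict(e, Matches=match_event(e, iocs)) for e in events if match_event(e, iocs)]
    return sorted(matched, key=lambda e: e["Timestamp"], reverse=True)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], hit["FileName"], hit["Matches"])
```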
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using schtasks.exe
Description: A legitimate system maintenance task scheduled via schtasks.exe may trigger the rule if the command line includes strings resembling Phorpiex IOCs.
Filter/Exclusion: Exclude processes where schtasks.exe is used with the /create or /run flags and the command line includes known legitimate maintenance scripts or paths (e.g., C:\Windows\System32\schtasks.exe).
Scenario: Admin using PowerShell for system cleanup
Description: A system administrator might run PowerShell scripts that include command-line arguments similar to Phorpiex IOCs, such as Invoke-Command or Start-Process, which could be flagged.
Filter/Exclusion: Exclude PowerShell processes initiated by users with administrative privileges and where the script path or command line contains known enterprise cleanup tools (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Legitimate use of certutil.exe for certificate management
Description: The certutil.exe tool is often used to manage certificates and may be used in ways that resemble Phorpiex IOCs, such as fetching or installing certificates.
Filter/Exclusion: Exclude processes where certutil.exe is used with parameters related to certificate management (e.g., -addstore, -getstore) and the command line includes known enterprise certificate paths.
Scenario: Use of msiexec.exe for software deployment
Description: msiexec.exe is commonly used for installing software and may be used in ways that trigger the rule if the command line includes suspicious-looking arguments.
Filter/Exclusion: Exclude processes where msiexec.exe is used with /i