The ThreatFox: SocksProxyGo IOCs rule detects potential adversary use of SocksProxyGo infrastructure to establish covert network communication channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) activities leveraging compromised or malicious proxy services.
IOC Summary

Malware Family: SocksProxyGo
Total IOCs: 4
IOC Types: sha256_hash, url

| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://45[.]76[.]21[.]42/index.js | payload_delivery | 2026-03-18 | 100% |
| url | hxxp://45[.]76[.]21[.]42/svchost.exe | payload_delivery | 2026-03-18 | 100% |
| url | hxxp://45[.]76[.]21[.]42/3/3 | payload_delivery | 2026-03-18 | 100% |
| sha256_hash | 1454b64b74eb655db859d3c1e2c2afc13cbb45b6173dee60923357637da17386 | payload | 2026-03-18 | 100% |
Hunting Queries

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - SocksProxyGo (URLs refanged from the IOC table above)
let malicious_urls = dynamic(["http://45.76.21.42/index.js", "http://45.76.21.42/svchost.exe", "http://45.76.21.42/3/3"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - SocksProxyGo
// The feed only carries SHA-256 values, so only the SHA256 column is compared;
// comparing SHA1 or MD5 against a SHA-256 list can never match.
// in~ makes the comparison case-insensitive in case a feed value is upper-case.
let malicious_hashes = dynamic(["1454b64b74eb655db859d3c1e2c2afc13cbb45b6173dee60923357637da17386"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
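As an added worked example (not code from the original page or from ThreatFox), the Python below takes the indicators exactly as the IOC table lists them, refangs the `hxxp://` and `[.]` notation, and runs the same URL and SHA-256 matching the two KQL queries perform over a handful of constructed events shaped like UrlClickEvents and DeviceFileEvents rows. Every event value (timestamps, accounts, device names, the non-matching hash) is made up for the demonstration; the refanging rules are the common defanging conventions, not a ThreatFox API.

```python
import re

# IOCs as they appear in the ThreatFox table above, still in defanged form.
DEFANGED_IOCS = [
    ("url", "hxxp://45[.]76[.]21[.]42/index.js"),
    ("url", "hxxp://45[.]76[.]21[.]42/svchost.exe"),
    ("url", "hxxp://45[.]76[.]21[.]42/3/3"),
    ("sha256_hash", "1454b64b74eb655db859d3c1e2c2afc13cbb45b6173dee60923357637da17386"),
]


def refang(value: str) -> str:
    """Undo common defanging so the indicator can be compared with raw telemetry."""
    v = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    # hxxp:// and hxxps:// -> http:// and https://
    return re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)


def normalise_url(url: str) -> str:
    """Lower-case and strip a trailing slash so trivial variants still match."""
    return url.strip().lower().rstrip("/")


def build_indicator_sets(iocs):
    """Split the feed into a URL set and a SHA-256 set, normalised for matching."""
    urls, hashes = set(), set()
    for ioc_type, value in iocs:
        if ioc_type == "url":
            urls.add(normalise_url(refang(value)))
        elif ioc_type == "sha256_hash":
            hashes.add(value.strip().lower())
    return urls, hashes


def url_matches(url: str, urls: set) -> bool:
    """Exact match, or the indicator followed by a query string (approximates has_any)."""
    u = normalise_url(url)
    return u in urls or any(u.startswith(i + "?") for i in urls)


# Constructed events (not real telemetry) shaped like the two Sentinel tables.
SAMPLE_EVENTS = [
    {"table": "UrlClickEvents", "Timestamp": "2026-03-19T08:01:00Z",
     "AccountUpn": "alice@example.com", "Url": "http://45.76.21.42/index.js"},
    {"table": "UrlClickEvents", "Timestamp": "2026-03-19T08:02:00Z",
     "AccountUpn": "bob@example.com", "Url": "https://intranet.example.com/index.js"},
    {"table": "UrlClickEvents", "Timestamp": "2026-03-19T08:03:00Z",
     "AccountUpn": "carol@example.com", "Url": "HTTP://45.76.21.42/3/3?ref=mail"},
    {"table": "DeviceFileEvents", "Timestamp": "2026-03-19T08:04:00Z",
     "DeviceName": "ws01", "FileName": "svchost.exe", "FolderPath": r"C:\Users\alice\Downloads",
     "SHA256": "1454B64B74EB655DB859D3C1E2C2AFC13CBB45B6173DEE60923357637DA17386"},
    {"table": "DeviceFileEvents", "Timestamp": "2026-03-19T08:05:00Z",
     "DeviceName": "ws02", "FileName": "notepad.exe", "FolderPath": r"C:\Windows\System32",
     "SHA256": "0" * 64},
]


def hunt(events, iocs=DEFANGED_IOCS):
    """Return the events that match a URL or SHA-256 indicator, newest first."""
    urls, hashes = build_indicator_sets(iocs)
    hits = []
    for ev in events:
        if ev["table"] == "UrlClickEvents" and url_matches(ev["Url"], urls):
            hits.append({"table": ev["table"], "Timestamp": ev["Timestamp"],
                         "subject": ev["AccountUpn"], "indicator": ev["Url"]})
        elif ev["table"] == "DeviceFileEvents" and ev["SHA256"].lower() in hashes:
            hits.append({"table": ev["table"], "Timestamp": ev["Timestamp"],
                         "subject": ev["DeviceName"], "indicator": ev["SHA256"].lower()})
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['Timestamp']} {hit['table']:16} {hit['subject']:20} {hit['indicator']}")
```

The case-folding on both the hash and the URL is deliberate: the feed value is lower-case but endpoint telemetry is not guaranteed to be, and a hunt that silently misses an upper-case SHA-256 is worse than one that never ran.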

Required Data Sources

| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled (Microsoft Defender XDR connector, Defender for Endpoint data) |
| UrlClickEvents | Ensure this data connector is enabled (Microsoft Defender XDR connector, Defender for Office 365 Safe Links data) |

Potential False Positives

The exclusions below use `process.name`-style field names; in the Sentinel queries above the equivalent columns are `InitiatingProcessFileName` and `InitiatingProcessParentFileName`. Each exclusion is written as the condition a row must satisfy to stay in the results, so the negated comparisons are joined with `and`. Joined with `or`, a row would be kept whenever its process name differs from at least one of the listed names, which is always the case, and nothing would be excluded.

Scenario: System Update via Chocolatey
Description: A system update using Chocolatey installs a legitimate package that matches the SocksProxyGo IOC due to similar naming or hash.
Filter/Exclusion: process.name != "choco.exe" and process.parent.name != "choco.exe"

Scenario: Scheduled Job for Network Monitoring
Description: A scheduled job runs a network monitoring tool (e.g., Wireshark or tcpdump) that generates traffic matching SocksProxyGo IOCs.
Filter/Exclusion: process.name != "tcpdump.exe" and process.name != "Wireshark.exe"

Scenario: Admin Task for Proxy Configuration
Description: An administrator configures a proxy server (e.g., Squid or NGINX) using a script that includes IP addresses or domains matching SocksProxyGo IOCs.
Filter/Exclusion: process.name != "squid.exe" and process.name != "nginx.exe"

Scenario: Legitimate Socks Proxy Tool Usage
Description: A developer uses a legitimate socks proxy tool (e.g., socksify or proxychains) which may have similar IOCs.
Filter/Exclusion: process.name != "socksify.exe" and process.name != "proxychains.exe"

Scenario: False Positive from Threat Intelligence Feed
Description: A threat intelligence feed incorrectly lists a benign IP or domain associated with SocksProxyGo, leading to a false positive.
Filter/Exclusion: source == "ThreatFox" and indicator not in known_benign_feed
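As an added example (not from the original page), the Python below applies the network-monitoring and Chocolatey exclusions to a few constructed candidate hits and shows why the `or`-joined form keeps every row while the `and`-joined form drops the intended ones. The process and parent names are made up; the `process_name` / `parent_name` keys stand in for `InitiatingProcessFileName` / `InitiatingProcessParentFileName`, and the `keep` function is one tuning choice rather than the page's own filter.

```python
# Constructed candidate hits, each tagged with the process that produced the event.
CANDIDATES = [
    {"id": 1, "process_name": "choco.exe",     "parent_name": "choco.exe"},
    {"id": 2, "process_name": "svchost.exe",   "parent_name": "choco.exe"},
    {"id": 3, "process_name": "tcpdump.exe",   "parent_name": "cmd.exe"},
    {"id": 4, "process_name": "Wireshark.exe", "parent_name": "explorer.exe"},
    {"id": 5, "process_name": "svchost.exe",   "parent_name": "explorer.exe"},
]


def keep_with_or(ev):
    """The exclusion as originally written: '!=' comparisons joined by 'or'.
    A name can never equal both strings, so this is True for every row."""
    return ev["process_name"] != "tcpdump.exe" or ev["process_name"] != "Wireshark.exe"


def keep_with_and(ev):
    """Intended semantics: drop the row if the process is either monitoring tool."""
    return ev["process_name"] != "tcpdump.exe" and ev["process_name"] != "Wireshark.exe"


NETWORK_TOOLS = {"tcpdump.exe", "wireshark.exe"}
PACKAGE_MANAGERS = {"choco.exe"}


def keep(ev):
    """Case-insensitive allowlist (hypothetical tuning, not the page's filter).

    The Chocolatey exclusion here requires BOTH the process and its parent to be
    choco.exe, which is stricter than the page's filter: a file dropped during a
    package install but executed by some other process is still surfaced.
    """
    name = ev["process_name"].lower()
    parent = ev["parent_name"].lower()
    if name in NETWORK_TOOLS:
        return False
    if name in PACKAGE_MANAGERS and parent in PACKAGE_MANAGERS:
        return False
    return True


def apply_exclusion(events, predicate):
    """Return the ids of the rows a predicate keeps."""
    return [e["id"] for e in events if predicate(e)]


if __name__ == "__main__":
    print("or-joined :", apply_exclusion(CANDIDATES, keep_with_or))
    print("and-joined:", apply_exclusion(CANDIDATES, keep_with_and))
    print("allowlist :", apply_exclusion(CANDIDATES, keep))
```

Lower-casing before comparison matters for the same reason as in the hash hunt: the page lists `Wireshark.exe` with a capital letter, and an exact-case comparison would fail to exclude `wireshark.exe` as logged by some sensors.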