The ThreatFox: SPICA IOCs rule detects potential adversary activity linked to the SPICA malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may have evaded initial detection mechanisms.
IOC Summary
- Malware Family: SPICA
- Total IOCs: 4
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 173[.]44[.]139[.]144:3000 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 45[.]133[.]216[.]15:3000 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 95[.]164[.]17[.]94:3000 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 89[.]19[.]211[.]240:3000 | botnet_cc | 2026-06-15 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - SPICA
let malicious_ips = dynamic(["95.164.17.94", "89.19.211.240", "173.44.139.144", "45.133.216.15"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - SPICA
let malicious_ips = dynamic(["95.164.17.94", "89.19.211.240", "173.44.139.144", "45.133.216.15"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
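The two queries above match on IP only, while the ThreatFox entries are ip:port pairs. As an added example (not part of the rule page or of ThreatFox), the following Python refangs the defanged IOCs and runs the same source/destination match over constructed CommonSecurityLog-style rows, flagging whether the port also matched so exact C2 ip:port hits can be triaged first.

```python
import re

# Constructed from the IOC table above: ThreatFox publishes them defanged ("[.]"),
# so they must be refanged before comparison with log fields.
SPICA_IOCS = [
    "173[.]44[.]139[.]144:3000",
    "45[.]133[.]216[.]15:3000",
    "95[.]164[.]17[.]94:3000",
    "89[.]19[.]211[.]240:3000",
]

_IPPORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def refang(ioc):
    """Turn a defanged 'a[.]b[.]c[.]d:port' IOC into an (ip, port) tuple."""
    m = _IPPORT.match(ioc.replace("[.]", "."))
    if not m:
        raise ValueError(f"not an ip:port IOC: {ioc}")
    return m.group(1), int(m.group(2))


def hunt(records, iocs):
    """Return records whose SourceIP or DestinationIP is in the IOC set,
    annotated with ExactIpPort=True when the port matched too (the port is the
    stronger signal, since hosting IPs get reassigned)."""
    wanted = {refang(i) for i in iocs}
    ips = {ip for ip, _ in wanted}
    hits = []
    for r in records:
        for ip_field, port_field in (("DestinationIP", "DestinationPort"),
                                     ("SourceIP", "SourcePort")):
            ip = r.get(ip_field)
            if ip in ips:
                exact = (ip, r.get(port_field)) in wanted
                hits.append({**r, "MatchedField": ip_field, "ExactIpPort": exact})
                break
    return hits


# Constructed sample rows (not real telemetry) using CommonSecurityLog field names.
SAMPLE_LOGS = [
    {"TimeGenerated": "2026-06-15T10:01:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "95.164.17.94", "DestinationPort": 3000, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:02:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:03:00Z", "SourceIP": "45.133.216.15",
     "SourcePort": 443, "DestinationIP": "10.0.0.9", "DestinationPort": 51000,
     "DeviceAction": "deny"},
]
```

Running `hunt(SAMPLE_LOGS, SPICA_IOCS)` returns the first and third rows; only the first is an exact ip:port match.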
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| System backup or restore process using Veeam Backup & Replication | Exclude file paths containing Veeam or backup in the file_name field. |
| Scheduled job for Windows Task Scheduler performing system diagnostics or log cleanup | Exclude processes with schtasks.exe or Task Scheduler in the process_name field. |
| PowerShell script running as part of a regular system maintenance task (e.g., disk cleanup or registry check) | Exclude processes with powershell.exe where the command line includes diskcleanup, cleanmgr, or reg commands. |
| Ansible playbook execution for configuration management or patching | Exclude processes with ansible in the process_name field and filter by known Ansible playbook paths. |
| Log management tool like Splunk or ELK Stack performing data ingestion or indexing | Exclude file paths containing splunk, logstash, or elasticsearch in the file_name field. |