The ThreatFox: Tofsee IOCs rule matches network connections to command-and-control endpoints that ThreatFox has published for Tofsee, a long-running spam botnet that also delivers additional payloads and runs click-fraud and cryptomining modules on infected hosts. Every IOC in this set is typed botnet_cc, so a hit indicates a host beaconing to a Tofsee controller rather than a targeted intrusion. SOC teams should hunt for this traffic in Microsoft Sentinel so that infected hosts are isolated before they are put to work sending spam or pulling further payloads.
IOC Summary

Malware Family: Tofsee
Total IOCs: 27 (25 listed in the table below)
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 51[.]195[.]111[.]212:416 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]14:416 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 51[.]195[.]111[.]212:418 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]39:427 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]14:425 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 51[.]195[.]111[.]212:425 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]14:418 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 51[.]195[.]111[.]212:428 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]14:428 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]17:424 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]39:428 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 51[.]195[.]111[.]212:430 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]39:430 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 83[.]142[.]209[.]228:424 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]39:424 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 83[.]142[.]209[.]228:420 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]17:420 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]39:420 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]17:425 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 83[.]142[.]209[.]228:425 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]39:425 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 83[.]142[.]209[.]228:431 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]39:431 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]17:431 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]39:419 | botnet_cc | 2026-06-09 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Tofsee
// Caveat: the feed publishes ip:port pairs, but this query matches on IP alone, so it is
// broader than the feed. Check DestinationPort against the listed ports (416-431) before escalating.
let malicious_ips = dynamic(["83.142.209.228", "51.195.111.212", "217.60.241.39", "217.60.241.14", "217.60.241.17"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// InitiatingProcessFileName identifies the process that opened the connection, which is the
// field the false-positive exclusions below operate on.
let malicious_ips = dynamic(["83.142.209.228", "51.195.111.212", "217.60.241.39", "217.60.241.14", "217.60.241.17"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (populated by the CEF/Syslog connector from firewall and proxy logs; carries no process context) |
| DeviceNetworkEvents | Ensure this data connector is enabled (populated by the Microsoft Defender XDR connector for Defender for Endpoint) |
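The queries above match on IP only, while the feed publishes ip:port pairs. The following added example (not from ThreatFox or the original page) parses the defanged table rows into (ip, port) pairs, matches them against constructed DeviceNetworkEvents-style records on both fields, and renders a KQL datatable plus inner join so Sentinel applies the same port-aware match. The log records, the `tofsee_c2` name and the column names are assumptions made for this example; only the IOC values are taken from the table above.

```python
"""Port-aware matching of ThreatFox ip:port IOCs (added example, not the page's own code)."""
import ipaddress
import re

# A subset of the IOC table above, copied in its defanged form (constructed input for this example).
IOC_TABLE = """
| ip:port | 51[.]195[.]111[.]212:416 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]14:416 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 83[.]142[.]209[.]228:424 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 217[.]60[.]241[.]39:431 | botnet_cc | 2026-06-09 | 75% |
"""

# Constructed sample events in the shape of DeviceNetworkEvents (hypothetical hosts and times).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-09T10:00:01Z", "DeviceName": "ws01", "RemoteIP": "51.195.111.212",
     "RemotePort": 416, "InitiatingProcessFileName": "svchost.exe"},
    # Same IP, port not in the feed: not a ThreatFox Tofsee IOC, should be reviewed separately.
    {"Timestamp": "2026-06-09T10:00:02Z", "DeviceName": "ws02", "RemoteIP": "51.195.111.212",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-06-09T10:00:03Z", "DeviceName": "ws03", "RemoteIP": "8.8.8.8",
     "RemotePort": 53, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-09T10:00:04Z", "DeviceName": "ws04", "RemoteIP": "217.60.241.39",
     "RemotePort": 431, "InitiatingProcessFileName": "rundll32.exe"},
]

# Matches one markdown row: "| ip:port | <defanged-ip>:<port> |"
IOC_RE = re.compile(r"\|\s*ip:port\s*\|\s*([0-9\[\]\.]+):(\d+)\s*\|")


def refang(value: str) -> str:
    """Undo the [.] defanging used in ThreatFox exports."""
    return value.replace("[.]", ".")


def parse_iocs(table: str) -> set[tuple[str, int]]:
    """Extract (ip, port) pairs from the markdown rows.

    The address is validated so a garbled row raises instead of becoming a
    string that never matches (or matches the wrong thing)."""
    pairs = set()
    for m in IOC_RE.finditer(table):
        ip = refang(m.group(1))
        ipaddress.ip_address(ip)  # ValueError on a malformed address
        pairs.add((ip, int(m.group(2))))
    return pairs


def match_events(events: list[dict], iocs: set[tuple[str, int]]) -> list[dict]:
    """Return events whose (RemoteIP, RemotePort) is in the IOC set.

    Matching on the pair rather than on IP alone is the point: it is exactly
    what the feed asserts, and it keeps unrelated traffic to a shared host out
    of the alert."""
    return [e for e in events if (e["RemoteIP"], e["RemotePort"]) in iocs]


def render_kql(iocs: set[tuple[str, int]], table: str = "DeviceNetworkEvents",
               ip_col: str = "RemoteIP", port_col: str = "RemotePort") -> str:
    """Emit a KQL datatable of the pairs and an inner join on both columns.

    `tofsee_c2` is a name chosen for this example; the column names default to
    the DeviceNetworkEvents schema."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(iocs))
    return (
        f"let tofsee_c2 = datatable({ip_col}:string, {port_col}:int) [\n{rows}\n];\n"
        f"{table}\n"
        f"| join kind=inner tofsee_c2 on {ip_col}, {port_col}\n"
        f"| project Timestamp, DeviceName, {ip_col}, {port_col}, "
        f"InitiatingProcessFileName, ActionType\n"
        f"| order by Timestamp desc"
    )


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TABLE)
    for hit in match_events(SAMPLE_EVENTS, iocs):
        print(f"HIT {hit['DeviceName']} {hit['RemoteIP']}:{hit['RemotePort']} "
              f"{hit['InitiatingProcessFileName']}")
    print(render_kql(iocs))
```

Feeding the full table into `parse_iocs` and pasting the rendered query into Sentinel gives a hunt that fires only on the published pairs; the IP-only queries above remain useful as a wider net, but their hits on other ports need separate triage.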
False positive scenarios

The exclusions below key on process fields (process.name, command_line), so they apply to the DeviceNetworkEvents query through InitiatingProcessFileName; the CommonSecurityLog query carries no process context and cannot use them. Because every IOC here is a C2 ip:port pair, an exclusion should narrow by process and port, never suppress a connection to a listed pair outright without investigation.

Scenario: Legitimate scheduled job for log analysis
Description: A scheduled job runs a script to analyze system logs using a tool like logrotate or logwatch.
Filter/Exclusion: Exclude processes initiated by a known log analysis tool or scheduled task with a specific command-line argument, e.g., process.name = logwatch or command_line contains --logrotate.

Scenario: Admin task for system cleanup
Description: An administrator uses a tool like CCleaner or Disk Cleanup to remove temporary files.
Filter/Exclusion: Exclude processes with process.name = CCleaner or process.name = cleanmgr.exe (the Disk Cleanup binary) and check for known admin user accounts (e.g., user.name = admin).

Scenario: Automated backup process
Description: A backup tool like Veeam or Commvault runs a backup job that temporarily writes to system directories.
Filter/Exclusion: Exclude processes with process.name = VeeamBackup.exe or process.name = Commvault and check for backup-related command-line arguments (e.g., --backup).

Scenario: System update or patching task
Description: A patching tool like Windows Update or WSUS runs a script to apply updates, which may involve temporary file creation.
Filter/Exclusion: Exclude processes with process.name = wuauclt.exe or the svchost.exe instance hosting the wuauserv service (wuauserv is a service name, not an executable) and check for update-related command-line arguments (e.g., --update).

Scenario: Security tool configuration or scan
Description: A security tool like Nessus, OpenVAS, or Tripwire performs a configuration scan or baseline check.
Filter/Exclusion: Exclude processes with `process.name