The ThreatFox: Tofsee IOCs rule detects potential adversary activity linked to the Tofsee malware family, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that use this infrastructure before they cause significant damage.
IOC Summary
Malware Family: Tofsee
Total IOCs: 17
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 196[.]251[.]121[.]90:429 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 196[.]251[.]121[.]90:422 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 217[.]60[.]241[.]17:422 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 51[.]195[.]111[.]212:422 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 217[.]60[.]241[.]14:422 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 196[.]251[.]121[.]90:431 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 196[.]251[.]121[.]90:430 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 196[.]251[.]121[.]90:419 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 196[.]251[.]121[.]90:425 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 196[.]251[.]121[.]90:427 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 196[.]251[.]121[.]90:418 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 217[.]60[.]241[.]39:422 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 217[.]60[.]241[.]14:419 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 51[.]195[.]111[.]212:419 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 217[.]60[.]241[.]39:421 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 51[.]195[.]111[.]212:421 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 217[.]60[.]241[.]14:421 | botnet_cc | 2026-06-22 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Tofsee
// Note: the IOCs are ip:port pairs; this query matches on IP only, so compare
// DestinationPort against the listed ports when triaging hits.
let malicious_ips = dynamic(["217.60.241.39", "196.251.121.90", "217.60.241.14", "217.60.241.17", "51.195.111.212"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Tofsee
// Matches on RemoteIP only; check RemotePort against the listed ports during triage.
let malicious_ips = dynamic(["217.60.241.39", "196.251.121.90", "217.60.241.14", "217.60.241.17", "51.195.111.212"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
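The KQL above matches on IP address only, while ThreatFox publishes these indicators as ip:port pairs. The following Python helper, an added example that is not part of the original rule page, refangs the table's values, keeps the port, and sorts constructed sample network records into exact indicator hits versus "same host, different port" observations that deserve separate review. The record field names (`remote_ip`, `remote_port`, `device`, `process`) are assumptions chosen to resemble DeviceNetworkEvents columns, and the sample events are constructed, not real telemetry.

```python
"""Refang ThreatFox ip:port IOCs and match them against network log records.

Added example for the Tofsee hunting page; the IOC values are the ones
published in the table above, the log records are constructed samples.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

# IOC values exactly as published on the page, in defanged form.
DEFANGED_IOCS = [
    "196[.]251[.]121[.]90:429", "196[.]251[.]121[.]90:422", "217[.]60[.]241[.]17:422",
    "51[.]195[.]111[.]212:422", "217[.]60[.]241[.]14:422", "196[.]251[.]121[.]90:431",
    "196[.]251[.]121[.]90:430", "196[.]251[.]121[.]90:419", "196[.]251[.]121[.]90:425",
    "196[.]251[.]121[.]90:427", "196[.]251[.]121[.]90:418", "217[.]60[.]241[.]39:422",
    "217[.]60[.]241[.]14:419", "51[.]195[.]111[.]212:419", "217[.]60[.]241[.]39:421",
    "51[.]195[.]111[.]212:421", "217[.]60[.]241[.]14:421",
]

DEFANG_RE = re.compile(r"\[\.\]")


def refang(value: str) -> str:
    """Turn a defanged indicator such as 196[.]251[.]121[.]90:429 into 196.251.121.90:429."""
    return DEFANG_RE.sub(".", value)


def parse_ip_port(value: str) -> Tuple[str, int]:
    """Split a (possibly defanged) ip:port indicator into a validated (ip, port) tuple."""
    ip, _, port = refang(value).rpartition(":")
    if not ip or not port.isdigit():
        raise ValueError(f"not an ip:port indicator: {value!r}")
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return ip, int(port)


def build_ioc_sets(values: Iterable[str]) -> Tuple[Set[Tuple[str, int]], Set[str]]:
    """Return the set of (ip, port) pairs and the set of bare IPs derived from them."""
    pairs = {parse_ip_port(v) for v in values}
    ips = {ip for ip, _ in pairs}
    return pairs, ips


def classify(record: Dict, pairs: Set[Tuple[str, int]], ips: Set[str]) -> str:
    """'exact' when remote ip:port is a listed IOC, 'ip_only' when only the IP is, else 'none'."""
    if (record["remote_ip"], record["remote_port"]) in pairs:
        return "exact"
    if record["remote_ip"] in ips:
        return "ip_only"
    return "none"


# Constructed sample records (not real telemetry), shaped like DeviceNetworkEvents rows.
SAMPLE_EVENTS = [
    {"device": "ws-01", "remote_ip": "196.251.121.90", "remote_port": 429, "process": "svchost.exe"},
    {"device": "ws-02", "remote_ip": "196.251.121.90", "remote_port": 443, "process": "chrome.exe"},
    {"device": "ws-03", "remote_ip": "10.0.0.5", "remote_port": 445, "process": "explorer.exe"},
    {"device": "ws-04", "remote_ip": "51.195.111.212", "remote_port": 421, "process": "unknown.exe"},
]


def hunt(events: List[Dict], values: Iterable[str] = DEFANGED_IOCS) -> Dict[str, List[str]]:
    """Group device names by verdict so exact hits can be escalated ahead of IP-only ones."""
    pairs, ips = build_ioc_sets(values)
    hits: Dict[str, List[str]] = {"exact": [], "ip_only": []}
    for event in events:
        verdict = classify(event, pairs, ips)
        if verdict != "none":
            hits[verdict].append(event["device"])
    return hits


if __name__ == "__main__":
    for verdict, devices in hunt(SAMPLE_EVENTS).items():
        print(f"{verdict}: {devices}")
```

An IP-only match (ws-02 above, port 443) is still worth a look because the host is shared botnet infrastructure, but separating it from exact ip:port hits keeps the triage queue honest about confidence.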
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Scheduled system maintenance job using schtasks.exe to run a legitimate script | `process.parent_process_name == "schtasks.exe" && process.command_line contains "schtasks" && process.command_line contains "/create"` |
| Admin performing a disk cleanup using cleanmgr.exe | `process.name == "cleanmgr.exe" && process.parent_process_name == "explorer.exe"` |
| Running a legitimate PowerShell script for log management using powershell.exe | `process.name == "powershell.exe" && process.command_line contains "log-management-script.ps1"` |
| Using taskkill.exe to terminate a non-malicious process during troubleshooting | `process.name == "taskkill.exe" && process.command_line contains "/pid" && process.command_line contains "1234" && process.command_line contains " -t"` |
| Executing a legitimate backup tool like Veeam Backup & Replication using veeam.exe | `process.name == "veeam.exe" && process.parent_process_name == "svchost.exe" && process.command_line contains "backup"` |