The ThreatFox: Tofsee IOCs rule detects potential adversary activity linked to the Tofsee malware family, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging these IOCs before they cause significant damage.
IOC Summary
Malware Family: Tofsee
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 83[.]142[.]209[.]228:416 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 64[.]89[.]161[.]178:480 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 217[.]60[.]241[.]17:416 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 217[.]60[.]241[.]39:416 | botnet_cc | 2026-06-04 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Tofsee
// Note: ThreatFox publishes these indicators with ports (416/480); this query matches on IP only.
let malicious_ips = dynamic(["217.60.241.17", "83.142.209.228", "64.89.161.178", "217.60.241.39"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// RemotePort is projected so analysts can compare it against the ports listed for each IOC.
let malicious_ips = dynamic(["217.60.241.17", "83.142.209.228", "64.89.161.178", "217.60.241.39"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
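The queries above match on IP alone, while ThreatFox lists each Tofsee indicator as an ip:port pair. The following Python script is an added example, not part of the ThreatFox page or of any Sentinel content: it refangs the four published indicators, generates a port-aware variant of the CommonSecurityLog hunt as KQL text, and classifies constructed CommonSecurityLog-style records into "ip_port" (address and port both match) and "ip_only" (address only) tiers. The sample records, the `IocMatch` column name and the helper names are assumptions made for the example.

```python
import ipaddress
import json

# The four ThreatFox ip:port indicators from the table above, exactly as published (defanged).
TOFSEE_IOCS_DEFANGED = [
    "83[.]142[.]209[.]228:416",
    "64[.]89[.]161[.]178:480",
    "217[.]60[.]241[.]17:416",
    "217[.]60[.]241[.]39:416",
]


def refang(ioc):
    """Convert a defanged 'a[.]b[.]c[.]d:port' string into a validated (ip, port) pair."""
    ip_part, sep, port_part = ioc.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError("no port in indicator %r" % ioc)
    ip = ipaddress.ip_address(ip_part)  # raises ValueError if the address is malformed
    port = int(port_part)
    if not 0 < port < 65536:
        raise ValueError("bad port in indicator %r" % ioc)
    return str(ip), port


def load_iocs(defanged):
    """Return {ip: {port, ...}} so an IP listed with several C2 ports collapses to one key."""
    by_ip = {}
    for raw in defanged:
        ip, port = refang(raw)
        by_ip.setdefault(ip, set()).add(port)
    return by_ip


def build_kql(by_ip, table="CommonSecurityLog"):
    """Render a port-aware variant of the page's CommonSecurityLog hunt as KQL text."""
    ips = sorted(by_ip)
    ip_ports = sorted("%s:%d" % (ip, port) for ip, ports in by_ip.items() for port in ports)
    return "\n".join([
        "let ioc_ips = dynamic(%s);" % json.dumps(ips),
        "let ioc_ip_ports = dynamic(%s);" % json.dumps(ip_ports),
        table,
        "| where DestinationIP in (ioc_ips) or SourceIP in (ioc_ips)",
        '| extend IocMatch = iff(strcat(DestinationIP, ":", tostring(DestinationPort)) in (ioc_ip_ports)',
        '    or strcat(SourceIP, ":", tostring(SourcePort)) in (ioc_ip_ports), "ip_port", "ip_only")',
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity, IocMatch",
        "| order by TimeGenerated desc",
    ])


def classify(record, by_ip):
    """Classify one CommonSecurityLog-style record: 'ip_port', 'ip_only' or None (no IOC involvement)."""
    for ip_field, port_field in (("DestinationIP", "DestinationPort"), ("SourceIP", "SourcePort")):
        ip = record.get(ip_field)
        if ip in by_ip:
            return "ip_port" if record.get(port_field) in by_ip[ip] else "ip_only"
    return None


def hunt(records, by_ip):
    """Return [(record, tier)] for every record touching an IOC IP, port-matched hits first."""
    hits = [(r, tier) for r in records if (tier := classify(r, by_ip))]
    return sorted(hits, key=lambda h: h[1] != "ip_port")


# Constructed CommonSecurityLog-style rows for the example (not real telemetry).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-06-04T10:01:00Z", "SourceIP": "10.0.0.15", "SourcePort": 51234,
     "DestinationIP": "217.60.241.17", "DestinationPort": 416, "DeviceAction": "allow", "Activity": "outbound"},
    {"TimeGenerated": "2026-06-04T10:02:00Z", "SourceIP": "10.0.0.22", "SourcePort": 51235,
     "DestinationIP": "217.60.241.17", "DestinationPort": 443, "DeviceAction": "allow", "Activity": "outbound"},
    {"TimeGenerated": "2026-06-04T10:03:00Z", "SourceIP": "83.142.209.228", "SourcePort": 416,
     "DestinationIP": "10.0.0.5", "DestinationPort": 22, "DeviceAction": "deny", "Activity": "inbound"},
    {"TimeGenerated": "2026-06-04T10:04:00Z", "SourceIP": "10.0.0.15", "SourcePort": 51236,
     "DestinationIP": "8.8.8.8", "DestinationPort": 53, "DeviceAction": "allow", "Activity": "outbound"},
]


if __name__ == "__main__":
    iocs = load_iocs(TOFSEE_IOCS_DEFANGED)
    print(build_kql(iocs))
    for record, tier in hunt(SAMPLE_RECORDS, iocs):
        print(tier, record["SourceIP"], "->", record["DestinationIP"], record["DestinationPort"])
```

The "ip_only" tier is kept rather than dropped because a C2 address reused on another port is still worth a look, but ranking port-matched hits first keeps the analyst's attention on the rows that reproduce the published indicator exactly.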
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that queries external threat intelligence feeds, which may include Tofsee IOCs.
Filter/Exclusion: Exclude processes associated with schtasks.exe or Task Scheduler services, or filter by known maintenance scripts (e.g., maintenance_check.ps1).

Scenario: Admin Performing Threat Intelligence Lookup
Description: An admin uses a tool like ThreatIntel or Mandiant Adjudicator to manually check for IOCs, which may include Tofsee indicators.
Filter/Exclusion: Exclude processes initiated by admin accounts with known threat intel tools, or filter by specific command-line arguments used during lookups.

Scenario: Log Collection and Analysis Tool
Description: A tool like Splunk or ELK Stack is configured to collect and analyze logs, which may inadvertently include Tofsee IOCs in log data.
Filter/Exclusion: Exclude processes related to log collection tools, or filter by log sources (e.g., syslog, eventlog) and exclude known log parsing scripts.

Scenario: Automated Patch Management Task
Description: A patch management tool like Microsoft Update or WSUS may query external sources for updates, which could include Tofsee IOCs.
Filter/Exclusion: Exclude processes related to patch management tools, or filter by specific update-related command-line arguments (e.g., wuauclt.exe).

Scenario: Cloud Security Posture Management (CSPM) Tool
Description: A CSPM tool like Cloud Security Fabric or Tenable.io may scan for misconfigurations or vulnerabilities, which could trigger Tofsee IOCs.
Filter/Exclusion: Exclude processes associated with CSPM
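The scenarios above suggest excluding whole processes from the DeviceNetworkEvents hunt. An exclusion written that way hides a real infection the moment the excluded process reaches the actual C2 port, so the following Python script, an added example that is not part of the ThreatFox page or of any Sentinel content, shows a narrower way to apply them: a hit on an IOC IP from an expected process is only suppressed when the remote port does not match the published indicator, and is otherwise flagged for review rather than dropped. The expected-process list (built from the maintenance script and Windows Update client named in the scenarios), the sample DeviceNetworkEvents-style rows and the status names are assumptions made for the example.

```python
# The page's four Tofsee C2 indicators, refanged, keyed by IP with the published port(s).
TOFSEE_C2 = {
    "83.142.209.228": {416},
    "64.89.161.178": {480},
    "217.60.241.17": {416},
    "217.60.241.39": {416},
}

# Hypothetical exclusion list derived from the scenarios above. Entries are matched
# case-insensitively against the process image name and as a substring of its command
# line, because a script such as maintenance_check.ps1 shows up in the command line of
# powershell.exe rather than as the image name itself.
EXPECTED_PROCESSES = {"maintenance_check.ps1", "wuauclt.exe"}


def is_expected(ev, expected):
    """True if the initiating process matches one of the known-scenario entries."""
    image = ev.get("InitiatingProcessFileName", "").lower()
    cmdline = ev.get("InitiatingProcessCommandLine", "").lower()
    return image in expected or any(entry in cmdline for entry in expected)


def triage_event(ev, iocs=TOFSEE_C2, expected=EXPECTED_PROCESSES):
    """Decide what to do with one DeviceNetworkEvents-style row; None means no IOC involvement."""
    ports = iocs.get(ev["RemoteIP"])
    if ports is None:
        return None
    port_hit = ev["RemotePort"] in ports
    if is_expected(ev, expected):
        # Known scenario on a non-indicator port: keep the row for audit, do not page anyone.
        # Known scenario on the published C2 port: this is what a blanket exclusion would hide.
        return "review" if port_hit else "suppressed"
    return "alert"


def triage(events, iocs=TOFSEE_C2, expected=EXPECTED_PROCESSES):
    """Bucket every event that touched an IOC IP: {status: [DeviceName, ...]}."""
    out = {"alert": [], "review": [], "suppressed": []}
    for ev in events:
        status = triage_event(ev, iocs, expected)
        if status:
            out[status].append(ev["DeviceName"])
    return out


# Constructed DeviceNetworkEvents-style rows for the example (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "WS-01", "RemoteIP": "217.60.241.17", "RemotePort": 416,
     "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessCommandLine": "svchost.exe -k netsvcs"},
    {"DeviceName": "SRV-TI", "RemoteIP": "217.60.241.17", "RemotePort": 443,
     "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -File C:\\Scripts\\maintenance_check.ps1"},
    {"DeviceName": "WS-02", "RemoteIP": "64.89.161.178", "RemotePort": 480,
     "InitiatingProcessFileName": "wuauclt.exe",
     "InitiatingProcessCommandLine": "wuauclt.exe /detectnow"},
    {"DeviceName": "WS-03", "RemoteIP": "1.1.1.1", "RemotePort": 443,
     "InitiatingProcessFileName": "chrome.exe",
     "InitiatingProcessCommandLine": "chrome.exe"},
]


if __name__ == "__main__":
    for status, devices in triage(SAMPLE_EVENTS).items():
        print(status, devices)
```

Suppressed rows are still returned, so the exclusion can be audited (how often it fires, from which hosts) instead of silently shrinking the hunt's coverage.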