The ThreatFox: Tofsee IOCs rule hunts for network connections to command-and-control (C2) infrastructure that ThreatFox attributes to Tofsee, a long-running modular botnet best known for spam distribution and for loading additional plugins (proxy, DDoS, mining) onto infected hosts. Every indicator below is tagged botnet_cc, so a match means a host is talking to suspected C2, not merely visiting a suspicious site. SOC teams should run these queries proactively in Microsoft Sentinel (formerly Azure Sentinel) and triage hits as candidate infections, keeping in mind that ThreatFox indicators carry a confidence score, age out, and can point at shared hosting that later serves unrelated tenants.
IOC Summary
Malware Family: Tofsee
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 217[.]60[.]241[.]17:426 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 217[.]60[.]241[.]17:427 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 83[.]142[.]209[.]228:426 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 83[.]142[.]209[.]228:427 | botnet_cc | 2026-05-24 | 75% |
```kql
// Hunt for network connections to known malicious IPs (firewall / proxy CEF logs)
// Source: ThreatFox - Tofsee
// Note: matches on IP only; the port from the IOC table is surfaced for triage, not filtered on
let malicious_ips = dynamic(["217.60.241.17", "83.142.209.228"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Tofsee
let malicious_ips = dynamic(["217.60.241.17", "83.142.209.228"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
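The two queries above match on bare IP, which discards half of what ThreatFox published: each indicator is an ip:port pair, and the two hosts may serve unrelated traffic on other ports. The query below is an added example, not part of the original rule, that joins the exact ip:port pairs from the IOC table against both telemetry sources in one pass and rolls the hits up per host. It assumes the standard Microsoft Sentinel schemas for CommonSecurityLog (Computer, DestinationIP, DestinationPort, DeviceAction) and DeviceNetworkEvents (DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType) and a 30-day lookback chosen for illustration; the first_seen and confidence values are copied from the table above.

```kql
// Added example: match the exact ip:port pairs published by ThreatFox for Tofsee,
// across CommonSecurityLog and DeviceNetworkEvents, and summarize per source/host.
let tofsee_iocs = datatable(ip:string, port:int, first_seen:datetime, confidence:int) [
    "217.60.241.17",  426, datetime(2026-05-24), 75,
    "217.60.241.17",  427, datetime(2026-05-24), 75,
    "83.142.209.228", 426, datetime(2026-05-24), 75,
    "83.142.209.228", 427, datetime(2026-05-24), 75
];
let lookback = 30d;   // assumed window; adjust to your retention / hunt scope
// Firewall and proxy telemetry delivered as CEF. Both schemas define the port as int;
// toint() is defensive in case a custom parser mapped it as string.
let csl = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | project TimeGenerated,
              Source = "CommonSecurityLog",
              Host = Computer,
              SourceIP,
              ip = DestinationIP,
              port = toint(DestinationPort),
              Process = "",
              Action = DeviceAction;
// Defender for Endpoint network telemetry, normalized to the same column names.
let mde = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | project TimeGenerated = Timestamp,
              Source = "DeviceNetworkEvents",
              Host = DeviceName,
              SourceIP = LocalIP,
              ip = RemoteIP,
              port = toint(RemotePort),
              Process = InitiatingProcessFileName,
              Action = ActionType;
union csl, mde
// inner join on both columns: a connection to 217.60.241.17:80 does not match
| join kind=inner tofsee_iocs on ip, port
| summarize FirstHit = min(TimeGenerated),
            LastHit = max(TimeGenerated),
            Hits = count(),
            Hosts = make_set(Host, 50),
            Processes = make_set(Process, 20),
            Actions = make_set(Action, 10)
    by Source, ip, port, first_seen, confidence
| order by LastHit desc
```

Run this alongside the bare-IP queries rather than instead of them: the ip:port join is the high-precision check, while the bare-IP match still catches a C2 that rotates ports and should have its port examined during triage. A hit where Action shows the firewall blocked the connection is still an infected host trying to reach C2, not a non-event.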
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) connector; firewall and proxy logs must be forwarded as CEF for the first query to return anything |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR (Defender for Endpoint) connector; confirm the advanced hunting tables are enabled for this workspace |
False Positive Scenarios
Note: the scenarios below describe legitimate use of download and transfer tools. They apply only if this hunt is extended to process or command-line telemetry (for example DeviceProcessEvents). The ip:port queries above match destination addresses, so none of these exclusions should be applied to them: a connection to a listed address from curl, wget or rsync is still a hit.
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that uses curl to fetch a configuration file from an internal server.
Filter/Exclusion: Exclude curl commands where the URL matches internal domain patterns (e.g., *.internal.corp).
Scenario: Admin Task - User Management Script
Description: An admin runs a script that uses wget to download a user list from a local server for batch processing.
Filter/Exclusion: Exclude wget commands where the URL is within the company's internal IP range (e.g., 10.0.0.0/8).
Scenario: Log Collection via Fluentd
Description: The enterprise uses Fluentd to collect logs from various services, which may involve curl or wget to ship data to a central logging server.
Filter/Exclusion: Exclude traffic to known internal log aggregation endpoints (e.g., logs.central.corp).
Scenario: Software Update via Chocolatey
Description: A system administrator uses Chocolatey to install updates, which may involve downloading packages from a trusted internal repository.
Filter/Exclusion: Exclude package downloads from internal Chocolatey repositories (e.g., internal-repo.corp).
Scenario: Backup Job Using rsync
Description: A backup job uses rsync to transfer data to a remote backup server and may also invoke curl to fetch or post job metadata.
Filter/Exclusion: Exclude curl or wget commands associated with backup jobs (e.g., process name backup-job.sh). A process name alone is trivial to spoof, so scope the exclusion to the job's service account and the script's installed path or hash as well.