The ThreatFox: ValleyRAT IOCs rule detects potential command and control communication associated with the ValleyRAT malware, which is known for exfiltrating sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage these IOCs to maintain persistence and steal credentials.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | gxfsxs.cn | botnet_cc | 2026-05-23 | 100% |
| domain | zythdolm.cn | botnet_cc | 2026-05-23 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ValleyRAT
let malicious_domains = dynamic(["gxfsxs.cn", "zythdolm.cn"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
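To check what the hunt query's `Name has_any (...)` filter will and will not flag before running it in Sentinel, here is an added offline re-implementation of its matching logic in Python (example code, not part of the ThreatFox rule); the DnsEvents rows are constructed sample data, and the label-boundary matching approximates KQL term semantics rather than reproducing the engine exactly.

```python
# Added example: offline equivalent of the Sentinel hunt query above.
# KQL `has` matches whole terms, so "cdn.gxfsxs.cn" matches the IOC
# "gxfsxs.cn" while "notgxfsxs.cn" does not; this is mirrored here by
# comparing DNS labels rather than raw substrings.

# IOC list copied from the rule.
MALICIOUS_DOMAINS = ["gxfsxs.cn", "zythdolm.cn"]

# Constructed DnsEvents-like rows for testing (not real telemetry).
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-23T08:01:00Z", "Computer": "ws01", "Name": "gxfsxs.cn", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T08:05:00Z", "Computer": "ws02", "Name": "notgxfsxs.cn", "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T08:09:00Z", "Computer": "ws03", "Name": "cdn.zythdolm.cn", "IPAddresses": "203.0.113.12", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T08:12:00Z", "Computer": "ws01", "Name": "www.example.com", "IPAddresses": "203.0.113.13", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T08:20:00Z", "Computer": "ws04", "Name": "GXFSXS.CN.", "IPAddresses": "203.0.113.10", "QueryType": "AAAA"},
]

PROJECTED_COLUMNS = ("TimeGenerated", "Computer", "Name", "IPAddresses", "QueryType")


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().rstrip(".").lower().split(".")


def domain_matches(name: str, ioc: str) -> bool:
    """True if the IOC's labels appear contiguously in the queried name
    (case-insensitive), e.g. the IOC itself, a subdomain of it, or the
    IOC embedded as a label sequence; a longer label such as
    'notgxfsxs' never matches 'gxfsxs'."""
    labels, want = _labels(name), _labels(ioc)
    width = len(want)
    return any(labels[i:i + width] == want for i in range(len(labels) - width + 1))


def hunt_dns_events(events: list[dict], iocs: list[str] = MALICIOUS_DOMAINS) -> list[dict]:
    """Equivalent of: where Name has_any (iocs) | project ... | order by TimeGenerated desc."""
    hits = [e for e in events if any(domain_matches(e["Name"], ioc) for ioc in iocs)]
    projected = [{col: e[col] for col in PROJECTED_COLUMNS} for e in hits]
    # ISO-8601 UTC timestamps sort correctly as strings.
    return sorted(projected, key=lambda e: e["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for row in hunt_dns_events(SAMPLE_DNS_EVENTS):
        print(row)
```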
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may trigger the rule if it contains a file or network connection matching ValleyRAT IOCs.
Filter/Exclusion: Check for process.name containing “Veeam” or file.name containing “Veeam” in the event log.
Scenario: Admin Task Using PowerShell for Log Management
Description: A system administrator may use PowerShell scripts (e.g., Get-EventLog, Export-Csv) to manage logs, which could resemble malicious activity if the script name or command matches ValleyRAT IOCs.
Filter/Exclusion: Filter by process.user to include only admin accounts (e.g., user.name = "Administrator") or check for process.command_line containing “PowerShell” and “log” or “eventlog”.
Scenario: Network Monitoring Tool Using Wireshark for Traffic Analysis
Description: A network analyst using Wireshark to capture and analyze network traffic may trigger the rule if the captured file or connection matches ValleyRAT IOCs.
Filter/Exclusion: Filter by process.name containing “Wireshark” or check for process.command_line containing “tshark” or “capture”.
Scenario: Software Update Using Microsoft Endpoint Configuration Manager (MECM)
Description: A legitimate software update process via MECM may involve downloading files or connecting to servers that could be flagged by the ValleyRAT detection rule.
Filter/Exclusion: Check for process.name containing “ConfigMgr” or “MECM” and verify the source IP against known Microsoft update servers.
Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent job performing a database