The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage to the network.
IOC Summary
Malware Family: VShell
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 202[.]162[.]106[.]233:18082 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 47[.]99[.]204[.]80:8821 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 112[.]121[.]165[.]42:80 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 112[.]121[.]165[.]43:80 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 101[.]43[.]128[.]56:8080 | botnet_cc | 2026-06-15 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: this matches on IP address only; the IOCs above are ip:port pairs,
// so check DestinationPort in the results against the listed ports.
let malicious_ips = dynamic(["202.162.106.233", "47.99.204.80", "112.121.165.42", "101.43.128.56", "112.121.165.43"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Note: matches on RemoteIP only; compare RemotePort against the IOC ports.
let malicious_ips = dynamic(["202.162.106.233", "47.99.204.80", "112.121.165.42", "101.43.128.56", "112.121.165.43"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
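The two hunting queries above match on IP address alone, while the ThreatFox indicators are ip:port pairs; three of the five sit on port 80 or 8080, where a shared host can carry plenty of benign traffic. The script below is an added example (not part of the original rule page or of ThreatFox) that refangs the defanged `ip[.]x[.]y[.]z:port` strings from the IOC table, matches events on the exact ip:port pair, shows the looser IP-only match for comparison, and renders the set as a KQL `datatable` for a port-aware join in Sentinel. The `SAMPLE_EVENTS` records are constructed sample data shaped like `DeviceNetworkEvents` rows, not real telemetry, and the function names are the example's own.

```python
"""Port-aware IOC matching for the ThreatFox VShell ip:port indicators.

Added example, not code from the original rule page. The hunting queries
on the page match on IP only; here the match is on the (ip, port) pair,
which is what the indicators actually describe.
"""
import re
from typing import Iterable

# IOC strings exactly as listed in the page's table (defanged with [.]).
VSHELL_IOCS = [
    "202[.]162[.]106[.]233:18082",
    "47[.]99[.]204[.]80:8821",
    "112[.]121[.]165[.]42:80",
    "112[.]121[.]165[.]43:80",
    "101[.]43[.]128[.]56:8080",
]

# Accept only the defanged form so a stray already-refanged or malformed
# string is rejected instead of silently producing a bad indicator.
_IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")


def refang(ioc: str) -> tuple[str, int]:
    """Turn '1[.]2[.]3[.]4:80' into ('1.2.3.4', 80); raise on anything else."""
    m = _IOC_RE.match(ioc.strip())
    if not m:
        raise ValueError(f"not a defanged ip:port indicator: {ioc!r}")
    ip = m.group(1).replace("[.]", ".")
    port = int(m.group(2))
    if not 0 < port < 65536 or any(int(o) > 255 for o in ip.split(".")):
        raise ValueError(f"out-of-range ip or port in {ioc!r}")
    return ip, port


def load_iocs(raw: Iterable[str]) -> set[tuple[str, int]]:
    """Refang every indicator into a set of (ip, port) pairs."""
    return {refang(i) for i in raw}


def match_events(events, iocs):
    """Return events whose (RemoteIP, RemotePort) pair is a known IOC.

    Events are dicts with RemoteIP/RemotePort keys, mirroring the
    DeviceNetworkEvents columns. Matching the pair, not the bare IP,
    keeps unrelated traffic to a shared host on :80 from firing.
    """
    return [e for e in events if (e["RemoteIP"], int(e["RemotePort"])) in iocs]


def ip_only_matches(events, iocs):
    """The looser behaviour of the page's queries: IP match, any port."""
    ips = {ip for ip, _ in iocs}
    return [e for e in events if e["RemoteIP"] in ips]


def kql_datatable(iocs) -> str:
    """Render the IOC set as a KQL datatable literal for a port-aware join."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(iocs))
    return f"let vshell_iocs = datatable(ip:string, port:int) [\n{rows}\n];"


# Constructed sample events (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "202.162.106.233", "RemotePort": 18082},
    {"DeviceName": "ws02", "RemoteIP": "112.121.165.42", "RemotePort": 443},  # IOC host, non-IOC port
    {"DeviceName": "ws03", "RemoteIP": "112.121.165.43", "RemotePort": 80},
    {"DeviceName": "ws04", "RemoteIP": "8.8.8.8", "RemotePort": 53},
]

if __name__ == "__main__":
    iocs = load_iocs(VSHELL_IOCS)
    for hit in match_events(SAMPLE_EVENTS, iocs):
        print(f"HIT {hit['DeviceName']} -> {hit['RemoteIP']}:{hit['RemotePort']}")
    print(kql_datatable(iocs))
```

On the sample data the pair match fires for ws01 and ws03 only, while the IP-only match also flags ws02, whose connection to 112.121.165.42 went to port 443 rather than the listed port 80. The emitted `datatable` can be joined in Sentinel with `DeviceNetworkEvents | join kind=inner vshell_iocs on $left.RemoteIP == $right.ip, $left.RemotePort == $right.port`; keep the page's IP-only query as a broader hunt, and use the pair match for the alert-grade rule.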
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses vshell as part of a system maintenance routine, such as log rotation or backup.
Filter/Exclusion: Exclude processes initiated by the schtasks service or tasks with a known maintenance name (e.g., DailyBackup, LogRotation).
Scenario: Admin Using VShell for Remote Management
Description: An administrator uses vshell (e.g., vshell.exe) to remotely manage a server, which is a legitimate use case for some enterprise environments.
Filter/Exclusion: Exclude processes initiated from known admin workstations or with user accounts in the Administrators group.
Scenario: Automated Deployment Tool Using VShell
Description: A CI/CD tool like Jenkins or Ansible uses vshell to execute commands on remote servers during deployment.
Filter/Exclusion: Exclude processes with parent processes from known CI/CD tools (e.g., jenkins.exe, ansible.exe) or with command lines containing deployment-related keywords.
Scenario: Log Analysis Tool Generating VShell Output
Description: A log analysis tool like Splunk or ELK Stack uses vshell to parse or generate logs, which may trigger the detection rule.
Filter/Exclusion: Exclude processes with parent processes from log analysis tools or with command lines containing log-related keywords (e.g., log, analyze, parse).
Scenario: Legacy Application Using VShell for Network Communication
Description: An older enterprise application (e.g., a custom .NET app) uses vshell for internal network communication, which is part of its normal operation.
Filter/Exclusion: Exclude processes associated with known legacy applications or with execution paths in a specific enterprise directory (