The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, leveraging known indicators of compromise to identify malicious network traffic or command-and-control communications. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be leveraging VShell for data exfiltration or lateral movement within the network.
IOC Summary

Malware Family: VShell
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 107[.]151[.]246[.]172:8084 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 106[.]75[.]227[.]186:8084 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 106[.]13[.]201[.]122:8080 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 195[.]154[.]43[.]205:8080 | botnet_cc | 2026-05-26 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["107.151.246.172", "195.154.43.205", "106.75.227.186", "106.13.201.122"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["107.151.246.172", "195.154.43.205", "106.75.227.186", "106.13.201.122"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
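The hunting queries above match on source or destination IP alone, while the feed publishes ip:port pairs. The following Python script is an added example, not part of the ThreatFox feed or of this Sentinel rule: it refangs the four indicators from the IOC table, renders the `dynamic([...])` list the queries use, and tiers network flows by whether both the remote IP and the port match a published C2 endpoint, so exact ip:port hits can be triaged ahead of IP-only hits. The internal hosts, ephemeral ports and process names in the sample flows are constructed.

```python
"""Refang ThreatFox ip:port IOCs and tier network flows by match precision.

Added example; the indicators are the four from the IOC table above, the
sample flows at the bottom are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Defanged ip:port indicators copied from the IOC table above (ThreatFox, VShell).
DEFANGED_IOCS = [
    "107[.]151[.]246[.]172:8084",
    "106[.]75[.]227[.]186:8084",
    "106[.]13[.]201[.]122:8080",
    "195[.]154[.]43[.]205:8080",
]

_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def refang(value: str) -> tuple[str, int]:
    """Convert a defanged 'a[.]b[.]c[.]d:port' string to ('a.b.c.d', port).

    Malformed feed entries raise ValueError instead of silently becoming an
    indicator that never matches anything.
    """
    ip_part, sep, port_part = value.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"missing port in IOC {value!r}")
    match = _IPV4.match(ip_part)
    if match is None or any(int(octet) > 255 for octet in match.groups()):
        raise ValueError(f"invalid IPv4 address in IOC {value!r}")
    port = int(port_part)
    if not 0 < port < 65536:
        raise ValueError(f"invalid port in IOC {value!r}")
    return ip_part, port


# Exact C2 endpoints, and the bare IPs that the KQL queries above match on.
IOC_PAIRS: set[tuple[str, int]] = {refang(v) for v in DEFANGED_IOCS}
IOC_IPS: set[str] = {ip for ip, _ in IOC_PAIRS}


def kql_ip_list() -> str:
    """Render the refanged IPs as the dynamic([...]) literal used in the queries above."""
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted(IOC_IPS)) + "])"


@dataclass(frozen=True)
class NetEvent:
    """One network flow, modelled on the columns the Sentinel queries project."""
    source_ip: str
    source_port: int
    destination_ip: str
    destination_port: int
    process: str  # constructed stand-in for InitiatingProcessFileName


def classify(event: NetEvent) -> str:
    """Tier a flow: 'ip_port' when remote IP and port both match a C2 endpoint,
    'ip_only' when the IP matches on another port, otherwise 'clean'."""
    endpoints = (
        (event.destination_ip, event.destination_port),  # outbound to C2
        (event.source_ip, event.source_port),            # inbound from C2
    )
    if any(pair in IOC_PAIRS for pair in endpoints):
        return "ip_port"
    if any(ip in IOC_IPS for ip, _ in endpoints):
        return "ip_only"
    return "clean"


def hunt(events: Iterable[NetEvent]) -> list[tuple[NetEvent, str]]:
    """Return every flow touching an IOC IP with its tier, exact ip:port hits first."""
    tiered = [(ev, classify(ev)) for ev in events]
    hits = [(ev, tier) for ev, tier in tiered if tier != "clean"]
    hits.sort(key=lambda item: 0 if item[1] == "ip_port" else 1)  # stable sort
    return hits


# Constructed sample flows; internal 10.0.0.0/8 hosts and process names are invented.
SAMPLE_EVENTS = [
    NetEvent("10.0.0.5", 49211, "107.151.246.172", 8084, "svchost.exe"),  # exact C2 endpoint
    NetEvent("10.0.0.7", 50102, "107.151.246.172", 443, "chrome.exe"),    # same host, other port
    NetEvent("195.154.43.205", 8080, "10.0.0.9", 51000, "sshd"),          # inbound from C2 pair
    NetEvent("10.0.0.9", 53122, "8.8.8.8", 53, "svchost.exe"),            # unrelated
]

if __name__ == "__main__":
    print(kql_ip_list())
    for ev, tier in hunt(SAMPLE_EVENTS):
        print(f"{tier:8} {ev.source_ip}:{ev.source_port} -> "
              f"{ev.destination_ip}:{ev.destination_port} ({ev.process})")
```

Running the script prints the `dynamic()` literal ready to paste into either query, followed by the three flows that touch an IOC IP, with the two exact ip:port matches listed before the IP-only match. In Sentinel the same tiering can be expressed by comparing `DestinationPort` or `RemotePort` against the port published with each IP rather than matching on the IP alone.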
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses vshell as part of a system maintenance routine, such as log rotation or backup.
Filter/Exclusion: Exclude processes initiated by the schtasks service or tasks with a known maintenance name (e.g., BackupTask, LogRotate).
Scenario: Admin User Performing Remote Management
Description: An admin uses vshell to remotely manage a server via SSH or similar protocol, which is part of standard administrative duties.
Filter/Exclusion: Exclude processes initiated by users with admin privileges (e.g., Administrator, root) or those using known admin tools (e.g., ssh, putty).
Scenario: Integration with Third-Party Monitoring Tools
Description: A monitoring tool like Nagios or Zabbix uses vshell to communicate with monitored systems, triggering the detection rule.
Filter/Exclusion: Exclude processes that originate from known monitoring tools or have connection patterns matching those of monitoring services (e.g., nagios, zabbix, 127.0.0.1).
Scenario: Automated Deployment via CI/CD Pipeline
Description: A CI/CD tool like Jenkins or GitLab CI uses vshell to deploy code or configuration files, which is part of the deployment process.
Filter/Exclusion: Exclude processes initiated by CI/CD agents or with known deployment-related command-line arguments (e.g., --deploy, --ci, --pipeline).
Scenario: Log Analysis Tool Using VShell for File Transfer
Description: A log analysis tool like ELK Stack or Splunk uses vshell to transfer logs between