The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage to the environment.
IOC Summary
Malware Family: VShell
Total IOCs: 6
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 120[.]24[.]144[.]243:16001 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 192[.]3[.]252[.]164:80 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 114[.]132[.]227[.]144:8084 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 134[.]175[.]250[.]157:18088 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 8[.]163[.]59[.]20:9999 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 118[.]107[.]219[.]184:8880 | botnet_cc | 2026-06-12 | 100% |
```kql
// Hunt for network connections to known malicious IPs in firewall/proxy logs.
// Source: ThreatFox - VShell (IPs from the IOC table above; the table also
// lists the C2 port for each IP, which DestinationPort can be checked against)
let malicious_ips = dynamic(["114.132.227.144", "192.3.252.164", "118.107.219.184", "8.163.59.20", "120.24.144.243", "134.175.250.157"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events.
// Run this as a separate query: it redeclares `malicious_ips`, so pasting it
// into the same query window as the CommonSecurityLog hunt fails with a
// duplicate-name error.
let malicious_ips = dynamic(["114.132.227.144", "192.3.252.164", "118.107.219.184", "8.163.59.20", "120.24.144.243", "134.175.250.157"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
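The IOC table lists each indicator as a defanged `ip:port` pair, while the hunts above match on IP alone. The following added example (not part of the original rule or ThreatFox) refangs the table's values, emits a KQL `datatable` so a hunt can match on IP and port together, and applies that tighter match to constructed sample `DeviceNetworkEvents` records; the record values, the `malicious_endpoints` name and the helper function names are assumptions for illustration.

```python
import re

# Constructed copy of the defanged ip:port IOCs from the table above.
RAW_IOCS = """
120[.]24[.]144[.]243:16001
192[.]3[.]252[.]164:80
114[.]132[.]227[.]144:8084
134[.]175[.]250[.]157:18088
8[.]163[.]59[.]20:9999
118[.]107[.]219[.]184:8880
"""

def refang(value: str) -> str:
    """Turn a defanged indicator ('1[.]2[.]3[.]4') back into a usable IP string."""
    return value.replace("[.]", ".")

def parse_ip_port(raw: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into (ip, port) tuples; blank or malformed lines are skipped."""
    pairs = set()
    for line in raw.splitlines():
        m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", refang(line.strip()))
        if m:
            pairs.add((m.group(1), int(m.group(2))))
    return pairs

def to_kql_let(pairs, name: str = "malicious_endpoints") -> str:
    """Emit a KQL datatable of ip/port rows so a hunt can join on both columns."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in sorted(pairs))
    return f"let {name} = datatable(RemoteIP:string, RemotePort:int)[{rows}];"

def match_events(events, pairs) -> list:
    """Return only the events whose (RemoteIP, RemotePort) is a listed C2 endpoint."""
    return [e for e in events if (e["RemoteIP"], e["RemotePort"]) in pairs]

# Constructed DeviceNetworkEvents-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "192.3.252.164", "RemotePort": 80, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws02", "RemoteIP": "192.3.252.164", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "8.163.59.20", "RemotePort": 9999, "InitiatingProcessFileName": "vshell"},
    {"DeviceName": "ws04", "RemoteIP": "10.0.0.5", "RemotePort": 9999, "InitiatingProcessFileName": "backup.exe"},
]

if __name__ == "__main__":
    iocs = parse_ip_port(RAW_IOCS)
    print(to_kql_let(iocs))
    for hit in match_events(SAMPLE_EVENTS, iocs):
        print("HIT", hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"], hit["InitiatingProcessFileName"])
```

The IP-only hunt on the page would flag ws02's port 443 connection as well; the port-aware match keeps it out, which is the trade-off to weigh when the same IP hosts unrelated services.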
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Backup Using VShell
Description: A scheduled backup job uses VShell to transfer files to a remote server.
Filter/Exclusion: Exclude traffic where the source IP is a known internal backup server and the destination is a known backup storage location.
Scenario: Admin Task Using VShell for File Transfer
Description: An administrator uses VShell to transfer configuration files between servers during routine maintenance.
Filter/Exclusion: Exclude traffic initiated by admin accounts (e.g., root, admin, or users in the sudo group) during known maintenance windows.
Scenario: VShell Used for Internal Monitoring Tool Communication
Description: A monitoring tool (e.g., Nagios, Zabbix) uses VShell to communicate with remote agents.
Filter/Exclusion: Exclude traffic where the source or destination is a known monitoring server or agent, and the process name matches the monitoring tool.
Scenario: VShell Used for Secure Remote Access
Description: A developer uses VShell to securely connect to a remote development environment.
Filter/Exclusion: Exclude traffic where the source IP is a known developer workstation and the destination is a known development server, with SSH-based authentication.
Scenario: VShell Used for Log Aggregation
Description: A log aggregation system (e.g., Splunk, ELK Stack) uses VShell to collect logs from remote hosts.
Filter/Exclusion: Exclude traffic where the source is a log collector server and the destination is a known log source, with known log collection processes.