The ThreatFox: VShell IOCs rule detects potential adversary activity linked to the VShell malware by matching network connections against known command-and-control indicators. The ThreatFox IOCs below are ip:port pairs only; no file hashes are published for this set, so the rule covers network traffic, not file executions. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain VShell infections before data exfiltration or further lateral compromise occurs.
IOC Summary
Malware Family: VShell
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 121[.]89[.]84[.]19:8084 | botnet_cc | 2026-06-24 | 100% |
| ip:port | 154[.]19[.]242[.]244:14001 | botnet_cc | 2026-06-24 | 100% |
| ip:port | 121[.]89[.]84[.]19:8080 | botnet_cc | 2026-06-24 | 100% |
```kusto
// Hunt for network connections to known VShell C2 servers
// Source: ThreatFox - VShell (IOC type ip:port)
let malicious_ips = dynamic(["121.89.84.19", "154.19.242.244"]);
// Exact ip:port pairs from the IOC list; an IP-only hit on another port is lower fidelity
let malicious_ipports = dynamic(["121.89.84.19:8084", "154.19.242.244:14001", "121.89.84.19:8080"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend ExactIocMatch = strcat(DestinationIP, ":", DestinationPort) in (malicious_ipports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ExactIocMatch, DeviceAction, Activity
| order by ExactIocMatch desc, TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events (same IOC list)
let malicious_ips = dynamic(["121.89.84.19", "154.19.242.244"]);
let malicious_ipports = dynamic(["121.89.84.19:8084", "154.19.242.244:14001", "121.89.84.19:8080"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend ExactIocMatch = strcat(RemoteIP, ":", RemotePort) in (malicious_ipports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ExactIocMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by ExactIocMatch desc, Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the Common Event Format (CEF) via AMA or Syslog data connector is enabled so firewall and proxy logs land in this table |
| DeviceNetworkEvents | Ensure the Microsoft Defender XDR data connector is enabled; this table is populated by Defender for Endpoint |
False Positive Scenarios
All three IOCs are botnet C2 addresses with 100% confidence, so a legitimate connection to one of them is rare. Scope any exclusion to a verified host and destination pair rather than to a process name or user name: the rule does not match on those fields, and an attacker controls both. Values in angle brackets are placeholders to be replaced with verified entries.

Scenario: Scheduled System Maintenance Task
Description: A scheduled task on a known host runs a maintenance script (log rotation, backup) that reaches one of the listed ip:port pairs, for example because the address has since been reassigned to a legitimate service.
Filter/Exclusion: After verifying the destination, exclude that host and destination only: not(DeviceName == "<maintenance-host>" and RemoteIP == "<verified-ip>"). Do not filter on process name: a condition such as process.name != "vshell" suppresses every event, because the VShell implant does not run under that file name, and process.parent.name == "schtasks.exe" would allowlist attacker persistence via scheduled tasks (tasks launched by the Task Scheduler service run under svchost.exe, not schtasks.exe, in any case).

Scenario: Admin Using VShell for Remote Management
Description: An administrator uses the VShell SSH server from VanDyke Software, a legitimate product that shares the name, for remote troubleshooting or configuration. The rule matches addresses, not product names, so this is only a hit if that SSH server sits at a listed ip:port.
Filter/Exclusion: Confirm the destination is the organization's own server, then exclude that RemoteIP and RemotePort pair. Do not exclude by account: user.name == "admin" hides exactly the compromised privileged account a VShell operator would use, and process.parent.name == "taskmgr.exe" has no relation to remote sessions.

Scenario: Automated Backup Job
Description: A backup tool (e.g., Veeam, Acronis) transfers data between servers on a schedule and one of the backup endpoints resolves to a listed IP.
Filter/Exclusion: not(InitiatingProcessFileName in ("veeam.exe", "acronis.exe") and RemoteIP == "<verified-backup-server>"), using the service binary names actually observed in the environment. Require both the process and the verified destination; a process name alone is trivially spoofed by renaming the implant.

Scenario: Network Monitoring or Analysis Tool
Description: Passive capture tools (Wireshark, tcpdump) only observe traffic and do not originate connections, so they will not trigger this rule by themselves. Realistic hits come from analyst workstations, sandboxes, or scanners actively probing the listed addresses to validate the IOC.
Filter/Exclusion: Exclude known analysis hosts by name or subnet after confirming the probing is sanctioned, e.g. not(DeviceName startswith "<analyst-host-prefix>"). A filter on process.name == "wireshark.exe" or "tcpdump.exe" says nothing about which process opened the connection.

Scenario: Development or Lab Environment
Description: A developer or researcher detonates the sample in an isolated lab, or a test harness for this rule generates traffic to a listed ip:port.
Filter/Exclusion: Exclude the isolated lab hosts only, e.g. not(DeviceName in ("<lab-host-1>", "<lab-host-2>")). An editor or debugger process name such as process.name == "vscode.exe" does not establish that the destination is benign.
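The exclusion approach described in the scenarios above, as a complete hunt query. This is an added example, not part of the original rule: it matches DeviceNetworkEvents on exact ip:port pairs from the IOC table, drops reviewed host/destination pairs through a leftanti join against an allowlist, and aggregates per host so each remaining hit arrives with the initiating processes. The allowlist row and its host name are assumed placeholders; the IOC values are the three ThreatFox entries.

```kusto
// Added example (not the original rule): exact ip:port matching with a reviewed allowlist.
// IOC values are the ThreatFox VShell entries; the allowlist row is an assumed placeholder.
let vshell_c2 = datatable(RemoteIP:string, RemotePort:int, ThreatType:string)
[
    "121.89.84.19",   8084,  "botnet_cc",
    "154.19.242.244", 14001, "botnet_cc",
    "121.89.84.19",   8080,  "botnet_cc"
];
// Verified legitimate host/destination pairs. Each row needs a documented reason;
// the host name below is a placeholder, not a real asset.
let allowlist = datatable(DeviceName:string, RemoteIP:string, RemotePort:int, Reason:string)
[
    "lab-sandbox-01", "121.89.84.19", 8084, "isolated malware analysis lab replaying the sample"
];
DeviceNetworkEvents
| where Timestamp > ago(30d)
// lookup keeps only events whose RemoteIP and RemotePort both match an IOC row
| lookup kind=inner vshell_c2 on RemoteIP, RemotePort
// leftanti drops events whose (host, ip, port) triple has been reviewed and allowlisted
| join kind=leftanti allowlist on DeviceName, RemoteIP, RemotePort
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, RemoteIP, RemotePort, ThreatType
| order by Connections desc
```

The same pattern applies to CommonSecurityLog by substituting DestinationIP and DestinationPort for RemoteIP and RemotePort and keying the allowlist on the source address instead of DeviceName. Keeping the allowlist as a datatable (or a watchlist) with a Reason column makes every suppression reviewable, which a bare process-name or user-name filter does not.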