The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage to the environment.
IOC Summary

Malware Family: VShell
Total IOCs: 9
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 64[.]118[.]131[.]36:8084 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 198[.]46[.]159[.]243:2086 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 192[.]227[.]212[.]57:8084 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 111[.]228[.]0[.]252:8084 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 139[.]84[.]242[.]161:888 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 217[.]194[.]133[.]112:11000 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 8[.]135[.]18[.]143:8084 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 42[.]51[.]37[.]74:8084 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 8[.]148[.]72[.]173:8090 | botnet_cc | 2026-05-25 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: the IOCs are ip:port pairs; this query matches on IP alone, so check
// DestinationPort against the table above when triaging a hit.
let malicious_ips = dynamic(["139.84.242.161", "64.118.131.36", "8.148.72.173", "111.228.0.252", "8.135.18.143", "198.46.159.243", "217.194.133.112", "192.227.212.57", "42.51.37.74"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["139.84.242.161", "64.118.131.36", "8.148.72.173", "111.228.0.252", "8.135.18.143", "198.46.159.243", "217.194.133.112", "192.227.212.57", "42.51.37.74"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
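The queries above match on IP alone even though every IOC in the table is an ip:port pair. As an added example (not part of the original rule or of ThreatFox), the helper below refangs the table values, validates them, and emits a port-aware KQL variant that joins a `datatable` of C2 pairs against the chosen table; the table and column names passed in are assumptions matching the two queries above.

```python
import re

# IOC values constructed from the table above (defanged "a[.]b[.]c[.]d:port").
DEFANGED_IOCS = [
    "64[.]118[.]131[.]36:8084", "198[.]46[.]159[.]243:2086",
    "192[.]227[.]212[.]57:8084", "111[.]228[.]0[.]252:8084",
    "139[.]84[.]242[.]161:888", "217[.]194[.]133[.]112:11000",
    "8[.]135[.]18[.]143:8084", "42[.]51[.]37[.]74:8084",
    "8[.]148[.]72[.]173:8090",
]

IPV4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def refang(ioc: str) -> str:
    """Undo common defanging styles so the value matches real log data."""
    return ioc.strip().replace("[.]", ".").replace("(.)", ".")


def parse_ioc(ioc: str) -> tuple[str, int]:
    """Return (ip, port) for an ip:port IOC; reject anything malformed."""
    m = IPV4_PORT.match(refang(ioc))
    if m is None:
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ip, port = m.group(1), int(m.group(2))
    if any(int(o) > 255 for o in ip.split(".")) or not 0 < port < 65536:
        raise ValueError(f"out-of-range address or port: {ioc!r}")
    return ip, port


def build_hunt_query(iocs, table, ip_col, port_col, time_col) -> str:
    """Emit KQL that matches the full ip:port pair via a datatable join."""
    pairs = sorted({parse_ioc(i) for i in iocs})  # de-duplicate, stable order
    rows = ",\n    ".join(f'"{ip}", {port}' for ip, port in pairs)
    return (
        "let vshell_c2 = datatable(c2_ip:string, c2_port:int) [\n"
        f"    {rows}\n];\n"
        f"{table}\n"
        f"| join kind=inner vshell_c2 on $left.{ip_col} == $right.c2_ip\n"
        f"| where toint({port_col}) == c2_port\n"
        "| project-away c2_ip, c2_port\n"
        f"| order by {time_col} desc"
    )


if __name__ == "__main__":
    # Assumed column names follow the CommonSecurityLog query above.
    print(build_hunt_query(DEFANGED_IOCS, "CommonSecurityLog",
                           "DestinationIP", "DestinationPort", "TimeGenerated"))
```

Swap in `DeviceNetworkEvents`, `RemoteIP`, `RemotePort` and `Timestamp` to produce the Defender for Endpoint variant.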
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that connects to a remote server using ssh or scp as part of routine system maintenance.
Filter/Exclusion: Exclude connections to known internal servers using destination_ip IN (list_of_internal_servers) or process_name = "ssh" AND destination_ip IN (internal_network_range).
Scenario: Admin Task Using VShell for File Transfer
Description: An administrator uses VShell to transfer configuration files between servers during a routine configuration update.
Filter/Exclusion: Exclude file transfers involving known admin tools like scp, rsync, or sftp with process_name = "scp" and source_file_path LIKE '/etc/%'.
Scenario: Automated Backup Job Using VShell
Description: A backup job uses VShell to copy data from a database server to a backup server.
Filter/Exclusion: Exclude VShell connections where the source is a known database server and the destination is a backup server, using source_ip IN (database_servers) AND destination_ip IN (backup_servers).
Scenario: Remote Desktop Session Using VShell
Description: A user connects to a remote desktop server using VShell for remote access.
Filter/Exclusion: Exclude connections where the process is rdesktop or xrdp and the destination is a known remote desktop server, using process_name IN ("rdesktop", "xrdp") AND destination_ip IN (rdp_servers).
Scenario: Log Collection Using VShell
Description: A log aggregation tool uses VShell to collect logs from multiple servers.
Filter/Exclusion: Exclude connections from log collection agents using process_name = "logagent" or process_name = "syslog-ng