The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, leveraging known indicators of compromise to identify malicious network traffic and file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that may be exfiltrating data or establishing command and control channels.
IOC Summary
Malware Family: VShell
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 47[.]94[.]166[.]205:8083 | botnet_cc | 2026-06-26 | 100% |
| ip:port | 192[.]144[.]167[.]96:28891 | botnet_cc | 2026-06-26 | 100% |
| ip:port | 103[.]208[.]87[.]59:8080 | botnet_cc | 2026-06-26 | 100% |
| ip:port | 156[.]239[.]238[.]145:8084 | botnet_cc | 2026-06-26 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: the indicators are ip:port pairs; this query matches on IP alone,
// so a hit on a different port is still surfaced for analyst review.
let malicious_ips = dynamic(["192.144.167.96", "103.208.87.59", "47.94.166.205", "156.239.238.145"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell (same IP list as above; RemotePort is projected
// so the analyst can compare it with the port in the IOC table)
let malicious_ips = dynamic(["192.144.167.96", "103.208.87.59", "47.94.166.205", "156.239.238.145"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses vshell as part of a system maintenance routine (e.g., log rotation or backup).
Filter/Exclusion: Exclude processes initiated by the Windows Task Scheduler with a known maintenance task name (e.g., BackupTask or LogRotation).
Scenario: Admin Using VShell for Remote Management
Description: A system administrator uses VShell to securely connect to a remote server for troubleshooting or configuration changes.
Filter/Exclusion: Exclude connections originating from known admin IP ranges or user accounts with elevated privileges (e.g., admin, root, or svc_account).
Scenario: Automated Deployment Tool Integration
Description: A CI/CD tool (e.g., Jenkins, GitLab CI) uses VShell as part of its deployment pipeline to transfer files securely between servers.
Filter/Exclusion: Exclude processes initiated by known CI/CD agents or with command-line arguments matching deployment scripts (e.g., deploy.sh or build_pipeline).
Scenario: Log Analysis Tool Using VShell for Data Transfer
Description: A log analysis tool (e.g., Splunk, ELK Stack) uses VShell to transfer log files between servers for centralized logging and analysis.
Filter/Exclusion: Exclude processes associated with log aggregation tools or with file paths matching known log directories (e.g., /var/log/, /opt/logs/).
Scenario: Database Backup Using VShell
Description: A database backup process (e.g., using mysqldump, pg_dump) uses VShell to transfer backup files to a secure storage location.
Filter/Exclusion: Exclude processes that include database backup commands or file paths that match standard backup directories (e.g., `/backup
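The hunting queries above match on IP only, and the false-positive scenarios describe exclusions by source. The following added Python example (not part of the ThreatFox rule page) refangs the four ip:port indicators from the IOC table, matches constructed network records port-aware, and flags rather than drops hits from an assumed admin network range (the 10.0.9.0/24 range and all sample records are constructed for illustration).

```python
import re
from ipaddress import ip_address, ip_network

# The four defanged indicators exactly as listed in the IOC table above.
DEFANGED_IOCS = [
    "47[.]94[.]166[.]205:8083",
    "192[.]144[.]167[.]96:28891",
    "103[.]208[.]87[.]59:8080",
    "156[.]239[.]238[.]145:8084",
]

def refang(ioc: str) -> tuple:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into (ip, port)."""
    if not re.fullmatch(r"[0-9\[\].]+:\d+", ioc):
        raise ValueError(f"unexpected indicator format: {ioc}")
    ip, port = ioc.replace("[.]", ".").rsplit(":", 1)
    ip_address(ip)  # raises ValueError on a malformed address
    return ip, int(port)

IOC_PAIRS = {refang(i) for i in DEFANGED_IOCS}   # exact ip:port matches
IOC_IPS = {ip for ip, _ in IOC_PAIRS}             # looser IP-only matches

def classify(src_ip, dst_ip, dst_port, admin_nets=()):
    """Return (verdict, suppressed). A C2 hit from an admin range is kept
    but marked suppressed, so tuning never hides the indicator match."""
    suppressed = any(ip_address(src_ip) in ip_network(n) for n in admin_nets)
    if (dst_ip, int(dst_port)) in IOC_PAIRS:
        return "match-ip-port", suppressed
    if dst_ip in IOC_IPS:
        return "match-ip-only", suppressed
    return "none", False

# Constructed sample records (src_ip, dst_ip, dst_port); not real log data.
SAMPLE = [
    ("10.0.0.5", "47.94.166.205", 8083),   # exact ip:port hit
    ("10.0.0.5", "47.94.166.205", 443),    # same IP, different port
    ("10.0.9.9", "103.208.87.59", 8080),   # hit from the assumed admin range
    ("10.0.0.7", "8.8.8.8", 53),           # unrelated traffic
]

def hunt(records, admin_nets=("10.0.9.0/24",)):
    """Classify every record; callers decide what to do with suppressed hits."""
    return [(r, classify(*r, admin_nets=admin_nets)) for r in records]

if __name__ == "__main__":
    for rec, (verdict, sup) in hunt(SAMPLE):
        print(rec, verdict, "(suppressed: admin source)" if sup else "")
```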