The ThreatFox: XWorm IOCs rule detects network connections and DNS queries to command-and-control infrastructure that ThreatFox attributes to XWorm, a remote access trojan that gives an operator persistent control of an infected host and a foothold for moving further into the network. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to find infected hosts before the operator uses them for follow-on activity. The IOC values in the table are defanged with [.] and must be refanged before they are pasted into a query; the ip:port entries carry the C2 port, which the queries below do not filter on.
IOC Summary

Malware Family: XWorm
Total IOCs: 5
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | ayidhh-48261.portmap.host | botnet_cc | 2026-03-19 | 100% |
| domain | aliowiasidaids-62178.portmap.host | botnet_cc | 2026-03-19 | 100% |
| domain | sex4fun.duckdns.org | botnet_cc | 2026-03-19 | 100% |
| ip:port | 41[.]45[.]156[.]241:5505 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 154[.]219[.]104[.]140:7007 | botnet_cc | 2026-03-18 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XWorm
// Note: the feed lists ip:port pairs (5505 and 7007); matching on the IP alone is broader,
// so add a DestinationPort filter if the hit volume needs tightening
let malicious_ips = dynamic(["154.219.104.140", "41.45.156.241"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XWorm
// InitiatingProcessFileName identifies the process that made the connection,
// which is what distinguishes a RAT beacon from an analyst's connectivity test
let malicious_ips = dynamic(["154.219.104.140", "41.45.156.241"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XWorm
// has_any also matches subdomains of the listed names (e.g. a host under sex4fun.duckdns.org)
let malicious_domains = dynamic(["ayidhh-48261.portmap.host", "aliowiasidaids-62178.portmap.host", "sex4fun.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled; populated by the CEF (firewall/proxy) connector |
| DeviceNetworkEvents | Ensure this data connector is enabled; populated by the Microsoft Defender XDR connector |
| DnsEvents | Ensure this data connector is enabled; populated by the Windows DNS Server connector |
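As an added example (not part of the original rule, of ThreatFox, or of Sentinel), the following Python script parses the defanged table above, renders the KQL `let` lists used by the hunts, and runs equivalent matching over constructed CommonSecurityLog- and DnsEvents-style records. It shows the two semantics the KQL leaves implicit: IP-only matching versus ip:port matching, and exact-domain versus subdomain matching. The record fields, hostnames and internal addresses are constructed for illustration.

```python
"""Added example, not from the original rule: parse a defanged ThreatFox-style
IOC table, refang it, render the KQL `let` lists used in the hunts above, and
run equivalent matching over constructed log records so the match semantics
(IP-only vs ip:port, exact domain vs subdomain) can be checked offline."""
import ipaddress
import json

# The five XWorm IOCs from the table, copied in their defanged form.
THREATFOX_ROWS = [
    ("domain", "ayidhh-48261.portmap.host", "botnet_cc"),
    ("domain", "aliowiasidaids-62178.portmap.host", "botnet_cc"),
    ("domain", "sex4fun.duckdns.org", "botnet_cc"),
    ("ip:port", "41[.]45[.]156[.]241:5505", "botnet_cc"),
    ("ip:port", "154[.]219[.]104[.]140:7007", "botnet_cc"),
]

# Constructed sample telemetry (not real logs): CommonSecurityLog-style rows.
NETWORK_RECORDS = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "154.219.104.140", "DestinationPort": 7007},
    {"SourceIP": "10.0.0.9", "DestinationIP": "41.45.156.241", "DestinationPort": 443},
    {"SourceIP": "10.0.0.7", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]
# Constructed DnsEvents-style rows; ws02 queries a subdomain of an IOC.
DNS_RECORDS = [
    {"Computer": "ws01", "Name": "sex4fun.duckdns.org"},
    {"Computer": "ws02", "Name": "api.sex4fun.duckdns.org"},
    {"Computer": "ws03", "Name": "www.duckdns.org"},
]


def refang(value: str) -> str:
    """Undo common defanging used in IOC feeds: 41[.]45 -> 41.45, hxxp -> http."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_iocs(rows):
    """Group IOCs by type; ip:port rows also contribute a bare IP for broad hunts."""
    iocs = {"ip_port": set(), "ip": set(), "domain": set()}
    for ioc_type, raw, _threat_type in rows:
        value = refang(raw).strip().lower()
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            ipaddress.ip_address(ip)  # raises ValueError on a malformed address
            iocs["ip_port"].add((ip, int(port)))
            iocs["ip"].add(ip)
        elif ioc_type == "domain":
            iocs["domain"].add(value.rstrip("."))
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return iocs


def kql_let(name, values):
    """Render a `let name = dynamic([...]);` line like the ones in the hunts above."""
    return f"let {name} = dynamic({json.dumps(sorted(values))});"


def domain_matches(name, domains):
    """Exact IOC domain or any subdomain of it, the intent behind `Name has_any (...)`."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def hunt_network(records, iocs, require_port=False):
    """IP-only matching (as in the KQL above) or ip:port matching for higher precision."""
    hits = []
    for rec in records:
        if require_port:
            if (rec["DestinationIP"], int(rec["DestinationPort"])) in iocs["ip_port"]:
                hits.append(rec)
        elif rec["DestinationIP"] in iocs["ip"] or rec["SourceIP"] in iocs["ip"]:
            hits.append(rec)
    return hits


def hunt_dns(records, iocs):
    """Return DNS records whose queried name is an IOC domain or a subdomain of one."""
    return [rec for rec in records if domain_matches(rec["Name"], iocs["domain"])]


if __name__ == "__main__":
    iocs = parse_iocs(THREATFOX_ROWS)
    print(kql_let("malicious_ips", iocs["ip"]))
    print(kql_let("malicious_domains", iocs["domain"]))
    print("IP-only hits:", len(hunt_network(NETWORK_RECORDS, iocs)))
    print("ip:port hits:", len(hunt_network(NETWORK_RECORDS, iocs, require_port=True)))
    print("DNS hits:", [r["Computer"] for r in hunt_dns(DNS_RECORDS, iocs)])
```

Run it as-is; the two `let` lines it prints are byte-for-byte the ones in the hunts above, so the script doubles as a typo-free way to regenerate the lists when the feed changes. The constructed 443 connection to 41.45.156.241 is the case to notice: it is a hit for the IP-only query but not for ip:port matching, which is exactly the precision trade-off the port note in the first hunt refers to.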
Scenario: Scheduled System Maintenance Job
Description: A scheduled job (cron, systemd timer or Windows scheduled task) that refreshes threat-intelligence feeds or performs reputation lookups resolves or connects to the listed domains and addresses as part of its normal run, producing DnsEvents or CommonSecurityLog matches from the host that runs it.
Filter/Exclusion: Exclude the specific host and service account that run the job rather than the job name alone; confirm the match came from that job's process (InitiatingProcessFileName in DeviceNetworkEvents) and review the exclusion whenever the job changes.
Scenario: Admin Verification with nslookup, ping or curl
Description: An analyst or administrator resolves or probes an IOC by hand while triaging the alert (for example an nslookup of sex4fun.duckdns.org or a connection test to 154.219.104.140:7007), generating a second match from the analyst's workstation.
Filter/Exclusion: Exclude DNS queries and connections from the designated analysis hosts or jump boxes, and only when the initiating process is a lookup or diagnostic tool; the same match from an ordinary user workstation is not a false positive.
Scenario: Log Analysis Tool Parsing Logs
Description: A log pipeline (rsyslog, Logstash, a Splunk forwarder) or a ticketing integration forwards alert text or the ThreatFox feed itself into a table the hunt searches, so the IOC strings appear in message fields without any real connection having occurred.
Filter/Exclusion: Match on the structured fields used above (DestinationIP, RemoteIP, Name) rather than free-text message columns, and exclude the log collectors and feed processors as source hosts.
Scenario: Automated Security Scan Tool
Description: A vulnerability scanner, sandbox or URL-detonation service (nmap, Nessus, OpenVAS, a malware sandbox) resolves or connects to the IOCs while validating the threat, producing matches from the scanning infrastructure.
Filter/Exclusion: Exclude the scanner and sandbox subnets or DeviceName values by allowlist; do not exclude by process name alone, since a compromised host can run nmap too.
**Scenario: Backup or Archive Job Using tar or `