The ThreatFox: XWorm IOCs rule detects potential adversary activity associated with the XWorm malware, leveraging known indicators of compromise to identify suspicious network or system behavior. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate advanced persistent threats that may be leveraging XWorm for lateral movement or data exfiltration.
IOC Summary
Malware Family: XWorm
Total IOCs: 9
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 84[.]38[.]129[.]122:443 | botnet_cc | 2026-06-08 | 75% |
| ip:port | 87[.]120[.]107[.]29:1194 | botnet_cc | 2026-06-08 | 75% |
| ip:port | 31[.]56[.]209[.]126:1996 | botnet_cc | 2026-06-08 | 75% |
| ip:port | 216[.]250[.]250[.]247:8086 | botnet_cc | 2026-06-08 | 75% |
| ip:port | 151[.]244[.]232[.]26:443 | botnet_cc | 2026-06-08 | 75% |
| ip:port | 107[.]172[.]13[.]245:7007 | botnet_cc | 2026-06-08 | 75% |
| ip:port | 31[.]56[.]209[.]92:443 | botnet_cc | 2026-06-08 | 75% |
| ip:port | 104[.]168[.]7[.]219:8823 | botnet_cc | 2026-06-08 | 75% |
| domain | frBvNnnFYR6XR622pBE0NQ== | botnet_cc | 2026-06-08 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XWorm
// Note: ThreatFox lists each C2 as ip:port; this query matches on the IP alone, in either direction.
let malicious_ips = dynamic(["151.244.232.26", "104.168.7.219", "87.120.107.29", "31.56.209.92", "216.250.250.247", "31.56.209.126", "84.38.129.122", "107.172.13.245"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XWorm
let malicious_ips = dynamic(["151.244.232.26", "104.168.7.219", "87.120.107.29", "31.56.209.92", "216.250.250.247", "31.56.209.126", "84.38.129.122", "107.172.13.245"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XWorm
let malicious_domains = dynamic(["frBvNnnFYR6XR622pBE0NQ=="]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
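The queries above match on IP alone, while every ThreatFox entry in the table carries a port as well, and the single "domain" entry is not a valid DNS name and so cannot match `DnsEvents.Name`. The following Python script is an added example (not ThreatFox tooling and not the page's own queries) that refangs the page's IOC rows, splits them into `(ip, port)` pairs, flags entries that cannot be hunted as given, renders the `dynamic([...])` literal for a `let` statement, and hunts a handful of constructed connection records both with and without port matching. The record fields are modelled on `CommonSecurityLog` but the records themselves are made up.

```python
"""Parse the page's ThreatFox XWorm IOC rows, render them for KQL, and hunt
sample connection records with and without port matching.

Added example, not ThreatFox tooling and not the page's own queries. The
connection records below are constructed to mimic CommonSecurityLog fields.
"""
import re
from dataclasses import dataclass

# IOC rows exactly as the page lists them (defanged with "[.]").
IOC_ROWS = [
    ("ip:port", "84[.]38[.]129[.]122:443"),
    ("ip:port", "87[.]120[.]107[.]29:1194"),
    ("ip:port", "31[.]56[.]209[.]126:1996"),
    ("ip:port", "216[.]250[.]250[.]247:8086"),
    ("ip:port", "151[.]244[.]232[.]26:443"),
    ("ip:port", "107[.]172[.]13[.]245:7007"),
    ("ip:port", "31[.]56[.]209[.]92:443"),
    ("ip:port", "104[.]168[.]7[.]219:8823"),
    ("domain", "frBvNnnFYR6XR622pBE0NQ=="),
]

# RFC 1123 style hostname: labels of letters/digits/hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def refang(value: str) -> str:
    """Undo the usual defanging so the value can be compared with raw logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(rows):
    """Split rows into (ip, port) pairs, DNS-valid domains, and rows that
    cannot be hunted as given."""
    ip_ports, domains, skipped = set(), set(), []
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            ip_ports.add((ip, int(port)))
        elif ioc_type == "domain" and HOSTNAME_RE.match(value):
            domains.add(value.lower())
        else:
            # A value containing "=" or other non-hostname characters will
            # never appear in DnsEvents.Name, so hold it for manual review.
            skipped.append((ioc_type, value))
    return ip_ports, domains, skipped


def kql_dynamic(values) -> str:
    """Render a KQL dynamic([...]) literal for use in a `let` statement."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


@dataclass
class Conn:
    time: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str


# Constructed records: the first and last fire under both modes, the second
# only when the port is ignored, the third never.
SAMPLE_CONNS = [
    Conn("2026-06-08T10:00:00Z", "10.0.0.5", "84.38.129.122", 443, "allow"),
    Conn("2026-06-08T10:01:00Z", "10.0.0.5", "84.38.129.122", 80, "allow"),
    Conn("2026-06-08T10:02:00Z", "10.0.0.7", "142.250.72.46", 443, "allow"),
    Conn("2026-06-08T10:03:00Z", "10.0.0.9", "31.56.209.92", 443, "deny"),
]


def hunt(conns, ip_ports, port_aware=True):
    """Return (record, reason) for every record touching an IOC.

    port_aware=True requires destination ip AND port to match the ThreatFox
    entry; False reproduces the page's KQL, which matches on IP alone in
    either direction."""
    ips = {ip for ip, _ in ip_ports}
    hits = []
    for c in conns:
        if port_aware and (c.dst_ip, c.dst_port) in ip_ports:
            hits.append((c, f"dst {c.dst_ip}:{c.dst_port} is an XWorm C2 entry"))
        elif not port_aware and (c.dst_ip in ips or c.src_ip in ips):
            hits.append((c, "ip matches XWorm list (port not checked)"))
    return hits


if __name__ == "__main__":
    ip_ports, domains, skipped = parse_iocs(IOC_ROWS)
    print("let malicious_ips =", kql_dynamic(ip for ip, _ in ip_ports) + ";")
    print("let malicious_ip_ports =",
          kql_dynamic(f"{ip}:{port}" for ip, port in ip_ports) + ";")
    print("skipped:", skipped)
    for c, why in hunt(SAMPLE_CONNS, ip_ports, port_aware=True):
        print(c.time, c.action, why)
```

The `malicious_ip_ports` literal pairs with a port-aware filter such as `| where strcat(DestinationIP, ":", tostring(DestinationPort)) in (malicious_ip_ports)`, which avoids alerting on unrelated traffic to a host that serves many tenants on other ports; records the firewall already denied (the fourth sample) still deserve triage because they show an endpoint attempting to reach the C2.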
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Integrity Check Using sfc /scannow
Description: The System File Checker tool is run as part of routine system maintenance.
Filter/Exclusion: Exclude processes where the command line includes sfc /scannow or sfc /scannow /offbootdir
Scenario: Legitimate Use of PowerShell for Configuration Management
Description: A PowerShell script is used to configure system settings or deploy updates.
Filter/Exclusion: Exclude processes where the executable path contains powershell.exe and the script path is within known enterprise management directories (e.g., C:\Windows\System32\ or C:\Program Files\)
Scenario: Admin Task Using taskkill to Terminate Malicious Processes
Description: An administrator manually terminates a process using taskkill as part of incident response.
Filter/Exclusion: Exclude processes where the command line includes taskkill /im and the target process is known to be a legitimate admin tool (e.g., svchost.exe, explorer.exe)
Scenario: Use of certutil for Certificate Management
Description: The certutil command is used to manage or import digital certificates.
Filter/Exclusion: Exclude processes where the command line includes certutil -addstore or certutil -viewstore and the certificate store is a known enterprise store (e.g., Root, TrustedPublisher)
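The four scenarios above each describe an exclusion as a command-line string plus a qualifying condition (script location, kill target, certificate store). The script below is an added example, not the page's own detection logic, that encodes those four rules and runs them over constructed process-creation events; the field names `image`, `cmdline` and `script_path` are assumptions standing in for whatever the process table exposes. Beyond the page's wording, the sfc and PowerShell rules are also anchored on the image name so that the exclusion applies only to the tool itself, not to any process whose arguments happen to contain the string.

```python
"""Encode the page's four complete tuning scenarios as exclusion rules and
run them over constructed process-creation events.

Added example, not the page's own logic. Field names (image, cmdline,
script_path) are assumptions for whatever the process table exposes.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str             # full path of the launched executable
    cmdline: str
    script_path: str = ""  # script handed to powershell.exe, if any (assumed field)


ENTERPRISE_SCRIPT_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
KNOWN_CERT_STORES = {"root", "trustedpublisher"}
ADMIN_TASKKILL_TARGETS = {"svchost.exe", "explorer.exe"}


def exclusion_for(ev: ProcEvent):
    """Return the name of the first matching scenario, or None if the event
    should still be alerted on."""
    image = ev.image.lower()
    cmd = ev.cmdline.lower()

    # Scenario: scheduled integrity check. The page keys on "sfc /scannow";
    # anchoring on the image name as well keeps a different process that
    # merely carries that text in its arguments from being excluded.
    if image.endswith("\\sfc.exe") and "sfc /scannow" in cmd:
        return "sfc_integrity_check"

    # Scenario: PowerShell configuration management from enterprise paths.
    if image.endswith("\\powershell.exe") and ev.script_path:
        if ev.script_path.lower().startswith(ENTERPRISE_SCRIPT_DIRS):
            return "powershell_config_management"

    # Scenario: admin taskkill against a known target process.
    m = re.search(r'taskkill\s+(?:/f\s+)?/im\s+"?([^\s"]+)', cmd)
    if m and m.group(1) in ADMIN_TASKKILL_TARGETS:
        return "admin_taskkill"

    # Scenario: certutil store management limited to enterprise stores.
    m = re.search(r'certutil\s+-(?:addstore|viewstore)\s+(?:-f\s+)?"?([^\s"]+)', cmd)
    if m and m.group(1) in KNOWN_CERT_STORES:
        return "certutil_store_management"

    return None


# Constructed events: four should be excluded, three should still alert.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\sfc.exe", "sfc /scannow"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -File "C:\Program Files\Contoso\deploy.ps1"',
              script_path=r"C:\Program Files\Contoso\deploy.ps1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -File "C:\Users\bob\AppData\Local\Temp\run.ps1"',
              script_path=r"C:\Users\bob\AppData\Local\Temp\run.ps1"),
    ProcEvent(r"C:\Windows\System32\taskkill.exe", "taskkill /f /im explorer.exe"),
    ProcEvent(r"C:\Windows\System32\taskkill.exe", "taskkill /f /im backupagent.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil -addstore Root C:\certs\corp-ca.cer"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil -addstore Contoso C:\certs\corp-ca.cer"),  # unknown store
]


def triage(events):
    """Split events into (excluded, to_alert) lists of (event, scenario)."""
    excluded, to_alert = [], []
    for ev in events:
        reason = exclusion_for(ev)
        (excluded if reason else to_alert).append((ev, reason))
    return excluded, to_alert


if __name__ == "__main__":
    excluded, to_alert = triage(SAMPLE_EVENTS)
    for ev, reason in excluded:
        print("excluded:", reason, "|", ev.cmdline)
    for ev, _ in to_alert:
        print("ALERT   :", ev.cmdline)
```

Each rule extracts the qualifying value (kill target, store name, script path) and compares it against an allow-list rather than testing only for the presence of a substring, which is what keeps `certutil -addstore Contoso` and a script under a user's Temp directory in the alert queue while the sanctioned cases drop out.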
Scenario: Legitimate Use of msiexec for Software Deployment
Description: A software deployment tool uses msiexec to install or update enterprise applications.
Filter/Exclusion: Exclude processes where the command line includes msiexec /i and the MSI file