The ThreatFox: XWorm IOCs rule detects potential adversary activity associated with the XWorm remote access trojan by matching network telemetry against indicators of compromise published on abuse.ch ThreatFox: one command-and-control domain and two C2 ip:port pairs, all tagged botnet_cc at 75% confidence. SOC teams should proactively hunt for these indicators in Azure Sentinel (now Microsoft Sentinel) across firewall, endpoint and DNS logs, since a connection to a known C2 endpoint usually means a host is already compromised and needs containment rather than further triage.
IOC Summary
Malware Family: XWorm
Total IOCs: 3
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | ogonna.ydns.eu | botnet_cc | 2026-06-11 | 75% |
| ip:port | 94[.]154[.]32[.]163:7004 | botnet_cc | 2026-06-11 | 75% |
| ip:port | 45[.]88[.]91[.]5:7004 | botnet_cc | 2026-06-11 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XWorm (botnet_cc; the listed C2 port for both IPs is 7004)
// Values are refanged here; the table above shows them defanged with [.]
let malicious_ips = dynamic(["94.154.32.163", "45.88.91.5"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// Match on the IP alone: C2 ports change more often than the host, so
// DestinationPort is projected for review rather than filtered on.
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// RemotePort separates a hit on the ThreatFox port (7004) from other traffic to
// the same host; InitiatingProcessFileName identifies the beaconing process.
let malicious_ips = dynamic(["94.154.32.163", "45.88.91.5"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XWorm
// has_any matches whole terms, so the exact hostname and subdomains such as
// host.ogonna.ydns.eu are both returned; use in~ for an exact-only match.
let malicious_domains = dynamic(["ogonna.ydns.eu"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
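The three hunts above share the same matching logic: refang the ThreatFox values, compare IPs exactly, and match the domain as an exact hostname or a subdomain. The following Python is an added example, not code from the page or from ThreatFox, that reproduces that logic offline so it can be tested before it is turned into an analytics rule. The log records in it are constructed for illustration; the indicator values are the ones from the table above, and `hunt`, `IocSet` and the record layout are this example's own assumptions, not a Sentinel API.

```python
"""Offline check of the ThreatFox XWorm IOCs against sample log records.

Added example (not part of the original page). It mirrors the KQL hunts
above: IPs are matched exactly (any port), ip:port pairs are tracked for a
stricter match, and the domain is matched as hostname-or-subdomain.
"""
import ipaddress
import re
from dataclasses import dataclass

# IOCs copied from the table above, in their defanged form.
THREATFOX_XWORM_IOCS = [
    ("domain", "ogonna.ydns.eu"),
    ("ip:port", "94[.]154[.]32[.]163:7004"),
    ("ip:port", "45[.]88[.]91[.]5:7004"),
]


def refang(value: str) -> str:
    """Undo common defanging: 94[.]154[.]32[.]163 -> 94.154.32.163, hxxp -> http."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value).replace("hxxp", "http")


@dataclass(frozen=True)
class IocSet:
    domains: frozenset
    ips: frozenset        # bare IPs: matches any port, like the KQL above
    ip_ports: frozenset   # (ip, port) pairs for the stricter ip:port match


def build_ioc_set(iocs) -> IocSet:
    """Normalise the ThreatFox rows into lookup sets; rejects malformed IPs."""
    domains, ips, ip_ports = set(), set(), set()
    for ioc_type, raw in iocs:
        value = refang(raw)
        if ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
        elif ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            ipaddress.ip_address(ip)  # raises ValueError on a bad indicator
            ips.add(ip)
            ip_ports.add((ip, int(port)))
        else:
            raise ValueError(f"unsupported IOC type {ioc_type!r}")
    return IocSet(frozenset(domains), frozenset(ips), frozenset(ip_ports))


def domain_matches(name: str, domains) -> bool:
    """Exact or subdomain match; a plain substring test would also hit
    unrelated names such as notogonna.ydns.eu."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def hunt(records, ioc_set: IocSet):
    """Return (record, reason) for every record that touches an indicator.

    Records are dicts keyed like the projected Sentinel columns (assumed layout):
      kind='cef': SourceIP, DestinationIP, DestinationPort   (CommonSecurityLog)
      kind='edr': RemoteIP, RemotePort, InitiatingProcessFileName (DeviceNetworkEvents)
      kind='dns': Name                                        (DnsEvents)
    """
    hits = []
    for r in records:
        if r["kind"] == "cef":
            for field in ("SourceIP", "DestinationIP"):
                if r.get(field) in ioc_set.ips:
                    hits.append((r, f"{field} in XWorm C2 list"))
        elif r["kind"] == "edr":
            if r.get("RemoteIP") in ioc_set.ips:
                strict = (r["RemoteIP"], r.get("RemotePort")) in ioc_set.ip_ports
                hits.append((r, "RemoteIP:RemotePort matches" if strict
                             else "RemoteIP matches (port differs)"))
        elif r["kind"] == "dns":
            if domain_matches(r.get("Name", ""), ioc_set.domains):
                hits.append((r, "DNS query for XWorm C2 domain"))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"kind": "cef", "SourceIP": "10.0.0.5", "DestinationIP": "94.154.32.163", "DestinationPort": 7004},
    {"kind": "cef", "SourceIP": "10.0.0.6", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
    {"kind": "edr", "RemoteIP": "45.88.91.5", "RemotePort": 443, "InitiatingProcessFileName": "sample.exe"},
    {"kind": "dns", "Name": "ogonna.ydns.eu"},
    {"kind": "dns", "Name": "update.ogonna.ydns.eu."},
    {"kind": "dns", "Name": "notogonna.ydns.eu"},
]

if __name__ == "__main__":
    for rec, why in hunt(SAMPLE_RECORDS, build_ioc_set(THREATFOX_XWORM_IOCS)):
        print(why, rec)
```

Running it over the sample records returns four hits: the CEF connection to 94.154.32.163, the endpoint connection to 45.88.91.5 (flagged as a port mismatch because it used 443 rather than 7004), and the two DNS queries for the domain and its subdomain; `notogonna.ydns.eu` is correctly ignored. The port-mismatch label is the point a practitioner should keep in mind when deciding whether to tighten the KQL to the ip:port pair.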
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF data connector is enabled so firewall and proxy logs are ingested |
| DeviceNetworkEvents | Ensure the Microsoft Defender XDR data connector is enabled (Defender for Endpoint device events) |
| DnsEvents | Ensure the Windows DNS data connector is enabled; without DNS server logging the domain hunt returns nothing |
Because this rule matches on known C2 infrastructure rather than on behaviour, genuine false positives are rare. Any exclusion should be scoped to the process and host that generated the match, never to the indicator itself, and should be reviewed regularly, since XWorm commonly runs under injected or renamed legitimate processes.

Scenario: Scheduled System Integrity Verification Using sfc /scannow
Description: The System File Checker (sfc) tool is run as part of routine system maintenance to verify the integrity of system files.
Filter/Exclusion: Exclude matches where the initiating process command line includes sfc /scannow or the process is launched by Task Scheduler with a known maintenance task name.

Scenario: Admin Task: PowerShell Script for Log Cleanup
Description: An administrator runs a PowerShell script to clean up old log files, which may involve file system or network operations that resemble malicious activity.
Filter/Exclusion: Exclude matches where the initiating process is powershell.exe and the script path is on an allowlist (e.g., a custom admin script in a trusted, write-protected directory).

Scenario: Legitimate Software Update via Microsoft Intune
Description: A software update deployed via Microsoft Intune may generate outbound connections and file operations that resemble the activity this rule is looking for.
Filter/Exclusion: Exclude matches where the parent process is msiexec.exe or the file path is associated with a known Microsoft update package (e.g., C:\Windows\Temp\*.msi).

Scenario: Automated Backup Job Using Veeam Backup & Replication
Description: A backup job initiated by Veeam may copy files to a remote location, which could trigger the rule through its network activity or file access patterns.
Filter/Exclusion: Exclude matches where the parent process is Veeam.Backup.Run.exe or the destination path is a known backup directory (e.g., C:\Backup\ or a network share used for backups).
Scenario: User-Initiated File Transfer via File Transfer Tool (e.g., WinSCP)