The ThreatFox: XWorm IOCs rule detects potential adversary activity associated with the XWorm malware, leveraging known indicators of compromise to identify suspicious network traffic or system artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be leveraging XWorm for data exfiltration or lateral movement.
IOC Summary
Malware Family: XWorm
Total IOCs: 3
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 155[.]103[.]71[.]244:1234 | botnet_cc | 2026-06-15 | 75% |
| domain | eminley.ydns.eu | botnet_cc | 2026-06-15 | 75% |
| ip:port | 172[.]245[.]106[.]54:3333 | botnet_cc | 2026-06-15 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XWorm
let malicious_ips = dynamic(["172.245.106.54", "155.103.71.244"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XWorm
let malicious_ips = dynamic(["172.245.106.54", "155.103.71.244"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XWorm
let malicious_domains = dynamic(["eminley.ydns.eu"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
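The hunting queries above match on bare IP addresses and drop the port that ThreatFox reports with each `ip:port` indicator. The following script is an added example, not part of the rule or of ThreatFox: it refangs the three indicators from the table, renders the same `let ... = dynamic([...])` lists the KQL uses, and evaluates constructed network and DNS events against the indicator set, distinguishing an exact `ip:port` C2 match from an IP-only match and matching DNS queries on the indicator domain or any subdomain of it. The sample events, host names and process names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# IOC rows exactly as they appear in the table above (defanged values).
# Source: ThreatFox - XWorm.
THREATFOX_XWORM_IOCS = [
    ("ip:port", "155[.]103[.]71[.]244:1234"),
    ("domain", "eminley.ydns.eu"),
    ("ip:port", "172[.]245[.]106[.]54:3333"),
]


def refang(value: str) -> str:
    """Undo the usual defanging conventions used in threat-intel feeds."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("[:]", ":").replace("hxxp", "http"))


@dataclass(frozen=True)
class IocSet:
    ips: frozenset        # bare IP addresses (what the page's KQL matches on)
    ip_ports: frozenset   # (ip, port) tuples, the full ThreatFox indicator
    domains: frozenset    # lower-cased, no trailing dot


def build_ioc_set(rows) -> IocSet:
    """Parse (type, defanged value) rows into refanged, validated indicator sets."""
    ips, ip_ports, domains = set(), set(), set()
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            ipaddress.ip_address(ip)   # raises ValueError on a malformed indicator
            ips.add(ip)
            ip_ports.add((ip, int(port)))
        elif ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return IocSet(frozenset(ips), frozenset(ip_ports), frozenset(domains))


def kql_list(name: str, values) -> str:
    """Render a KQL let-statement in the same shape as the hunting queries above."""
    quoted = ", ".join(f'"{v}"' for v in sorted(values))
    return f"let {name} = dynamic([{quoted}]);"


def match_network_event(iocs: IocSet, remote_ip: str, remote_port: int):
    """'ip:port' for an exact C2 pair, 'ip' for an IP-only match, None otherwise."""
    if (remote_ip, remote_port) in iocs.ip_ports:
        return "ip:port"
    if remote_ip in iocs.ips:
        return "ip"
    return None


def match_dns_event(iocs: IocSet, query_name: str):
    """Return the matching indicator if the query is the domain or a subdomain of it."""
    labels = query_name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs.domains:
            return candidate
    return None


# Constructed sample telemetry, not real events.
SAMPLE_NETWORK_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "172.245.106.54", "RemotePort": 3333, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws02", "RemoteIP": "155.103.71.244", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 1234, "InitiatingProcessFileName": "backup.exe"},
]
SAMPLE_DNS_EVENTS = [
    {"Computer": "ws01", "Name": "eminley.ydns.eu"},
    {"Computer": "ws02", "Name": "update.eminley.ydns.eu"},
    {"Computer": "ws03", "Name": "ydns.eu"},
]


def hunt(iocs: IocSet, network_events, dns_events):
    """Return (host, match_kind, observed_value) tuples for every event that hits an IOC."""
    hits = []
    for ev in network_events:
        kind = match_network_event(iocs, ev["RemoteIP"], ev["RemotePort"])
        if kind:
            hits.append((ev["DeviceName"], kind, f'{ev["RemoteIP"]}:{ev["RemotePort"]}'))
    for ev in dns_events:
        if match_dns_event(iocs, ev["Name"]):
            hits.append((ev["Computer"], "domain", ev["Name"]))
    return hits


if __name__ == "__main__":
    iocs = build_ioc_set(THREATFOX_XWORM_IOCS)
    print(kql_list("malicious_ips", iocs.ips))
    print(kql_list("malicious_domains", iocs.domains))
    for hit in hunt(iocs, SAMPLE_NETWORK_EVENTS, SAMPLE_DNS_EVENTS):
        print(hit)
```

An exact `ip:port` hit on the reported C2 port is a stronger signal than traffic to the same address on another port (dynamic DNS hosts and shared VPS addresses are reused), so carrying the port through triage, as `match_network_event` does, helps rank the results the KQL returns. Note that `ydns.eu` itself is not flagged: only the indicator domain and names beneath it match.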
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule if the command includes a suspicious-looking argument that matches an IOC.
Filter/Exclusion: `process.command_line NOT LIKE '%rsync%' OR process.parent_process_name = 'cron'`
Scenario: Admin Task Using wget to Download a Known Safe Update
Description: An administrator may use wget to download a legitimate update from a trusted source, which could be flagged due to the presence of a known IOC in the command line.
Filter/Exclusion: `process.command_line NOT LIKE '%wget%https://trusted-update-server.com%' OR process.parent_process_name = 'sudo'`
Scenario: Log File Rotation Using logrotate
Description: The logrotate utility may generate temporary files or use paths that resemble malicious IOCs, especially if the log files are located in a directory with a similar name.
Filter/Exclusion: `process.command_line NOT LIKE '%logrotate%' OR process.directory = '/var/log'`
Scenario: Software Update via yum or apt
Description: A package manager like yum or apt may execute commands that include IOC-like strings when downloading updates from a repository, leading to a false positive.
Filter/Exclusion: `process.command_line NOT LIKE '%yum update%' AND process.command_line NOT LIKE '%apt-get update%'` (joined with AND: with OR, every command line that is not both a yum and an apt-get update would satisfy the expression, so neither package manager would be filtered)
Scenario: Database Backup Using mysqldump
Description: A database backup script using mysqldump may include paths or arguments that match the XWorm IOCs, especially if the backup directory has a similar name.
Filter/Exclusion: `process.command_line NOT LIKE