The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads through compromised websites and phishing campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could lead to data exfiltration or system compromise.
IOC Summary
Malware Family: ClearFake
Total IOCs: 39 (the table below lists 25 of them; the hunting query further down carries the full set)
IOC Types: sha256_hash, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | zoneday-green-house-oper-center.garden | payload_delivery | 2026-05-18 | 100% |
| domain | ecosystemmanagementcore.garden | payload_delivery | 2026-05-18 | 100% |
| domain | containerizedplantnetwork.garden | payload_delivery | 2026-05-18 | 100% |
| domain | floraanalyticsengine.garden | payload_delivery | 2026-05-18 | 100% |
| domain | meadowmonitoringplatform.garden | payload_delivery | 2026-05-18 | 100% |
| domain | irrigationautomationhub.garden | payload_delivery | 2026-05-18 | 100% |
| domain | 4q3wy64m.runtime-sphere.digital | payload_delivery | 2026-05-18 | 100% |
| domain | c2rdcpuv.runtime-sphere.digital | payload_delivery | 2026-05-18 | 100% |
| domain | runtime-sphere.digital | payload_delivery | 2026-05-18 | 100% |
| domain | botanicalworkflowcenter.garden | payload_delivery | 2026-05-18 | 100% |
| domain | distributedgrowthnetwork.garden | payload_delivery | 2026-05-18 | 100% |
| domain | wildfloracontrolsystem.garden | payload_delivery | 2026-05-18 | 100% |
| domain | petalprocessingplatform.garden | payload_delivery | 2026-05-18 | 100% |
| domain | greenhouseresourceengine.garden | payload_delivery | 2026-05-18 | 100% |
| sha256_hash | 70da09d825ce21f1dd43e9f3654e087ccb6cedc6a659ee6f378c41aeb81ea5d8 | payload | 2026-05-18 | 100% |
| domain | primordial-soup-evolution.garden | payload_delivery | 2026-05-18 | 100% |
| domain | westpostva.com | payload_delivery | 2026-05-18 | 100% |
| domain | evamotion.com | payload_delivery | 2026-05-18 | 100% |
| domain | rluvz62i.observability-matrix.digital | payload_delivery | 2026-05-18 | 100% |
| domain | k9h20m23.observability-matrix.digital | payload_delivery | 2026-05-18 | 100% |
| domain | observability-matrix.digital | payload_delivery | 2026-05-18 | 100% |
| domain | subdermal-biometric-chip.garden | payload_delivery | 2026-05-18 | 100% |
| domain | renaissance-fresco-restoration.garden | payload_delivery | 2026-05-18 | 100% |
| domain | stratospheric-weather-balloon.garden | payload_delivery | 2026-05-18 | 100% |
| domain | holographic-projection-grid.garden | payload_delivery | 2026-05-18 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic([
    "zoneday-green-house-oper-center.garden", "ecosystemmanagementcore.garden",
    "containerizedplantnetwork.garden", "floraanalyticsengine.garden",
    "meadowmonitoringplatform.garden", "irrigationautomationhub.garden",
    "4q3wy64m.runtime-sphere.digital", "c2rdcpuv.runtime-sphere.digital",
    "runtime-sphere.digital", "botanicalworkflowcenter.garden",
    "distributedgrowthnetwork.garden", "wildfloracontrolsystem.garden",
    "petalprocessingplatform.garden", "greenhouseresourceengine.garden",
    "primordial-soup-evolution.garden", "westpostva.com", "evamotion.com",
    "rluvz62i.observability-matrix.digital", "k9h20m23.observability-matrix.digital",
    "observability-matrix.digital", "subdermal-biometric-chip.garden",
    "renaissance-fresco-restoration.garden", "stratospheric-weather-balloon.garden",
    "holographic-projection-grid.garden", "deep-sea-hydrothermal-vent.garden",
    "gothic-cathedral-blueprint.garden", "wlede4d3.network-harbor.digital",
    "vbvfs28b.network-harbor.digital", "network-harbor.digital",
    "magnetic-levitation-train.garden", "cybernetic-prosthetic-lab.garden",
    "subfossil-oak-chronology.garden", "crispy-chicken-cutlets.garden",
    "orbital-docking-module.garden", "bada-bing-sopranos-lounge.garden",
    "2u5vvnoh.microservice-pulse.digital", "vla2h0e7.microservice-pulse.digital",
    "audio-attenuator-schematic.garden"
]);
DnsEvents
// has_any is term-based, so a bare apex such as runtime-sphere.digital also
// matches queries for its subdomains
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - ClearFake
let malicious_hashes = dynamic(["70da09d825ce21f1dd43e9f3654e087ccb6cedc6a659ee6f378c41aeb81ea5d8"]);
DeviceFileEvents
// The IOC list holds SHA-256 values only, so comparing SHA1 or MD5 against it
// can never match; in~ makes the comparison case-insensitive
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Legitimate System Maintenance Task
Description: A system administrator is running a scheduled job to clean up temporary files using a tool like cleanmgr.exe or diskcleanup.exe.
Filter/Exclusion: Exclude processes associated with cleanmgr.exe or diskcleanup.exe using the process.name field.

Scenario: Antivirus Scan Using Windows Defender
Description: Windows Defender is performing a full system scan, which may trigger detection of benign files associated with malware IOCs.
Filter/Exclusion: Exclude processes with process.name containing Windows Defender or MsMpEng.exe.

Scenario: Scheduled Backup Job Using Veeam
Description: A backup job initiated by Veeam is copying files, and some file paths or hashes may match ClearFake IOCs.
Filter/Exclusion: Exclude processes with process.name containing Veeam or veeam.exe.

Scenario: Log File Analysis Using Splunk
Description: A Splunk administrator is analyzing log files, and the tool may be parsing files or directories that match known IOCs.
Filter/Exclusion: Exclude processes with process.name containing splunkd or splunk.exe.

Scenario: Software Update Deployment Using SCCM
Description: A System Center Configuration Manager (SCCM) task is deploying updates, and some package files may have hashes or paths matching ClearFake IOCs.
Filter/Exclusion: Exclude processes with process.name containing CCMExec or smsts.exe.
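The scenarios above are phrased against a generic process.name field; in the DeviceFileEvents table the equivalent column is InitiatingProcessFileName. The query below is an added example, not part of the original ThreatFox rule, that folds the five scenarios into the hash hunt as a single case-insensitive regex allowlist on that column (the mapping from process.name to InitiatingProcessFileName and the regex itself are assumptions made here). It flags matching rows instead of dropping them: a file whose SHA-256 equals the ClearFake payload is still that payload whether a backup agent, SCCM or a cleanup job touched it, so the flagged rows remain visible for triage and the final `where` is left commented until the tuning has been validated.

```kql
// Added example (not the page's own rule): DeviceFileEvents hash hunt with the
// page's false-positive scenarios applied as a tag rather than a hard filter.
// Assumes the process.name exclusions map onto InitiatingProcessFileName.
let malicious_hashes = dynamic([
    "70da09d825ce21f1dd43e9f3654e087ccb6cedc6a659ee6f378c41aeb81ea5d8"
]);
// Process names taken from the five scenarios. "(?i)" makes the match
// case-insensitive, and the alternatives use the "containing" semantics the
// scenarios describe, so "veeam" also covers other Veeam binaries.
let benign_initiators = @"(?i)(cleanmgr|diskcleanup|MsMpEng|veeam|splunkd|splunk\.exe|CCMExec|smsts)";
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| extend ExcludedByTuning = InitiatingProcessFileName matches regex benign_initiators
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            Paths = make_set(FolderPath, 10),
            Initiators = make_set(InitiatingProcessFileName, 10)
    by DeviceName, SHA256, FileName, ExcludedByTuning
// Keep the flagged rows visible for triage; uncomment the next line to drop
// them once the exclusions have been validated in your environment.
// | where not(ExcludedByTuning)
| order by ExcludedByTuning asc, LastSeen desc
```

Rows with ExcludedByTuning set to false sort first, so untuned hits surface at the top of the result set; the summarize step collapses repeated touches of the same file on the same device into one row with the set of paths and initiating processes, which is usually what an analyst needs to decide whether a scenario genuinely applies.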