The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads through compromised websites and phishing campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration or lateral movement within the network.
IOC Summary

Malware Family: ClearFake
Total IOCs: 60
IOC Types: domain

All of the domain IOCs on this page are classified as payload_delivery, were first seen 2026-05-20, and carry 100% confidence.
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
// has_any matches on whole terms, so a query for a subdomain of a listed
// domain (e.g. abc.meadow-observability-core.garden) is also returned.
let malicious_domains = dynamic(["wildflora-resource-platform.garden", "gardenprocessinghub.garden", "bloom-distribution-engine.garden", "0gmqmb12.orbitaldockingmodule.digital", "7e4kctpk.orbitaldockingmodule.digital", "ecosystemworkflow.garden", "containerized-growth-platform.garden", "floraresourcecenter.garden", "vt40b8nw.badabingsopranoslounge.digital", "7jhvxkjy.badabingsopranoslounge.digital", "6nrjnea5.badabingsopranoslounge.digital", "waggrzdi.meadow-observability-core.garden", "jqxpmmgb.meadow-observability-core.garden", "ivsfinmc.meadow-observability-core.garden", "meadow-observability-core.garden", "federatedplantmesh.garden", "irrigation-control-framework.garden", "jfmz4630.badabingsopranoslounge.digital", "wyvz4wf1.badabingsopranoslounge.digital", "botanicalprocessing.garden", "wildfloraanalyticshub.garden", "petal-resource-engine.garden", "baking-stone-thermal-mass.garden", "0zfu07h8.audioattenuatorschematic.digital", "qqzrh1mo.audioattenuatorschematic.digital", "vintage-telemetry-receiver.garden", "isochronous-cyclotron-beam.garden", "gothic-vault-engineering.garden", "submerged-continental-shelf.garden", "mlye7rvg.siciliandefensetheory.digital", "5hvf702j.siciliandefensetheory.digital", "maglev-propulsion-system.garden", "carbon-dating-calibration.garden", "geostationary-orbit-altitude.garden", "byzantine-mosaic-restoration.garden", "hydraulic-actuator-valve.garden", "o7se9wfy.stack-matrix.digital", "weyland-yutani-corporate-file.garden", "vacuum-tube-amplifier.garden", "perfect-bolognese-simmer.garden", "abyssal-plain-topography.garden", "coriolis-effect-trajectory.garden", "jq7mk5ac.logic-pulse.digital", "microflora-observability-platform.garden", "ecosystemprocessingcore.garden", "containerized-growth-system.garden", "flora-resource-network.garden", "t8oasjc8.cyber-harbor.digital", "meadowanalyticsengine.garden", "botanical-control-framework.garden"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
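The same check run offline, for example over an exported DnsEvents result set or a DNS log from a host without Sentinel. This is an added example and not part of the ThreatFox rule; it uses a subset of the page's domains and constructed sample events. Like the term-based `has_any` in the query above, it counts a query for a subdomain of a listed domain as a hit, but it will not match a longer name that merely ends in the same characters.

```python
# ClearFake domain IOCs copied from the page's hunting query (subset).
IOC_DOMAINS = [
    "wildflora-resource-platform.garden",
    "gardenprocessinghub.garden",
    "meadow-observability-core.garden",
    "waggrzdi.meadow-observability-core.garden",
    "0gmqmb12.orbitaldockingmodule.digital",
]

# Constructed sample DnsEvents rows (not real telemetry); Name is the queried domain.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Name": "login.microsoftonline.com"},
    {"Computer": "ws01", "Name": "gardenprocessinghub.garden."},
    {"Computer": "ws02", "Name": "cdn.wildflora-resource-platform.garden"},
    {"Computer": "ws02", "Name": "WAGGRZDI.meadow-observability-core.garden"},
    {"Computer": "ws03", "Name": "notgardenprocessinghub.garden"},
]


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot that resolvers often log."""
    return name.strip().rstrip(".").lower()


def match_domain(name: str, iocs=IOC_DOMAINS):
    """Return (ioc, kind) for a hit, kind being 'exact' or 'subdomain'; else None."""
    n = normalize(name)
    ioc_set = {normalize(d) for d in iocs}
    if n in ioc_set:
        return n, "exact"
    # Walk parent labels so a.b.ioc matches ioc while notioc.tld does not.
    labels = n.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in ioc_set:
            return parent, "subdomain"
    return None


def hunt(events, iocs=IOC_DOMAINS):
    """Return the events whose Name hits an IOC, annotated with the match."""
    hits = []
    for ev in events:
        m = match_domain(ev["Name"], iocs)
        if m:
            hits.append({**ev, "MatchedIoc": m[0], "MatchKind": m[1]})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["Computer"], h["Name"], "->", h["MatchedIoc"], h["MatchKind"])
```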
False Positive Scenarios

Scenario: Scheduled system cleanup using CCleaner
Filter/Exclusion: Exclude processes associated with ccleaner.exe or ccleanernotifier.exe
Rationale: CCleaner is a legitimate system cleanup tool that may perform actions resembling malicious IOCs during routine maintenance.

Scenario: Windows Task Scheduler job running a legitimate script for log rotation
Filter/Exclusion: Exclude tasks with names containing "logrotate" or "syslog" and associated with the Task Scheduler service
Rationale: Log rotation scripts often access and modify system files, which may be flagged by the detection logic.

Scenario: PowerShell script executed by System Center Configuration Manager (SCCM) for patch management
Filter/Exclusion: Exclude processes with powershell.exe and command line arguments containing "sccm" or "patch"
Rationale: SCCM often runs PowerShell scripts to manage updates, which can involve file system activity similar to malicious IOCs.

Scenario: Microsoft Endpoint Manager (MEM) running a compliance scan
Filter/Exclusion: Exclude processes with microsoftendpointmanager.exe or intune.exe
Rationale: Compliance scans may access various system directories and files, which could trigger the detection rule.

Scenario: Windows Event Log cleanup via Event Viewer or LogParser
Filter/Exclusion: Exclude processes with eventvwr.exe or logparser.exe
Rationale: Log cleanup tools may interact with log files in ways that resemble malicious IOCs, especially during large-scale purges.