The ThreatFox: Unknown malware IOCs rule detects DNS queries to domains that ThreatFox lists as indicators of compromise for malware not yet attributed to a known family, which may indicate previously unseen malware in the environment. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and mitigate threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 4
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | gdedengikarlos.cfd | payload_delivery | 2026-05-13 | 100% |
| domain | caribb.ru | botnet_cc | 2026-05-12 | 49% |
| domain | mekhovaya-shuba.ru | botnet_cc | 2026-05-12 | 49% |
| domain | beboss34.ru | botnet_cc | 2026-05-12 | 49% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["gdedengikarlos.cfd", "caribb.ru", "mekhovaya-shuba.ru", "beboss34.ru"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
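The same hunt run offline against exported DNS query records, as an added example that is not part of the original rule page: it matches the four indicators from the IOC Summary table exactly or as parent domains of the queried name, anchored on label boundaries so that look-alikes such as notcaribb.ru or caribb.ru.example.com do not hit, and it carries the table's confidence value into each result. The log records are constructed for illustration and the field layout (TimeGenerated, Computer, Name, QueryType) is an assumption.

```python
import csv
import io

# Indicators from the IOC Summary table above, with their confidence levels.
IOC_DOMAINS = {
    "gdedengikarlos.cfd": 100,
    "caribb.ru": 49,
    "mekhovaya-shuba.ru": 49,
    "beboss34.ru": 49,
}

# Constructed DnsEvents-style records: TimeGenerated, Computer, Name, QueryType.
SAMPLE_LOG = """\
2026-05-13T08:01:10Z,WS-042,gdedengikarlos.cfd,A
2026-05-13T08:01:12Z,WS-042,cdn.caribb.ru,A
2026-05-13T08:02:00Z,WS-017,notcaribb.ru,A
2026-05-13T08:02:30Z,WS-017,caribb.ru.example.com,A
2026-05-13T08:03:05Z,SRV-01,BEBOSS34.RU,AAAA
2026-05-13T08:04:00Z,WS-042,login.microsoftonline.com,A
"""

def match_ioc(name: str):
    """Return (indicator, confidence) if `name` is an IOC domain or one of its
    subdomains, else None. Case-insensitive and anchored on label boundaries,
    so 'notcaribb.ru' and 'caribb.ru.example.com' are not reported."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # walk up: host, then each parent
        if candidate in IOC_DOMAINS:
            return candidate, IOC_DOMAINS[candidate]
    return None

def hunt(log_text: str):
    """Return matching records, newest first, mirroring the KQL projection."""
    hits = []
    for ts, computer, name, qtype in csv.reader(io.StringIO(log_text)):
        m = match_ioc(name)
        if m:
            hits.append({"TimeGenerated": ts, "Computer": computer,
                         "Name": name, "QueryType": qtype,
                         "Indicator": m[0], "Confidence": m[1]})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```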
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses a known tool like PowerShell or Task Scheduler to perform system diagnostics or updates.
Filter/Exclusion: Exclude processes initiated by Task Scheduler or processes with CommandLine containing schtasks.exe or powershell.exe -Command.
Scenario: Admin Tool for Log Management
Description: An admin uses a tool like Splunk or ELK Stack to collect and analyze logs, which may involve writing to or reading from system files.
Filter/Exclusion: Exclude processes with ProcessName matching splunkd.exe, logstash, or kibana and filter by User being a known admin account.
Scenario: Software Update Job
Description: A system runs a software update job using Windows Update or a tool like Chocolatey to install updates, which may involve temporary file creation.
Filter/Exclusion: Exclude processes with CommandLine containing wuauclt.exe, choco, or msiexec.exe and filter by User being a service account.
Scenario: Database Backup Process
Description: A database backup job, such as using SQL Server Backup or pg_dump, may involve file I/O operations that could trigger the rule.
Filter/Exclusion: Exclude processes with ProcessName matching sqlservr.exe, pg_dump, or mysqldump and filter by User being a DBA account.
Scenario: Network Monitoring Tool
Description: A network monitoring tool like Wireshark or tcpdump may capture network traffic and write to temporary files, which could be flagged as suspicious I/O.
*Filter/