Adversaries may be using Formbook malware to exfiltrate data by leveraging compromised Azure environments, as indicated by the detected IOCs. SOC teams should proactively hunt for this behavior to identify and mitigate potential data exfiltration and lateral movement within their Azure Sentinel environment.
IOC Summary
Malware Family: Formbook
Total IOCs: 2
IOC Types: domain

| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | www.apartuk.info | botnet_cc | 2026-05-12 | 50% |
| domain | www.axilo.top | botnet_cc | 2026-05-12 | 50% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Formbook
// Note: has_any is a term match, so subdomains of the listed names also match
let malicious_domains = dynamic(["www.apartuk.info", "www.axilo.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
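The same domain-IOC match applied offline, as an added example that is not part of the original hunting note: a small Python version of the query above run over constructed DnsEvents-style records. The `DnsEvent` record type, the `normalize`/`matched_ioc`/`hunt` helper names and the sample events are assumptions for illustration; the two IOC domains come from the table. It goes slightly beyond the KQL by normalizing case and trailing dots and by matching exact names or subdomains only, so a lookalike such as `www.axilo.top.example.com` is not reported.

```python
# Added example (not from the original hunting note or ThreatFox): the Formbook
# domain-IOC match applied to constructed DnsEvents-style records.
from dataclasses import dataclass

# Domain IOCs from the IOC table above (ThreatFox - Formbook)
IOC_DOMAINS = {"www.apartuk.info", "www.axilo.top"}


@dataclass(frozen=True)
class DnsEvent:  # assumed record shape mirroring the projected DnsEvents columns
    time_generated: str
    computer: str
    name: str
    query_type: str


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.AXILO.TOP.' still matches."""
    return name.strip().rstrip(".").lower()


def matched_ioc(name: str, iocs=IOC_DOMAINS):
    """Return the IOC the queried name equals or is a subdomain of, else None.
    Unlike a term/substring match, 'www.axilo.top.example.com' is not a hit."""
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt(events, iocs=IOC_DOMAINS):
    """Matching events with the IOC they hit, newest first (like the KQL order by)."""
    hits = [(e, matched_ioc(e.name, iocs)) for e in events]
    hits = [(e, ioc) for e, ioc in hits if ioc is not None]
    return sorted(hits, key=lambda h: h[0].time_generated, reverse=True)


# Constructed sample records, not real telemetry
SAMPLE_EVENTS = [
    DnsEvent("2026-05-12T08:01:00Z", "WS01", "www.microsoft.com", "A"),
    DnsEvent("2026-05-12T08:02:10Z", "WS07", "WWW.APARTUK.INFO.", "A"),
    DnsEvent("2026-05-12T08:03:30Z", "WS07", "cdn.www.axilo.top", "A"),
    DnsEvent("2026-05-12T08:04:00Z", "WS02", "www.axilo.top.example.com", "A"),
]

if __name__ == "__main__":
    for event, ioc in hunt(SAMPLE_EVENTS):
        print(f"{event.time_generated} {event.computer} {event.name} -> {ioc}")
```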

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the Formbook IOC pattern due to similar command-line arguments or file names.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known name like SystemMaintenanceTask.

Scenario: Admin Performing Log Collection via PowerShell
Description: An admin uses PowerShell to collect logs, which may include commands resembling Formbook's C2 communication.
Filter/Exclusion: Exclude processes started by powershell.exe with the -Command argument and a known admin script name like Collect-SystemLogs.ps1.

Scenario: Database Backup Job Using SQLCMD
Description: A database backup job uses sqlcmd to execute scripts that include command-line arguments similar to Formbook's IOCs.
Filter/Exclusion: Exclude processes initiated by sqlcmd.exe with a known job name or script path like C:\Backups\BackupScript.sql.

Scenario: Network Monitoring Tool Generating Traffic
Description: A legitimate network monitoring tool (e.g., Wireshark, PRTG) generates traffic that matches Formbook's network IOCs.
Filter/Exclusion: Exclude processes with the executable name wireshark.exe or prtg_agent.exe and filter by known monitoring tool IPs or ports.

Scenario: Automated Patching Tool Using UNC Paths
Description: A patching tool (e.g., Microsoft Update, SCCM) uses UNC paths that resemble Formbook's file IOCs.
Filter/Exclusion: Exclude processes initiated by msiexec.exe or setup.exe and filter by UNC paths associated with known patching tools.