This hunt matches DNS queries against known Formbook command-and-control domains (ThreatFox threat type botnet_cc). A hit means a host is attempting to reach Formbook C2 infrastructure; for this infostealer that typically precedes credential theft and data exfiltration rather than persistence setup. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and contain Formbook infections before significant data loss occurs. Both IOCs carry 50% confidence, so a match is a lead for triage (confirm the resolving host, the resolved IPs, and any follow-on outbound connections), not a verdict on its own.
IOC Summary
Malware Family: Formbook
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | www.apartuk.info | botnet_cc | 2026-05-12 | 50% |
| domain | www.axilo.top | botnet_cc | 2026-05-12 | 50% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Formbook
let malicious_domains = dynamic(["www.apartuk.info", "www.axilo.top"]);
DnsEvents
// has_any is a case-insensitive term/phrase match, so it also hits longer names
// that contain the IOC as a phrase (e.g. a subdomain prefixed onto it)
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS Analytics solution (Windows DNS servers). Confirm the connector is enabled and actually ingesting before treating an empty result as a clean bill of health. |
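The query above returns one row per matching lookup and only matches the two exact `www.` names in the IOC table. As an added example (not part of the original page), the following KQL extends the hunt to the apex domains and any of their subdomains, normalizes case and trailing dots, and summarizes per host so a single beaconing machine stands out among many rows. The apex list is derived by hand from the two IOCs, the 30-day lookback is an arbitrary assumption, and `ClientIP` is assumed to be present in DnsEvents (it is a standard column of that table).

```kql
// Added example: broader Formbook C2 domain hunt over DnsEvents, summarized per host.
// Assumptions: DnsEvents is ingested, ClientIP is populated, 30d is an acceptable lookback.
let malicious_domains = dynamic(["www.apartuk.info", "www.axilo.top"]);
// Apex domains of the IOCs above, derived by hand (both IOCs are www. hosts).
let apex_domains = dynamic(["apartuk.info", "axilo.top"]);
DnsEvents
| where TimeGenerated > ago(30d)
| where isnotempty(Name)
// Normalize: lower-case and strip a trailing dot from FQDN-style queries.
| extend Query = tolower(trim_end(@"\.", Name))
// Last two labels of the queried name. Correct for .info/.top; would need
// adjusting for registries with second-level suffixes such as .co.uk.
| extend Apex = extract(@"([^.]+\.[^.]+)$", 1, Query)
| where Query in (malicious_domains) or Apex in (apex_domains)
| summarize FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            QueryCount  = count(),
            QueriedNames = make_set(Query),
            ClientIPs   = make_set(ClientIP),
            ResolvedIPs = make_set(IPAddresses)
  by Computer
| order by FirstSeen asc
```

A host with a steady QueryCount over a long FirstSeen/LastSeen window is the beaconing pattern to chase first; pivot on its ClientIPs and ResolvedIPs into firewall or proxy logs to confirm an actual outbound connection rather than a bare resolution.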
Note that the hunt above keys on DNS query names in DnsEvents, which carries no process or file context, so the process-based filters in the scenarios below only apply if the Formbook IOCs are extended to file or process indicators (hashes, paths, command lines). For the DNS query itself, the equivalent exclusion is an allowlist of Computer or ClientIP values that are known to resolve these domains legitimately (malware sandboxes, threat-intel crawlers, DNS sinkhole testing).

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script whose file name or path collides with a Formbook file indicator (illustrative example: C:\Windows\System32\formbook.exe).
Filter/Exclusion: Exclude the specific task by name and the signed binary it launches, or require the Task Scheduler service in the parent process chain. Excluding everything under C:\Windows\System32 is too broad, since malware dropped there would be suppressed as well.
Scenario: Admin Tool Execution
Description: An administrator uses a legitimate remote-execution tool such as PsExec or WMIC to run a script whose command-line arguments collide with Formbook IOCs.
Filter/Exclusion: Exclude executions initiated by PsExec, WMIC, or schtasks.exe from known admin hosts or jump boxes. Filtering purely on user context (Administrator or SYSTEM) is not safe: Formbook runs in whatever context launched it, so an excluded SYSTEM or Administrator context would also hide malware started from an elevated session or service.
Scenario: Log Collection and Analysis Job
Description: A log collection agent for a tool such as Splunk or the ELK Stack temporarily handles a file or command line matching a Formbook IOC during data ingestion.
Filter/Exclusion: Exclude the collection agent's own processes, or filter on log-parsing keywords in the command line. Where possible, match IOCs against the process's own image path and arguments rather than against the content it is ingesting.
Scenario: Software Update or Patch Deployment
Description: A patching tool such as Microsoft Update or WSUS runs an installer whose file name or temporary execution path matches a Formbook IOC.
Filter/Exclusion: Exclude processes initiated by wuauclt.exe, msiexec.exe, or setup.exe, or filter on update-related command-line arguments. Pin the exclusion to signed, known update packages: msiexec.exe is routinely abused to launch attacker-supplied packages, and setup.exe is a common name for droppers.
Scenario: Backup and Restore Job
Description: A backup tool like Veeam or Acronis runs a script that temporarily uses a file or command matching Formbook IOCs during backup or