The ThreatFox: SnappyClient IOCs rule detects potential adversary activity associated with the SnappyClient malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may be leveraging these IOCs to maintain persistence and steal sensitive data.
IOC Summary
Malware Family: SnappyClient
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | ohn.stainedunstitch.work | botnet_cc | 2026-05-07 | 100% |
| domain | ootid.srv-auth-dlt-msh.in.net | botnet_cc | 2026-05-07 | 100% |
| domain | sash.thirstyschnapps.cfd | botnet_cc | 2026-05-07 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SnappyClient
let malicious_domains = dynamic(["ohn.stainedunstitch.work", "ootid.srv-auth-dlt-msh.in.net", "sash.thirstyschnapps.cfd"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
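The following is an added example, not part of the original rule: it re-implements the hunt above in plain Python so the IOC matching can be sanity-checked offline against a few constructed DnsEvents-style records before the query is scheduled in Sentinel. It approximates the query's `has_any` with exact-or-subdomain matching after lower-casing and stripping a trailing dot; KQL term semantics differ slightly, so the final behaviour should still be validated in the workspace. The sample events, host names and IP addresses are constructed, and the `DnsEvent` class and `hunt` function are names chosen for this example.

```python
"""Offline check of the SnappyClient DNS hunt (added example, not the page's query)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# IOC list from the ThreatFox SnappyClient entry on this page
MALICIOUS_DOMAINS = (
    "ohn.stainedunstitch.work",
    "ootid.srv-auth-dlt-msh.in.net",
    "sash.thirstyschnapps.cfd",
)


@dataclass(frozen=True)
class DnsEvent:
    """Minimal stand-in for a DnsEvents row (assumed field set)."""
    time_generated: datetime
    computer: str
    name: str
    ip_addresses: str
    query_type: str


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'X.WORK.' compares equal to 'x.work'."""
    return name.strip().lower().rstrip(".")


def matches_ioc(name: str, iocs=MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC domain when the queried name is that domain or a subdomain
    of it (e.g. 'cdn.ohn.stainedunstitch.work'); otherwise None.
    A name that merely contains the IOC text mid-label does not match."""
    n = normalize(name)
    for ioc in iocs:
        ioc_n = normalize(ioc)
        if n == ioc_n or n.endswith("." + ioc_n):
            return ioc
    return None


def hunt(events: Iterable[DnsEvent], iocs=MALICIOUS_DOMAINS) -> List[dict]:
    """Python equivalent of:
    DnsEvents | where Name has_any (...) | project ... | order by TimeGenerated desc"""
    hits = []
    for e in events:
        matched = matches_ioc(e.name, iocs)
        if matched:
            hits.append((e, matched))
    hits.sort(key=lambda pair: pair[0].time_generated, reverse=True)
    return [
        {
            "TimeGenerated": e.time_generated.isoformat(),
            "Computer": e.computer,
            "Name": e.name,
            "IPAddresses": e.ip_addresses,
            "QueryType": e.query_type,
            "MatchedIOC": m,
        }
        for e, m in hits
    ]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    DnsEvent(datetime(2026, 5, 7, 9, 15), "WS-0142", "ohn.stainedunstitch.work", "198.51.100.23", "A"),
    DnsEvent(datetime(2026, 5, 7, 9, 16), "WS-0142", "www.example.com", "93.184.216.34", "A"),
    DnsEvent(datetime(2026, 5, 7, 9, 20), "SRV-DB01", "cdn.sash.thirstyschnapps.cfd", "203.0.113.9", "A"),
    DnsEvent(datetime(2026, 5, 7, 9, 21), "WS-0077", "OOTID.SRV-AUTH-DLT-MSH.IN.NET.", "203.0.113.44", "AAAA"),
    DnsEvent(datetime(2026, 5, 7, 9, 22), "WS-0077", "notsash.thirstyschnapps.cfd.evil.example", "", "A"),
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

Of the five constructed events, three are reported (the exact IOC, a subdomain of one, and a mixed-case name with a trailing dot); the unrelated lookup and the name that only contains IOC text inside a longer label are not.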
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses snappyclient.exe as part of a system maintenance or patching process.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler with the task name containing “SystemMaintenance” or “PatchManagement”.

Scenario: Admin Tool for Package Management
Description: An administrator uses a legitimate package manager (e.g., choco, winget) that internally calls snappyclient.exe for dependency resolution.
Filter/Exclusion: Exclude processes where the parent process is choco.exe, winget.exe, or msiexec.exe.

Scenario: Cloud Backup Job Using SnappyClient
Description: A cloud backup solution (e.g., Veeam, Acronis) uses snappyclient.exe to transfer data over the network.
Filter/Exclusion: Exclude processes where the command line includes backup-related flags or paths to known backup directories.

Scenario: Internal Development Tool Integration
Description: A development team uses an internal tool (e.g., internal-build-tool.exe) that integrates with snappyclient.exe for artifact distribution.
Filter/Exclusion: Exclude processes where the parent process is internal-build-tool.exe or where the command line includes internal development paths.

Scenario: Log Collection via SnappyClient
Description: A log aggregation tool (e.g., Splunk, ELK Stack) uses snappyclient.exe to collect logs from remote servers.
Filter/Exclusion: Exclude processes where the command line includes log collection flags or paths to log directories.
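As an added example (not part of the original rule), the five exclusion scenarios above are turned into named predicates and applied to constructed process events, so that every suppressed event carries the reason it was dropped and the suppressed volume can be reviewed. Note that the hunt query on this page runs over DnsEvents, while these scenarios describe process-level exclusions for snappyclient.exe; the example applies them to process events as written. The field names, the concrete backup, development and log-collection flags and paths, the parent image names other than those listed above, and the sample events are all assumptions made for illustration.

```python
"""Apply the false-positive exclusions above to constructed process events
(added example; field names, markers and sample data are assumptions)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for a process-creation record (assumed field set)."""
    computer: str
    image: str                        # e.g. "snappyclient.exe"
    parent_image: str                 # e.g. "choco.exe"
    command_line: str
    task_name: Optional[str] = None   # set when launched by the Task Scheduler


# Markers taken from the scenarios above; the flag/path strings are assumed
# stand-ins for site-specific allowlists and must be tuned per environment.
MAINTENANCE_TASK_MARKERS = ("systemmaintenance", "patchmanagement")
PACKAGE_MANAGER_PARENTS = ("choco.exe", "winget.exe", "msiexec.exe")
BACKUP_MARKERS = ("--backup", "/backup", "\\backups\\")      # assumed backup flags/paths
DEV_TOOL_PARENTS = ("internal-build-tool.exe",)
DEV_PATH_MARKERS = ("\\dev\\", "\\artifacts\\")               # assumed internal dev paths
LOG_MARKERS = ("--collect-logs", "\\logs\\")                  # assumed log-collection flags/paths


def _has_marker(text: str, markers: Tuple[str, ...]) -> bool:
    """Case-insensitive substring check against a tuple of markers."""
    t = text.lower()
    return any(m in t for m in markers)


def is_maintenance_task(e: ProcessEvent) -> bool:
    return bool(e.task_name) and _has_marker(e.task_name, MAINTENANCE_TASK_MARKERS)


def is_package_manager_child(e: ProcessEvent) -> bool:
    return e.parent_image.lower() in PACKAGE_MANAGER_PARENTS


def is_backup_job(e: ProcessEvent) -> bool:
    return _has_marker(e.command_line, BACKUP_MARKERS)


def is_dev_tool_integration(e: ProcessEvent) -> bool:
    return e.parent_image.lower() in DEV_TOOL_PARENTS or _has_marker(e.command_line, DEV_PATH_MARKERS)


def is_log_collection(e: ProcessEvent) -> bool:
    return _has_marker(e.command_line, LOG_MARKERS)


# Order matters only for which reason is reported when several apply.
EXCLUSIONS: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("scheduled_maintenance", is_maintenance_task),
    ("package_manager", is_package_manager_child),
    ("cloud_backup", is_backup_job),
    ("internal_dev_tool", is_dev_tool_integration),
    ("log_collection", is_log_collection),
]


def triage(events: List[ProcessEvent]):
    """Split snappyclient.exe events into (alerts, suppressed); each suppressed
    entry carries the name of the first exclusion that matched."""
    alerts, suppressed = [], []
    for e in events:
        if e.image.lower() != "snappyclient.exe":
            continue  # the scenarios only concern the snappyclient.exe process
        reason = next((name for name, pred in EXCLUSIONS if pred(e)), None)
        (suppressed if reason else alerts).append((e, reason))
    return alerts, suppressed


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", "snappyclient.exe", "svchost.exe", "snappyclient.exe --sync",
                 task_name="SystemMaintenance-Weekly"),
    ProcessEvent("WS-02", "snappyclient.exe", "choco.exe", "snappyclient.exe resolve pkg"),
    ProcessEvent("SRV-BK", "snappyclient.exe", "veeam.backup.exe",
                 "snappyclient.exe --backup D:\\Backups\\nightly"),
    ProcessEvent("BUILD-1", "snappyclient.exe", "internal-build-tool.exe",
                 "snappyclient.exe push C:\\artifacts\\app.zip"),
    ProcessEvent("SRV-LOG", "snappyclient.exe", "splunkd.exe",
                 "snappyclient.exe --collect-logs \\\\srv01\\logs\\app"),
    ProcessEvent("WS-03", "snappyclient.exe", "explorer.exe",
                 "snappyclient.exe --connect ohn.stainedunstitch.work"),
    ProcessEvent("WS-04", "notepad.exe", "explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for e, _ in alerts:
        print("ALERT    ", e.computer, e.parent_image, e.command_line)
    for e, reason in suppressed:
        print("SUPPRESS ", e.computer, reason)
```

Keeping the reason alongside each suppressed event is what makes these exclusions reviewable: the backup, development-path and log-collection rules key on command-line text, which is a field the process author controls, so a periodic count of suppressions per reason is a cheap check that an exclusion has not started absorbing more than the scenario it was written for.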