The ThreatFox: Vidar IOCs rule detects potential command and control activity associated with the Vidar malware, leveraging known indicators linked to its infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be exfiltrating data or establishing persistence within the environment.
IOC Summary
Malware Family: Vidar
Total IOCs: 4
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://tri.fazvende.com/ | botnet_cc | 2026-05-19 | 100% |
| domain | tri.tristans-tea.com | botnet_cc | 2026-05-19 | 100% |
| url | hxxps://tri.tristans-tea.com/ | botnet_cc | 2026-05-19 | 100% |
| domain | tri.fazvende.com | botnet_cc | 2026-05-19 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// has_any is a case-insensitive term match, so subdomains of the listed names also match
let malicious_domains = dynamic(["tri.tristans-tea.com", "tri.fazvende.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// The defanged hxxps values from the IOC table are refanged to https here
let malicious_urls = dynamic(["https://tri.fazvende.com/", "https://tri.tristans-tea.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
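As an added example (not part of the ThreatFox rule or the page's own KQL), the same two hunts expressed in Python over constructed sample rows: it refangs the hxxps values from the IOC table, reduces url and domain indicators to one host set, and matches by exact name or parent domain rather than substring, which is stricter than the term matching that KQL has_any performs. Field names mirror DnsEvents and UrlClickEvents; the row values and account names are constructed.

```python
import re
from urllib.parse import urlsplit

# The four ThreatFox indicators from the table above, as published (defanged).
IOCS = [
    ("url", "hxxps://tri.fazvende.com/"),
    ("domain", "tri.tristans-tea.com"),
    ("url", "hxxps://tri.tristans-tea.com/"),
    ("domain", "tri.fazvende.com"),
]

def refang(value: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so values match live telemetry."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def ioc_hosts(iocs) -> set:
    """Collapse url and domain indicators into one set of lowercase hostnames."""
    hosts = set()
    for kind, value in iocs:
        value = refang(value)
        host = urlsplit(value).hostname if kind == "url" else value
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts

def host_matches(name: str, hosts: set) -> bool:
    """True for an exact indicator or any subdomain of it. Deliberately not a
    substring test, so a name like 'notri.fazvende.com' does not fire."""
    name = (name or "").lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in hosts)

# Constructed sample rows shaped like DnsEvents and UrlClickEvents records.
DNS_SAMPLE = [
    {"TimeGenerated": "2026-05-19T10:01:00Z", "Computer": "ws-042", "Name": "tri.fazvende.com"},
    {"TimeGenerated": "2026-05-19T10:02:00Z", "Computer": "ws-042", "Name": "cdn.tri.tristans-tea.com"},
    {"TimeGenerated": "2026-05-19T10:03:00Z", "Computer": "ws-017", "Name": "notri.fazvende.com"},
    {"TimeGenerated": "2026-05-19T10:04:00Z", "Computer": "ws-017", "Name": "login.microsoftonline.com"},
]
URL_SAMPLE = [
    {"Timestamp": "2026-05-19T10:05:00Z", "AccountUpn": "alice@example.com",
     "Url": "HTTPS://tri.tristans-tea.com/dl/update.bin"},
    {"Timestamp": "2026-05-19T10:06:00Z", "AccountUpn": "bob@example.com",
     "Url": "https://www.example.com/"},
]

# The two hunts above, run over in-memory rows instead of Sentinel tables.
def hunt_dns(rows, hosts):
    return [r for r in rows if host_matches(r["Name"], hosts)]

def hunt_urls(rows, hosts):  # scheme case and URL path are ignored; only the host matters
    return [r for r in rows if host_matches(urlsplit(r["Url"]).hostname, hosts)]
```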
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe to perform system maintenance, which may trigger the rule due to the presence of the executable name.
Filter/Exclusion: Exclude processes where the full path contains C:\Windows\System32\schtasks.exe or where the parent process is services.exe.
Scenario: Microsoft Endpoint Protection (EPP) Scan
Description: A routine scan initiated by Microsoft Endpoint Protection (EPP) that may include scanning files or processes associated with the Vidar IOC names.
Filter/Exclusion: Exclude processes where the executable is mpcmdrun.exe or where the command line includes mpam-fe.
Scenario: PowerShell Script for Log Collection
Description: A PowerShell script used by the IT team to collect system logs, which may include commands or file names similar to Vidar IOCs.
Filter/Exclusion: Exclude processes where the parent process is powershell.exe and the command line includes -File with a known internal script path.
Scenario: Backup Job Using VSS Writer
Description: A backup job initiated by a third-party backup tool (e.g., Veeam, Acronis) that may interact with the Volume Shadow Copy Service (VSS), which could trigger the rule due to related process names.
Filter/Exclusion: Exclude processes where the executable is vssvc.exe or where the command line includes BackupJobName.
Scenario: Admin Tool for System Monitoring
Description: A legitimate admin tool (e.g., perfmon.exe, eventvwr.exe) used for monitoring system performance or events, which may have similar names to Vidar IOCs.
Filter/Exclusion: Exclude processes where the executable is perfmon.exe or