The ThreatFox: ClearFake IOCs rule hunts for DNS resolution of domains that ThreatFox attributes to ClearFake, a fake-browser-update campaign that delivers its payloads from attacker-controlled domains. A query for one of these domains shows that a host tried to reach a payload-delivery site; it does not by itself prove the host was compromised, so each hit should be triaged for a subsequent download or execution. SOC teams should run this hunt in Microsoft Sentinel (formerly Azure Sentinel) to catch activity that signature-based controls may miss.
IOC Summary
Malware Family: ClearFake
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | pwrlogview.devharbor.pics | payload_delivery | 2026-05-11 | 100% |
| domain | argvlidcheck.co | payload_delivery | 2026-05-11 | 100% |
| domain | authshellverif.co | payload_delivery | 2026-05-11 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["pwrlogview.devharbor.pics", "argvlidcheck.co", "authshellverif.co"]);
DnsEvents
// has_any matches whole terms, so subdomains such as cdn.argvlidcheck.co are caught too;
// use `Name in~ (malicious_domains)` instead if only exact matches are wanted
| where Name has_any (malicious_domains)
// Computer is the DNS server that logged the query; ClientIP is the host that asked
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the Windows DNS Events via AMA connector (or the legacy DNS Analytics solution); confirm it is enabled and that the DNS servers in scope are onboarded |
False positives: these IOCs are domain names and the hunt matches only the queried name in DnsEvents, so file names, process names and parent processes cannot cause a match and are not available in this table. Expected hits come from systems that resolve known-bad domains on purpose. Scope any exclusion to the specific source hosts (ClientIP, ideally maintained in a watchlist) rather than to a process or user name, and never exclude the domain itself.
Scenario: Security Tooling Resolving the IOC Domains
Description: Sandboxes, URL scanners and threat-intelligence enrichment services resolve known-bad domains as part of normal operation, so their queries will appear in the hunt every time a feed is refreshed.
Filter/Exclusion: | where ClientIP !in (sandbox_hosts) where sandbox_hosts is a list or watchlist of your sandbox and scanner addresses (placeholder name, define it for your environment)
Scenario: Analyst Investigation of the Same Indicators
Description: A SOC analyst or researcher resolves or browses to one of the IOC domains from an investigation workstation while triaging an alert.
Filter/Exclusion: | where ClientIP !in ((_GetWatchlist('AnalystWorkstations') | project SearchKey)) with the watchlist alias being a placeholder for one you maintain
Scenario: Scheduled Job Testing DNS Filtering
Description: A scheduled task or monitoring probe periodically resolves known-bad domains to verify that DNS filtering or sinkholing is working; the queries recur on a fixed cadence from the same client.
Filter/Exclusion: | where ClientIP !in (probe_hosts) (placeholder list of the probe hosts); review the cadence with summarize count() by ClientIP, bin(TimeGenerated, 1h) before excluding
Scenario: Query Already Sinkholed by DNS Firewall
Description: A DNS firewall or RPZ policy answers the query with a sinkhole address, so IPAddresses contains the sinkhole rather than the real resolution. The query is still evidence that the host attempted to reach the domain.
Filter/Exclusion: none; keep these hits and mark them with | extend Sinkholed = IPAddresses has "<your sinkhole address>" so the block is visible during triage
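The following is an added, offline re-implementation of the hunt above together with the asset-scoped exclusions from the false-positive scenarios; it is example code written for this page, not part of the original rule or of Microsoft Sentinel. It mirrors the KQL's `has_any` behaviour by matching the IOC domain exactly or as a suffix at a label boundary (so subdomains hit but `notargvlidcheck.co` and `authshellverif.com` do not), normalises case and trailing dots, and drops queries from excluded client addresses. The DNS records and the sandbox address `10.0.0.50` are constructed for the example.

```python
"""Offline model of the ThreatFox ClearFake DNS hunt (added example, not the page's rule).

Records follow the DnsEvents columns used by the KQL query. Host addresses and
events below are constructed sample data, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Indicators from the IOC table on the page.
IOC_DOMAINS = ("pwrlogview.devharbor.pics", "argvlidcheck.co", "authshellverif.co")


@dataclass(frozen=True)
class DnsEvent:
    time_generated: datetime
    computer: str      # DNS server that logged the query (DnsEvents.Computer)
    client_ip: str     # host that issued the query (DnsEvents.ClientIP)
    name: str          # queried name (DnsEvents.Name)
    ip_addresses: str  # answer(s) as stored in DnsEvents.IPAddresses
    query_type: str


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs sometimes keep."""
    return name.strip().rstrip(".").lower()


def matches_ioc(name: str, iocs: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the matching IOC if `name` is the IOC or a subdomain of it.

    Matching at a label boundary is what distinguishes this from a naive
    substring check, which would also fire on notargvlidcheck.co.
    """
    n = normalise(name)
    for ioc in iocs:
        i = normalise(ioc)
        if n == i or n.endswith("." + i):
            return i
    return None


def hunt(events: Iterable[DnsEvent],
         excluded_clients: frozenset = frozenset(),
         iocs: Iterable[str] = IOC_DOMAINS):
    """Equivalent of the KQL: filter on Name, drop excluded ClientIPs, newest first."""
    hits = []
    for ev in events:
        ioc = matches_ioc(ev.name, iocs)
        if ioc is None:
            continue
        if ev.client_ip in excluded_clients:  # asset-scoped exclusion, never by domain
            continue
        hits.append((ev, ioc))
    hits.sort(key=lambda h: h[0].time_generated, reverse=True)
    return hits


# Constructed sample DnsEvents rows (not real data).
SAMPLE_EVENTS = [
    DnsEvent(datetime(2026, 5, 12, 9, 15), "dns01", "10.0.1.21",
             "pwrlogview.devharbor.pics", "203.0.113.10", "A"),
    DnsEvent(datetime(2026, 5, 12, 9, 16), "dns01", "10.0.1.22",
             "cdn.ARGVLIDCHECK.co.", "203.0.113.11", "A"),      # subdomain, mixed case, trailing dot
    DnsEvent(datetime(2026, 5, 12, 8, 0), "dns01", "10.0.0.50",
             "authshellverif.co", "203.0.113.12", "A"),          # sandbox host (excluded)
    DnsEvent(datetime(2026, 5, 12, 9, 17), "dns01", "10.0.1.23",
             "authshellverif.com", "198.51.100.5", "A"),         # different TLD: no hit
    DnsEvent(datetime(2026, 5, 12, 9, 18), "dns01", "10.0.1.24",
             "notargvlidcheck.co", "198.51.100.6", "A"),         # substring only: no hit
    DnsEvent(datetime(2026, 5, 12, 9, 19), "dns01", "10.0.1.25",
             "www.example.com", "93.184.216.34", "A"),
]

# Placeholder sandbox/scanner address for the "Security Tooling" scenario.
EXCLUDED_CLIENTS = frozenset({"10.0.0.50"})


def run():
    return hunt(SAMPLE_EVENTS, EXCLUDED_CLIENTS)


if __name__ == "__main__":
    for ev, ioc in run():
        print(f"{ev.time_generated:%Y-%m-%d %H:%M}  {ev.client_ip:<12} {ev.name:<32} -> {ioc}")
```

Running the script lists two hits, the subdomain query from 10.0.1.22 first because the results are ordered newest first; the sandbox query is suppressed by the address-based exclusion and the look-alike names never match. Removing `EXCLUDED_CLIENTS` brings the sandbox hit back, which is the behaviour to expect when an exclusion watchlist is emptied in Sentinel.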