The detection identifies potential adversary activity linked to the IClickFix threat group through known IOCs, indicating possible compromise or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats before they cause significant damage.
IOC Summary
Malware Family: IClickFix Total IOCs: 2 IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | empretec.co.zw | payload_delivery | 2026-05-06 | 100% |
| ip:port | 91[.]92[.]34[.]76:443 | payload_delivery | 2026-05-06 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - IClickFix
let malicious_ips = dynamic(["91.92.34.76"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["91.92.34.76"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - IClickFix
let malicious_domains = dynamic(["empretec.co.zw"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern (e.g., C:\Windows\System32\Tasks\maintenance.ps1).
Filter/Exclusion: process.name != "schtasks.exe" or process.path != "C:\Windows\System32\Tasks\"
Scenario: Admin Performing Disk Cleanup
Description: An administrator uses the built-in Disk Cleanup tool (cleanmgr.exe) which may trigger the IOC due to file paths or command-line arguments.
Filter/Exclusion: process.name != "cleanmgr.exe" or process.command_line not contains "cleanmgr.exe"
Scenario: PowerShell Script for Log Rotation
Description: A PowerShell script (logrotate.ps1) used for rotating log files is mistakenly flagged due to similar command-line arguments or file paths.
Filter/Exclusion: process.name != "powershell.exe" or process.command_line not contains "logrotate.ps1"
Scenario: Antivirus Quarantine Process
Description: A legitimate antivirus tool (e.g., Bitdefender, Kaspersky) moves files to quarantine, which may match the IOC pattern.
Filter/Exclusion: process.name contains "bitdefender" or process.name contains "kaspersky"
Scenario: System File Integrity Check (SFIC)
Description: A system integrity check tool like Sysinternals Process Explorer or Microsoft’s DISM may trigger the rule due to file access patterns.
Filter/Exclusion: process.name contains "dism.exe" or process.name contains "process.exe"