The ThreatFox: Unknown Stealer IOCs rule detects potential adversary activity involving unknown malware that may be exfiltrating sensitive data or establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 2
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://trailblazehealth.com/curl/6e2d25066bc1db68a10d55189c7c0bae6443d5178fd4310808270e261236ce30 | payload_delivery | 2026-05-21 | 100% |
| url | hxxps://api-metrics-5453.com/curl/3e97b0eddfddb28e10008f9348381b2665e1ad12476315b24a64808696c3347b | payload_delivery | 2026-05-21 | 100% |
Hunting Query

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown Stealer
// The URLs below are the refanged (hxxp -> http) forms of the defanged IOCs listed in the table above
let malicious_urls = dynamic(["http://trailblazehealth.com/curl/6e2d25066bc1db68a10d55189c7c0bae6443d5178fd4310808270e261236ce30", "https://api-metrics-5453.com/curl/3e97b0eddfddb28e10008f9348381b2665e1ad12476315b24a64808696c3347b"]);
UrlClickEvents
// has_any matches if any listed URL appears as a term in the clicked Url
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Legitimate System Maintenance Task
Description: A scheduled job runs schtasks.exe to perform routine system maintenance, which may trigger the rule due to the presence of the executable.
Filter/Exclusion: Exclude processes where image contains schtasks.exe and parent_process is services.exe or task scheduler.

Scenario: Admin Performing File Integrity Check
Description: An administrator uses PowerShell.exe to run a script that checks file integrity with cmdlets or tools such as Get-FileHash, which may be flagged due to similar IOCs.
Filter/Exclusion: Exclude processes where process_name is PowerShell.exe and command_line contains Get-FileHash or certutil.

Scenario: Software Deployment via Group Policy
Description: A Group Policy Object (GPO) deployment uses gpupdate.exe and msiexec.exe to install legitimate software, which may match the IOCs of the Unknown Stealer.
Filter/Exclusion: Exclude processes where parent_process is services.exe and process_name is msiexec.exe or gpupdate.exe.

Scenario: Log Collection via Splunk or ELK
Description: A log collection agent such as splunkforwarder.exe or logstash.exe may be flagged because it uses command-line arguments or file paths similar to the IOCs.
Filter/Exclusion: Exclude processes where process_name is splunkforwarder.exe, logstash.exe, or filebeat and parent_process is services.exe.

Scenario: Antivirus or EDR Tool Scanning
Description: A legitimate EDR tool like Microsoft Defender or CrowdStrike Falcon may trigger the rule when