The detection identifies potential Lumma Stealer activity through known IOCs, indicating an adversary may be exfiltrating data or establishing persistence. SOC teams should proactively hunt for this behavior to detect and mitigate advanced threats leveraging compromised Azure environments.
IOC Summary

Malware Family: Lumma Stealer
Total IOCs: 2
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://pantofr.cyou | botnet_cc | 2026-05-20 | 75% |
| url | hxxps://brownhc.cyou | botnet_cc | 2026-05-19 | 75% |
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Lumma Stealer
let malicious_urls = dynamic(["https://pantofr.cyou", "https://brownhc.cyou"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
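To show the same hunt outside Sentinel, here is an added Python example (not part of the original rule) that refangs the two defanged ThreatFox URLs above and matches them by hostname against constructed UrlClickEvents-shaped records, returning the same columns in the same newest-first order as the KQL query; matching on the parsed host rather than a substring avoids flagging URLs that merely mention an IOC domain in their path.

```python
import re
from urllib.parse import urlsplit

# IOCs from the ThreatFox summary above, in the defanged form they are published in.
DEFANGED_IOCS = ["hxxps://pantofr.cyou", "hxxps://brownhc.cyou"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a parseable URL (hxxp -> http, [.] -> .)."""
    ioc = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def ioc_hosts(iocs):
    """Lowercase hostnames of the refanged IOC URLs."""
    return {urlsplit(refang(i)).hostname.lower() for i in iocs}


def url_host(url: str):
    """Lowercase hostname of a clicked URL, or None if it cannot be parsed."""
    host = urlsplit(url.strip()).hostname
    return host.lower() if host else None


def hunt(events, iocs=DEFANGED_IOCS):
    """Return events whose URL host is an IOC host, newest first (mirrors the KQL hunt)."""
    hosts = ioc_hosts(iocs)
    hits = [e for e in events if url_host(e["Url"]) in hosts]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


# Constructed sample records shaped like the UrlClickEvents columns the query projects.
# The second record mentions an IOC domain only in its path and must not match.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-20T09:14:02Z", "AccountUpn": "alice@example.com",
     "Url": "https://pantofr.cyou/login", "ActionType": "ClickAllowed", "IsClickedThrough": True},
    {"Timestamp": "2026-05-20T10:01:45Z", "AccountUpn": "bob@example.com",
     "Url": "https://docs.example.com/brownhc.cyou-notes", "ActionType": "ClickAllowed", "IsClickedThrough": True},
    {"Timestamp": "2026-05-21T07:30:00Z", "AccountUpn": "carol@example.com",
     "Url": "HTTPS://BrownHC.cyou/", "ActionType": "ClickBlocked", "IsClickedThrough": False},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["AccountUpn"], hit["Url"], hit["ActionType"], hit["IsClickedThrough"])
```

Blocked clicks (ActionType ClickBlocked) are kept in the results on purpose: a blocked click still tells the SOC which user received the lure.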
Scenario: Legitimate Scheduled Job for Log Management
Description: A scheduled job runs logrotate or rsyslog to manage log files, which may trigger the rule due to similar command-line patterns.
Filter/Exclusion: Exclude processes related to logrotate, rsyslog, or syslog-ng using the process.name field.
Example Filter: `process.name not in ("logrotate", "rsyslog", "syslog-ng")`
Scenario: Admin Task Using PowerShell for System Maintenance
Description: An administrator uses PowerShell to perform system maintenance tasks, such as Get-EventLog or Get-Service, which may resemble malicious activity.
Filter/Exclusion: Exclude PowerShell scripts or commands associated with system administration using process.name or script.name.
Example Filter: `process.name not in ("powershell.exe", "pwsh") or script.name not in ("SystemMaintenance.ps1", "AdminTools.ps1")`
Scenario: Legitimate Use of WMI for Monitoring
Description: A monitoring tool like WMIC is used to query system information, which may match the IOCs associated with Lumma Stealer.
Filter/Exclusion: Exclude WMI-related processes using process.name or process.args.
Example Filter: `process.name not in ("wmic.exe") or process.args not contains "query"`
Scenario: Antivirus or EDR Tool Scanning for Malware
Description: A security tool like Microsoft Defender or CrowdStrike Falcon performs a scan and generates alerts that may be flagged by the rule.
Filter/Exclusion: Exclude processes related to antivirus or EDR tools using process.name.
Example Filter: `process.name not