The ThreatFox: SmokeLoader IOCs rule detects potential command and control (C2) communication associated with SmokeLoader, a downloader commonly used to establish initial access and persistence and to stage follow-on payloads. SOC teams should proactively hunt for this activity in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain early-stage compromises before lateral movement and data exfiltration occur. The IOCs below are defanged (hxxp, [.]) as published by ThreatFox; refang them before use in a query.
IOC Summary
Malware Family: SmokeLoader
Total IOCs: 3
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://144[.]31[.]203[.]24/ | botnet_cc | 2026-05-18 | 100% |
| url | hxxp://144[.]31[.]203[.]12/ | botnet_cc | 2026-05-18 | 100% |
| url | hxxp://144[.]31[.]158[.]255/ | botnet_cc | 2026-05-18 | 100% |
```kql
// Hunt for clicks on known malicious URLs
// Source: ThreatFox - SmokeLoader
let malicious_urls = dynamic(["http://144.31.203.24/", "http://144.31.203.12/", "http://144.31.158.255/"]);
// Hosts taken from the URLs above, so a different scheme, port or path on the same C2 address still matches
let malicious_hosts = dynamic(["144.31.203.24", "144.31.203.12", "144.31.158.255"]);
UrlClickEvents
| extend UrlHost = tostring(parse_url(Url).Host)
| where Url has_any (malicious_urls) or UrlHost in (malicious_hosts)
| project Timestamp, AccountUpn, Url, UrlHost, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Populated by the Microsoft Defender XDR data connector (Safe Links click telemetry from Defender for Office 365); ensure the connector is enabled and this table is selected. It records user clicks on links in email and collaboration tools, not outbound connections made by a running implant, so also check DeviceNetworkEvents (RemoteIP, RemoteUrl) and proxy or firewall logs for the same addresses. |
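The matching step deserves care: an exact match on the full URL string misses the same C2 host reached on another port or path, while a bare substring match on the IP flags neighbouring addresses such as 144.31.203.240. The following Python is an added example written for this page, not ThreatFox or Microsoft code. It refangs the three IOCs from the table above and runs three matching strategies over a handful of constructed click records shaped like UrlClickEvents rows (the timestamps, UPNs and the extra URL variants are made up for illustration); only host-based matching finds both true hits without the false positive.

```python
import re
from urllib.parse import urlparse

# The three IOCs from the table above, exactly as ThreatFox publishes them (defanged).
THREATFOX_IOCS = [
    "hxxp://144[.]31[.]203[.]24/",
    "hxxp://144[.]31[.]203[.]12/",
    "hxxp://144[.]31[.]158[.]255/",
]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value can be parsed as a URL."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return s


def ioc_hosts(iocs):
    """Hosts (here, IPv4 addresses) carried by the IOC URLs, lowercased."""
    hosts = set()
    for ioc in iocs:
        host = urlparse(refang(ioc)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


# Constructed sample records shaped like UrlClickEvents rows; not real telemetry.
SAMPLE_CLICKS = [
    {"Timestamp": "2026-05-18T09:12:03Z", "AccountUpn": "a.user@example.com",
     "Url": "http://144.31.203.24/", "ActionType": "ClickAllowed"},
    # Same C2 host, different port and path: an exact-string match misses it.
    {"Timestamp": "2026-05-18T10:40:51Z", "AccountUpn": "b.user@example.com",
     "Url": "http://144.31.158.255:8080/index.php?id=1", "ActionType": "ClickBlocked"},
    # Neighbouring address containing one IOC IP as a substring: a substring match flags it.
    {"Timestamp": "2026-05-18T11:02:17Z", "AccountUpn": "c.user@example.com",
     "Url": "http://144.31.203.240/", "ActionType": "ClickAllowed"},
    {"Timestamp": "2026-05-18T11:30:00Z", "AccountUpn": "d.user@example.com",
     "Url": "https://example.com/", "ActionType": "ClickAllowed"},
]


def hunt_exact(records, iocs):
    """Literal match on the full refanged URL string."""
    targets = {refang(i) for i in iocs}
    return [r for r in records if r["Url"] in targets]


def hunt_substring(records, iocs):
    """Substring match on the IOC host: catches variants but over-matches neighbours."""
    hosts = ioc_hosts(iocs)
    return [r for r in records if any(h in r["Url"] for h in hosts)]


def hunt_by_host(records, iocs):
    """Parse each URL and compare the host exactly; robust to scheme, port and path."""
    hosts = ioc_hosts(iocs)
    hits = [r for r in records if (urlparse(r["Url"]).hostname or "").lower() in hosts]
    return sorted(hits, key=lambda r: r["Timestamp"], reverse=True)


if __name__ == "__main__":
    for name, fn in (("exact", hunt_exact), ("substring", hunt_substring), ("host", hunt_by_host)):
        hits = fn(SAMPLE_CLICKS, THREATFOX_IOCS)
        print(f"{name:9s} {len(hits)} hit(s): {[r['Url'] for r in hits]}")
```

The same three strategies map onto KQL: an equality or `has_any` on the whole URL is the exact form, a `contains` on the IP is the substring form, and `parse_url(Url).Host in (...)` is the host form. Use the host form for hunting and keep the literal URLs only as supporting context in the results.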
The scenarios below were written for a rule that applies the IOCs to process telemetry (for example DeviceProcessEvents command lines). The UrlClickEvents query above matches URLs only, so none of these process-based exclusions change its results; the realistic false positive for the URL query is an analyst or sandbox deliberately opening a known-bad link during an investigation, which is better handled by excluding the investigation accounts or devices than the URL. Apply the exclusions below only where the IOCs are also pivoted into process or network telemetry, and because a process name alone is trivially spoofed, pair each name-based exclusion with a check on the binary's signer and path.
Scenario: Scheduled System Maintenance Task
Description: A legitimate maintenance task, such as schtasks.exe running a cleanup job, may trigger a process-based version of the rule if the task name or command line matches a SmokeLoader IOC.
Filter/Exclusion: Exclude processes initiated by schtasks.exe whose command lines contain clean, maintenance, or cleanup, after confirming the task's author and the path of the binary it launches.
Scenario: Admin Tool Usage for Patch Management
Description: An administrator using Windows Update or WSUS might execute scripts or commands that resemble SmokeLoader IOCs.
Filter/Exclusion: Exclude processes associated with wuauclt.exe, wusa.exe, or wsusutil.exe when they run from their expected system paths, and filter by known patch management command lines.
Scenario: Log Management Tool Execution
Description: A log management tool such as Splunk or the ELK Stack might execute scripts or binaries that match the IOC patterns used in the SmokeLoader detection.
Filter/Exclusion: Exclude processes launched by splunk.exe, logstash.exe, or kibana.exe and filter by known log processing command lines.
Scenario: Backup Job Execution
Description: A backup job using tools such as Veeam, Acronis, or VSS might trigger the rule if the backup script or binary matches the IOC signature.
Filter/Exclusion: Exclude the backup vendor's binaries (for example veeam.exe or acronis.exe) and known backup command lines. Do not blanket-exclude vssadmin.exe: deleting shadow copies with vssadmin is a common ransomware precursor, so scope any exclusion to the backup service account and its scheduled windows.
Scenario: PowerShell Script for Configuration Management
Description: A PowerShell script used for configuration management (e.g., PowerShell.exe running a script from C:\Windows\System32\) might trigger the rule if the script content matches SmokeLoader IOC patterns.
Filter/