The hunt hypothesis detects potential Vidar malware activity through suspicious process executions and registry modifications indicative of credential theft and persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats before data exfiltration occurs.
IOC Summary
Malware Family: Vidar
Total IOCs: 2
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | som.hidayahnetwork.com | botnet_cc | 2026-05-06 | 100% |
| url | hxxps://som.hidayahnetwork.com/ | botnet_cc | 2026-05-06 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["som.hidayahnetwork.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// Note: the IOC table lists this URL defanged (hxxps); the query needs the real scheme.
// Matching the full URL string is brittle for path or query-string variants;
// extracting the host with parse_url(Url).Host and comparing it is more robust.
let malicious_urls = dynamic(["https://som.hidayahnetwork.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
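The queries above match the raw IOC strings, which misses case differences, trailing dots in DNS names, subdomains and URL path or query-string variants, and the IOC table itself carries the URL defanged. The following Python script is an added example (not part of the original hunt or of ThreatFox tooling) that refangs the IOCs, reduces both domain and URL indicators to a hostname, matches host and subdomain hits in constructed DnsEvents/UrlClickEvents-style records, and applies the Microsoft-domain exclusion from the false-positive notes; the allowlist suffixes and sample events are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Taken from the IOC table above; the URL is kept defanged on purpose.
IOCS = [
    {"type": "domain", "value": "som.hidayahnetwork.com"},
    {"type": "url", "value": "hxxps://som.hidayahnetwork.com/"},
]
# Assumed benign suffixes, mirroring the *.microsoft.com / *.office.com exclusion.
ALLOWLIST_SUFFIXES = ("microsoft.com", "office.com")


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    v = value.strip()
    if v.lower().startswith("hxxp"):
        v = "htt" + v[3:]
    return v.replace("[.]", ".").replace("[:]", ":")


def ioc_host(value: str) -> str:
    """Normalise a domain or URL IOC to a lowercase hostname without trailing dot."""
    v = refang(value)
    host = urlsplit(v).hostname if "://" in v else v
    return (host or "").lower().rstrip(".")


def host_matches(observed: str, ioc_hosts: set) -> bool:
    """Hit when the host equals an IOC host or is a subdomain of one,
    unless it sits under an allowlisted suffix (the documented exclusion)."""
    h = observed.lower().rstrip(".")
    if any(h == s or h.endswith("." + s) for s in ALLOWLIST_SUFFIXES):
        return False
    return any(h == i or h.endswith("." + i) for i in ioc_hosts)


def hunt(events: list, iocs: list = IOCS) -> list:
    """Return DNS-query or URL-click records whose host hits an IOC."""
    ioc_hosts = {ioc_host(i["value"]) for i in iocs}
    # DNS rows carry the queried name; URL rows are reduced to their host first.
    return [e for e in events
            if host_matches(e.get("name") or ioc_host(e.get("url", "")), ioc_hosts)]


# Constructed sample telemetry shaped like DnsEvents / UrlClickEvents rows.
SAMPLE_EVENTS = [
    {"table": "DnsEvents", "computer": "ws01", "name": "SOM.hidayahnetwork.com."},
    {"table": "DnsEvents", "computer": "ws02", "name": "login.microsoft.com"},
    {"table": "UrlClickEvents", "account": "user@example.test",
     "url": "https://som.hidayahnetwork.com/?id=1"},
    {"table": "UrlClickEvents", "account": "user@example.test",
     "url": "https://www.office.com/"},
]
```

Running `hunt(SAMPLE_EVENTS)` returns the ws01 DNS query and the hidayahnetwork click and drops both Microsoft records.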
Scenario: Legitimate Scheduled Task for System Maintenance
Description: A system administrator creates a scheduled task using schtasks.exe to run a legitimate maintenance script (e.g., cleanmgr.exe or defrag.exe) at regular intervals.
Filter/Exclusion: Exclude tasks created by known admin accounts (e.g., Administrator, SYSTEM) or tasks with a known legitimate command line that matches the scheduled task’s command.
Scenario: Regular Use of PsExec for Remote Administration
Description: An IT admin uses PsExec (from Sysinternals) to remotely execute commands on multiple servers for patching or configuration management.
Filter/Exclusion: Exclude processes initiated by trusted admin users or those that match known PsExec command patterns used in legitimate remote administration workflows.
Scenario: Microsoft Defender ATP Integration with Microsoft 365
Description: A security tool like Microsoft Defender ATP is configured to communicate with Microsoft 365 services, which may involve outbound connections to Microsoft endpoints.
Filter/Exclusion: Exclude connections to Microsoft’s public IP ranges or domains (e.g., *.microsoft.com, *.office.com) associated with legitimate security tool integrations.
Scenario: PowerShell Script for Log Collection
Description: A script written in PowerShell (e.g., Get-EventLog, Get-WinEvent) is used to collect system logs for compliance or monitoring purposes.
Filter/Exclusion: Exclude PowerShell scripts executed by known log collection tools (e.g., LogParser, Splunk, ELK) or scripts with known legitimate command-line arguments.
Scenario: Registry-Based Service Startup for a Legitimate Application
Description: A legitimate application (e.g., SQL Server, Exchange, or IIS) is configured to start via a registry