The ThreatFox: Antidot IOCs rule detects potential adversary activity linked to the Antidot malware family. The four indicators below are published by ThreatFox as botnet command-and-control (C2) URLs, so a match means a user or device in your tenant reached out to Antidot C2 infrastructure, not merely that a lookalike string appeared in a log. SOC teams should hunt for these indicators proactively in Microsoft Sentinel (formerly Azure Sentinel) so that a callback to known-bad infrastructure is triaged before it turns into a wider incident.
IOC Summary
Malware Family: Antidot
Total IOCs: 4
IOC Types: url
The values below are defanged (hxxps://); refang them to https:// before using them in a query, and note that each indicator is a host and a non-standard port, so hunting on the hostname alone will also catch requests to other paths on the same C2.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://imperialguard.icu:1672 | botnet_cc | 2026-05-25 | 100% |
| url | hxxps://catfoodeuro.shop:12655 | botnet_cc | 2026-05-25 | 100% |
| url | hxxps://fastconsulting.info:19586 | botnet_cc | 2026-05-25 | 100% |
| url | hxxps://fastdeliveryaservice.world:2468 | botnet_cc | 2026-05-25 | 100% |
// Hunt for access to known malicious URLs
// Source: ThreatFox - Antidot (botnet C2 URLs, refanged from the table above)
// Match on the URL host rather than the full URL string so that any path or
// query on the C2 host is caught, not only the bare host:port published by ThreatFox.
let malicious_hosts = dynamic(["imperialguard.icu", "catfoodeuro.shop", "fastconsulting.info", "fastdeliveryaservice.world"]);
UrlClickEvents
| extend UrlHost = tostring(parse_url(Url).Host)
| where UrlHost in~ (malicious_hosts)
| project Timestamp, AccountUpn, IPAddress, Url, UrlHost, ActionType, IsClickedThrough, Workload
| order by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Populated through the Microsoft Defender XDR data connector; ensure it is enabled. It only records Safe Links clicks on URLs delivered via email, Teams and Office apps, so a device that contacts the C2 directly (no click) will not appear here. Extend the hunt to tables that carry egress URLs or hostnames from endpoints, proxies or DNS (for example DeviceNetworkEvents RemoteUrl, or your firewall and proxy logs) for broader coverage. |
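The query above matches on host rather than full URL. The following Python example, added here and not part of the ThreatFox feed or the Sentinel content, shows the same two steps outside KQL: refanging the defanged ThreatFox values, and matching URL-click records by host so that a callback with an extra path still hits while a lookalike subdomain does not. The sample events are constructed for illustration and only mimic the UrlClickEvents columns used in the query; the hostnames come from the IOC table.

```python
"""Refang ThreatFox URL IOCs and hunt them by host in URL-click records.

Added example, not code from ThreatFox or from the Sentinel rule. SAMPLE_EVENTS
below is constructed for illustration; the IOC values are those in the table.
"""
import re
from urllib.parse import urlsplit

# Defanged IOC values copied from the ThreatFox table above.
THREATFOX_IOCS = [
    "hxxps://imperialguard.icu:1672",
    "hxxps://catfoodeuro.shop:12655",
    "hxxps://fastconsulting.info:19586",
    "hxxps://fastdeliveryaservice.world:2468",
]

_DEFANGED_SCHEME = re.compile(r"^hxxp(s?)://", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Reverse common defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    url = _DEFANGED_SCHEME.sub(r"http\1://", ioc.strip())
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def ioc_hosts(iocs) -> set[str]:
    """Lower-cased hostnames (port dropped) from refanged URL IOCs."""
    hosts = set()
    for ioc in iocs:
        host = urlsplit(refang(ioc)).hostname  # urlsplit lower-cases the host
        if host:
            hosts.add(host)
    return hosts


def exact_match(url: str, iocs) -> bool:
    """True only when the full URL equals one of the refanged IOC strings."""
    return url in {refang(i) for i in iocs}


def host_match(url: str, hosts: set[str]) -> bool:
    """True when the URL's host equals an IOC host (no substring matching,
    so lookalikes such as fastconsulting.info.example.com do not match)."""
    host = urlsplit(url).hostname
    return host is not None and host in hosts


def hunt(events, iocs):
    """Return the events whose URL host is an IOC host, annotated with whether
    the bare ThreatFox string would also have matched exactly."""
    hosts = ioc_hosts(iocs)
    hits = []
    for ev in events:
        if host_match(ev["Url"], hosts):
            hits.append({
                **ev,
                "MatchedHost": urlsplit(ev["Url"]).hostname,
                "ExactMatch": exact_match(ev["Url"], iocs),
            })
    return hits


# Constructed sample records shaped like the UrlClickEvents columns used above.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-26T08:14:03Z", "AccountUpn": "alice@example.com",
     "Url": "https://imperialguard.icu:1672", "ActionType": "ClickAllowed",
     "IsClickedThrough": False},                       # exact IOC string
    {"Timestamp": "2026-05-26T09:02:41Z", "AccountUpn": "bob@example.com",
     "Url": "https://CatFoodEuro.shop:12655/gate.php?id=42",
     "ActionType": "ClickAllowed", "IsClickedThrough": True},  # host match only
    {"Timestamp": "2026-05-26T09:30:00Z", "AccountUpn": "carol@example.com",
     "Url": "https://fastconsulting.info.example.com/login",
     "ActionType": "ClickAllowed", "IsClickedThrough": False},  # lookalike, no hit
    {"Timestamp": "2026-05-26T10:11:27Z", "AccountUpn": "dave@example.com",
     "Url": "https://www.example.com/contact", "ActionType": "ClickAllowed",
     "IsClickedThrough": False},                       # benign
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, THREATFOX_IOCS):
        print(hit["Timestamp"], hit["AccountUpn"], hit["Url"],
              "exact" if hit["ExactMatch"] else "host-only")
```

The second sample record is the case the host-based query is for: an exact comparison against the ThreatFox string would miss the C2 request because of the path and query, while the host comparison still flags it. The third record shows the other direction, a lookalike domain that shares the IOC text as a prefix but is a different host.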
Scenario: Security analyst or threat-intelligence tooling deliberately opens a listed C2 URL from an isolated analysis host to confirm the indicator.
Filter/Exclusion: Exclude only the specific AccountUpn values (or source IPAddress ranges) assigned to the isolated analysis environment, and only after confirming the click originated there; do not exclude the URL itself.
Scenario: Safe Links blocks the click and the user never reaches the C2 host (for example ActionType is a blocked action and IsClickedThrough is false).
Filter/Exclusion: Treat as a lower-severity alert rather than excluding it: a blocked click still shows the lure reached a mailbox and is worth tracing back to the delivering message via NetworkMessageId.
Scenario: The C2 domain has since been sinkholed, taken down or re-registered by an unrelated party, so later traffic to the host is no longer Antidot activity.
Filter/Exclusion: Compare the event time with the indicator's First Seen date and the domain's current resolution before excluding; if the host has verifiably changed hands, retire the indicator rather than adding a permanent exclusion.