The ThreatFox: ClearFake IOCs rule surfaces DNS lookups for domains that ThreatFox attributes to the ClearFake malware family. ClearFake is a fake browser-update campaign that injects JavaScript into compromised websites, and every indicator in this set is tagged payload_delivery, so a query for one of these names usually means a host loaded an injected page and tried to fetch the next stage. SOC teams should hunt for this behavior in Microsoft Sentinel and triage the requesting client before the delivered payload executes.
IOC Summary
Malware Family: ClearFake
Total IOCs: 95
IOC Types: domain

The table below lists 25 of the 95 domains; the hunting query further down carries 50 of them. All entries are ThreatFox payload_delivery indicators first seen 2026-05-05 with 100% confidence, and they share a small set of registrable domains (brix9mira.lat, grov6lira.lat, telo5reth.lat, pavi1xen.lat, nira6qen.lat, sali8mor.lat, ...) with rotating six-letter subdomains, which is worth keeping in mind when a lookup for an unlisted sibling name shows up.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | refid.brix9mira.lat | payload_delivery | 2026-05-05 | 100% |
| domain | lanhop.grov6lira.lat | payload_delivery | 2026-05-05 | 100% |
| domain | autbox.brix9mira.lat | payload_delivery | 2026-05-05 | 100% |
| domain | subcli.grov6lira.lat | payload_delivery | 2026-05-05 | 100% |
| domain | domreg.telo5reth.lat | payload_delivery | 2026-05-05 | 100% |
| domain | bitkit.grov6lira.lat | payload_delivery | 2026-05-05 | 100% |
| domain | envset.grov6lira.lat | payload_delivery | 2026-05-05 | 100% |
| domain | pwrlog.telo5reth.lat | payload_delivery | 2026-05-05 | 100% |
| domain | extnet.telo5reth.lat | payload_delivery | 2026-05-05 | 100% |
| domain | doclab.grov6lira.lat | payload_delivery | 2026-05-05 | 100% |
| domain | syncit.pavi1xen.lat | payload_delivery | 2026-05-05 | 100% |
| domain | pkgrun.telo5reth.lat | payload_delivery | 2026-05-05 | 100% |
| domain | modbus.telo5reth.lat | payload_delivery | 2026-05-05 | 100% |
| domain | ioflow.pavi1xen.lat | payload_delivery | 2026-05-05 | 100% |
| domain | srcget.telo5reth.lat | payload_delivery | 2026-05-05 | 100% |
| domain | taskid.pavi1xen.lat | payload_delivery | 2026-05-05 | 100% |
| domain | uidmap.nira6qen.lat | payload_delivery | 2026-05-05 | 100% |
| domain | comweb.pavi1xen.lat | payload_delivery | 2026-05-05 | 100% |
| domain | ftpsrv.nira6qen.lat | payload_delivery | 2026-05-05 | 100% |
| domain | refid.pavi1xen.lat | payload_delivery | 2026-05-05 | 100% |
| domain | autbox.pavi1xen.lat | payload_delivery | 2026-05-05 | 100% |
| domain | libsys.nira6qen.lat | payload_delivery | 2026-05-05 | 100% |
| domain | jobadm.nira6qen.lat | payload_delivery | 2026-05-05 | 100% |
| domain | domreg.sali8mor.lat | payload_delivery | 2026-05-05 | 100% |
| domain | rawdat.nira6qen.lat | payload_delivery | 2026-05-05 | 100% |
// Hunt for DNS queries to known ClearFake payload-delivery domains
// Source: ThreatFox - ClearFake (50 of the 95 domains in the feed)
// In DnsEvents, Computer is the DNS server that logged the query and ClientIP is the
// host that asked; ClientIP is the one to investigate.
// has_any matches each IOC as a whole term on label boundaries, so a lookup for
// www.refid.brix9mira.lat also matches; switch to `Name in~ (malicious_domains)` for exact hits only.
let malicious_domains = dynamic(["refid.brix9mira.lat", "lanhop.grov6lira.lat", "autbox.brix9mira.lat", "subcli.grov6lira.lat", "domreg.telo5reth.lat", "bitkit.grov6lira.lat", "envset.grov6lira.lat", "pwrlog.telo5reth.lat", "extnet.telo5reth.lat", "doclab.grov6lira.lat", "syncit.pavi1xen.lat", "pkgrun.telo5reth.lat", "modbus.telo5reth.lat", "ioflow.pavi1xen.lat", "srcget.telo5reth.lat", "taskid.pavi1xen.lat", "uidmap.nira6qen.lat", "comweb.pavi1xen.lat", "ftpsrv.nira6qen.lat", "refid.pavi1xen.lat", "autbox.pavi1xen.lat", "libsys.nira6qen.lat", "jobadm.nira6qen.lat", "domreg.sali8mor.lat", "rawdat.nira6qen.lat", "pwrlog.sali8mor.lat", "zipark.nira6qen.lat", "extnet.sali8mor.lat", "osbase.pano2vor.lat", "pkgrun.sali8mor.lat", "metalt.pano2vor.lat", "modbus.sali8mor.lat", "apidoc.pano2vor.lat", "srcget.sali8mor.lat", "uidmap.thora5ven.lat", "dbinst.pano2vor.lat", "ftpsrv.thora5ven.lat", "skyvpn.pano2vor.lat", "libsys.thora5ven.lat", "cmdset.pano2vor.lat", "jobadm.thora5ven.lat", "rawdat.thora5ven.lat", "tmpdir.sora8lin.lat", "sshbin.sora8lin.lat", "zipark.thora5ven.lat", "sslkey.sora8lin.lat", "osbase.nelo2qir.lat", "metalt.nelo2qir.lat", "getcfg.sora8lin.lat", "ipnode.sora8lin.lat"]);
DnsEvents
// DnsEvents also records DynamicRegistration events; only lookups matter here
| where SubType == "LookupQuery"
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, QueryType, IPAddresses
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the Windows DNS connector (legacy DNS Analytics or DNS via AMA); ensure it is enabled. If your DNS telemetry is only ASIM-normalized, run the same domain list against the `DnsQuery` field via `_Im_Dns` or `ASimDnsActivityLogs`. |
The rule matches DNS query names against the domain list, so file paths, hashes and process names cannot trigger it. Realistic false positives are lookups of a listed domain that occur without a user actually being exposed to the payload-delivery page:

Scenario: Analyst and Threat-Intel Tooling Lookups
Description: SOC analysts, sandboxes and threat-intel platforms resolve IOC domains while investigating alerts or enriching this very feed, and those lookups land in DnsEvents like any other.
Filter/Exclusion: Exclude known analyst workstations, sandbox hosts and TI servers by ClientIP; keep the allowlist short and reviewed rather than excluding whole subnets.

Scenario: DNS Firewall or RPZ Sinkhole
Description: Where a DNS security layer already blocks these names, the query is still logged but the answer is a sinkhole address, so the payload was never fetched.
Filter/Exclusion: Check IPAddresses for your sinkhole address and lower the severity, but still triage the client: the lookup itself shows it attempted to reach a ClearFake payload-delivery domain, typically from an injected page.

Scenario: Email and Web Security Gateways
Description: Secure email gateways and URL-rewriting proxies resolve and detonate links in inbound mail without any user clicking.
Filter/Exclusion: Exclude the gateway's ClientIP(s); treat these hits as evidence that the domain is being delivered to your users and pivot to the message recipients.

Scenario: Browser Prefetch and Link Previews
Description: Browser DNS prefetching and chat or mail clients rendering link previews can resolve a domain the user never visited.
Filter/Exclusion: Correlate with web proxy or EDR network events; a lookup with no subsequent connection to the answered address is lower severity, not an exclusion.

Scenario: Expired or Re-registered Domains
Description: ThreatFox entries are dated (first seen 2026-05-05); disposable campaign domains expire and may later be parked or re-registered for unrelated use.
Filter/Exclusion: Before escalating matches that post-date the feed by months, check current resolution and registration for the domain; do not drop the indicator wholesale.
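Added example, not code from this page, from ThreatFox or from the Sentinel rule: the same domain matching the KQL query performs, run offline in Python over constructed DnsEvents-shaped rows, with the analyst-client exclusion and the sinkhole check from the false-positive list folded in. The IOC subset is taken from the table above; the allowlisted client IP, the sinkhole addresses, the answer-field separator and the two-label apex rule are assumptions.

```python
"""Offline re-run of the ClearFake DNS hunt against exported DnsEvents rows.

Added example, not part of the ThreatFox feed or the Sentinel rule. It mirrors
what the KQL does (match query names against the IOC list) and adds the checks
from the false-positive scenarios: skip known analyst/sandbox clients and flag
lookups that a DNS sinkhole already blocked.
"""
import re
from collections import Counter

# Subset of the ClearFake payload_delivery domains from the IOC table on this page.
CLEARFAKE_DOMAINS = frozenset({
    "refid.brix9mira.lat", "lanhop.grov6lira.lat", "autbox.brix9mira.lat",
    "domreg.telo5reth.lat", "syncit.pavi1xen.lat", "uidmap.nira6qen.lat",
    "domreg.sali8mor.lat", "osbase.pano2vor.lat", "uidmap.thora5ven.lat",
    "tmpdir.sora8lin.lat", "osbase.nelo2qir.lat",
})

# Assumption: clients expected to resolve IOCs on purpose (analyst VMs, TI platform, sandbox).
ANALYST_CLIENTS = frozenset({"10.50.0.25"})

# Assumption: answer addresses your DNS firewall / RPZ returns for blocked names.
SINKHOLE_IPS = frozenset({"0.0.0.0", "127.0.0.2"})


def normalize(name):
    """Lower-case and drop the trailing root dot so 'REFID.brix9mira.lat.' compares equal."""
    return name.strip().lower().rstrip(".")


def apex(name):
    """Registrable domain. The IOCs here are all <label>.<apex>.lat, so the last two
    labels suffice; a real deployment should use a public-suffix list (assumption)."""
    return ".".join(normalize(name).split(".")[-2:])


# The feed rotates subdomains under a handful of apexes (brix9mira.lat, telo5reth.lat, ...),
# so a lookup for an unlisted sibling name is worth a lower-confidence flag.
CLEARFAKE_APEX = frozenset(apex(d) for d in CLEARFAKE_DOMAINS)


def classify(name):
    """'ioc' for an exact or subdomain match on label boundaries (what KQL has_any does),
    'apex' for an unlisted name under a known campaign apex, None otherwise."""
    n = normalize(name)
    for ioc in CLEARFAKE_DOMAINS:
        if n == ioc or n.endswith("." + ioc):
            return "ioc"
    if apex(n) in CLEARFAKE_APEX:
        return "apex"
    return None


def hunt(rows):
    """rows: dicts shaped like DnsEvents (Name, ClientIP, IPAddresses, SubType, ...).
    Returns one finding per matching lookup, in the order the rows were given."""
    findings = []
    for r in rows:
        # DnsEvents also carries DynamicRegistration records; only lookups matter here.
        if r.get("SubType", "LookupQuery") != "LookupQuery":
            continue
        kind = classify(r["Name"])
        if kind is None or r["ClientIP"] in ANALYST_CLIENTS:
            continue
        # Assumption: the exported IPAddresses field is a ';' or ',' separated list of answers.
        answers = [a for a in re.split(r"[;,]\s*", r.get("IPAddresses", "")) if a]
        sinkholed = bool(answers) and all(a in SINKHOLE_IPS for a in answers)
        findings.append({
            "time": r["TimeGenerated"], "client": r["ClientIP"], "name": normalize(r["Name"]),
            "match": kind, "sinkholed": sinkholed,
            # Computer is the DNS server that logged the query, not the requesting host.
            "dns_server": r["Computer"],
        })
    return findings


def by_client(findings):
    """Number of matching lookups per requesting client: the triage queue."""
    return dict(Counter(f["client"] for f in findings))


# Constructed sample rows in DnsEvents shape; not real telemetry.
SAMPLE_ROWS = [
    {"TimeGenerated": "2026-05-05T09:12:01Z", "Computer": "dc01.corp.example", "SubType": "LookupQuery",
     "ClientIP": "10.20.4.17", "Name": "refid.brix9mira.lat", "QueryType": "A", "IPAddresses": "203.0.113.10"},
    {"TimeGenerated": "2026-05-05T09:12:03Z", "Computer": "dc01.corp.example", "SubType": "LookupQuery",
     "ClientIP": "10.20.4.17", "Name": "WWW.refid.brix9mira.lat.", "QueryType": "A", "IPAddresses": "0.0.0.0"},
    {"TimeGenerated": "2026-05-05T09:40:00Z", "Computer": "dc01.corp.example", "SubType": "LookupQuery",
     "ClientIP": "10.50.0.25", "Name": "domreg.telo5reth.lat", "QueryType": "A", "IPAddresses": "203.0.113.11"},
    {"TimeGenerated": "2026-05-05T10:02:45Z", "Computer": "dc02.corp.example", "SubType": "LookupQuery",
     "ClientIP": "10.20.7.3", "Name": "cdn9.telo5reth.lat", "QueryType": "A", "IPAddresses": "203.0.113.12"},
    {"TimeGenerated": "2026-05-05T10:02:46Z", "Computer": "dc02.corp.example", "SubType": "LookupQuery",
     "ClientIP": "10.20.7.3", "Name": "www.microsoft.com", "QueryType": "A", "IPAddresses": "198.51.100.7"},
    {"TimeGenerated": "2026-05-05T10:05:00Z", "Computer": "dc02.corp.example", "SubType": "DynamicRegistration",
     "ClientIP": "10.20.7.3", "Name": "ws042.corp.example", "QueryType": "A", "IPAddresses": "10.20.7.3"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_ROWS):
        print(f"{f['time']} {f['client']:<12} {f['match']:<4} sinkholed={f['sinkholed']!s:<5} {f['name']}")
    print(by_client(hunt(SAMPLE_ROWS)))
```

Against the sample rows this yields three findings: two from 10.20.4.17 (one live answer, one sinkholed lookup for a www. subdomain of a listed IOC) and one lower-confidence apex hit from 10.20.7.3 for an unlisted telo5reth.lat subdomain; the analyst host and the DynamicRegistration record are dropped. The `endswith("." + ioc)` check is the explicit form of what `has_any` does on term boundaries in KQL, and the apex pivot is a hunting lead rather than a detection, since the campaign's apex domains are also the ones most likely to be re-registered later.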