The ThreatFox: FAKEUPDATES IOCs detection rule identifies potential adversary activity linked to fake software update campaigns, which are commonly used to deploy malware. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate early-stage compromise attempts by threat actors leveraging social engineering and supply chain attacks.
IOC Summary
Malware Family: FAKEUPDATES
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | user.exathomessellmyhomeflorida.com | botnet_cc | 2026-06-15 | 100% |
| domain | prod-images.familyoffice-tech.com | botnet_cc | 2026-06-15 | 100% |
| domain | files.smartpcai.com | botnet_cc | 2026-06-15 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - FAKEUPDATES
let malicious_domains = dynamic(["user.exathomessellmyhomeflorida.com", "prod-images.familyoffice-tech.com", "files.smartpcai.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
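An offline version of the same hunt, added here as an example and not part of the ThreatFox feed or the Sentinel rule: it normalises DNS query names the way the logs emit them (trailing dot, mixed case), matches the three IOC domains above on exact host or sub-label boundaries rather than plain substrings, and regenerates the `dynamic([...])` list so the query can be rebuilt when the feed changes. The DnsEvents-style records are constructed, not real telemetry.

```python
from typing import Optional

# The three FAKEUPDATES domain IOCs listed on this page.
MALICIOUS_DOMAINS = [
    "user.exathomessellmyhomeflorida.com",
    "prod-images.familyoffice-tech.com",
    "files.smartpcai.com",
]

# Constructed DnsEvents-like rows (assumed field names from the query above).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-15T08:01:00Z", "Computer": "WS01",
     "Name": "files.smartpcai.com.", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T08:03:00Z", "Computer": "WS02",
     "Name": "cdn.PROD-IMAGES.familyoffice-tech.com", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T08:05:00Z", "Computer": "WS03",
     "Name": "notfiles.smartpcai.com", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T08:07:00Z", "Computer": "WS04",
     "Name": "update.microsoft.com", "QueryType": "A"},
]


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot that FQDN-style DNS logs append."""
    return name.strip().lower().rstrip(".")


def matches_ioc(name: str, iocs) -> Optional[str]:
    """Return the IOC that a queried name equals or is a sub-label of.

    Matching on label boundaries keeps cdn.<ioc> as a hit (like has_any)
    but rejects look-alikes such as notfiles.smartpcai.com, which a plain
    substring test would wrongly flag.
    """
    q = normalize(name)
    for ioc in iocs:
        i = normalize(ioc)
        if q == i or q.endswith("." + i):
            return i
    return None


def hunt(events, iocs=MALICIOUS_DOMAINS):
    """Return (TimeGenerated, Computer, Name, matched_ioc) hits, newest first."""
    hits = [(e["TimeGenerated"], e["Computer"], e["Name"], matches_ioc(e["Name"], iocs))
            for e in events if matches_ioc(e["Name"], iocs)]
    return sorted(hits, key=lambda h: h[0], reverse=True)


def build_kql(iocs) -> str:
    """Emit the KQL `let` line for the current IOC list, quoted for dynamic()."""
    quoted = ", ".join(f'"{normalize(i)}"' for i in iocs)
    return f"let malicious_domains = dynamic([{quoted}]);"
```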
Scenario: Legitimate System Update Job
Description: A scheduled job runs wuauclt.exe (Windows Update Agent) to check for and install system updates.
Filter/Exclusion: Exclude processes where ImageFileName is wuauclt.exe and CommandLine contains /detectnow or /background.
Scenario: Admin Performing Software Inventory Scan
Description: An administrator uses PowerShell.exe to scan the system for installed software using Get-WmiObject.
Filter/Exclusion: Exclude processes where ProcessName is powershell.exe and CommandLine contains Get-WmiObject -Class Win32_Product.
Scenario: Scheduled Antivirus Scan
Description: A scheduled antivirus scan is initiated by msseces.exe (Microsoft Security Essentials Engine).
Filter/Exclusion: Exclude processes where ImageFileName is msseces.exe and ParentProcessName is services.exe.
Scenario: Patch Management Tool Execution
Description: A patch management tool like Microsoft Deployment Toolkit (MDT) runs a script to apply updates.
Filter/Exclusion: Exclude processes where ProcessName is msdtc.exe or mstsc.exe and CommandLine contains patch or update.
Scenario: User-Initiated System Cleanup
Description: A user runs cleanmgr.exe (Disk Cleanup) to free up disk space.
Filter/Exclusion: Exclude processes where ImageFileName is cleanmgr.exe and CommandLine contains /sagerun:1 or /d (disk).