The ThreatFox: FAKEUPDATES IOCs detection rule identifies adversary infrastructure linked to the FAKEUPDATES malware family, which delivers malware through fake software-update lures and then calls back to its command-and-control domains. SOC teams should proactively hunt for these IOCs in Azure Sentinel to catch early-stage compromises that use deceptive update mechanisms to slip past conventional defenses.
IOC Summary
Malware Family: FAKEUPDATES
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | dummy-tf-test-dummy-2t4navcd.example | payload_delivery | 2026-04-24 | 50% |
| domain | cpanel.eastcoast-wealth.com | botnet_cc | 2026-04-24 | 100% |
Note: `.example` is a TLD reserved by RFC 2606 and the first entry is named like a feed test record, so it will never resolve on a real network; do not expect hits on it, and consider dropping it from the list. The 100% confidence botnet_cc entry is the actionable indicator.
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - FAKEUPDATES
let malicious_domains = dynamic(["dummy-tf-test-dummy-2t4navcd.example", "cpanel.eastcoast-wealth.com"]);
DnsEvents
// has_any matches whole terms, so it also catches subdomains of an IOC
// (api.cpanel.eastcoast-wealth.com) without flagging unrelated hosts that merely
// contain the string (notcpanel.eastcoast-wealth.com)
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the Sentinel DNS data connector; ensure it is enabled on the DNS servers whose query logs you want to hunt. If DNS telemetry comes from another source, adjust the table and column names accordingly (for example the ASIM `_Im_Dns` parser, or DeviceNetworkEvents from Microsoft Defender for Endpoint, which also records the initiating process). |
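The following Python is an added example, not code from the page or from ThreatFox: it normalises ThreatFox-style IOC records into the `let malicious_domains` line the hunt query above uses, drops the reserved-TLD test entry and anything under a confidence threshold, and then matches DNS query names on label boundaries (an IOC domain or any subdomain of it). That is close to what the KQL `has_any` term match gives and what a substring `contains` does not; `has_any` additionally matches an IOC that appears inside a longer name. The feed JSON and the DnsEvents rows are constructed sample data; the JSON field names follow ThreatFox's documented API response, which you should verify against the live API before relying on them.

```python
"""Added example, not part of the ThreatFox page or its Sentinel query: build the
KQL domain list from ThreatFox-style records and match DNS query names against it
on label boundaries."""
import json

# Constructed sample shaped like a ThreatFox API "malwareinfo" response; the two
# domains are the ones in the page's IOC table, everything else is made up.
THREATFOX_JSON = """{
  "query_status": "ok",
  "data": [
    {"ioc": "dummy-tf-test-dummy-2t4navcd.example", "ioc_type": "domain",
     "threat_type": "payload_delivery", "confidence_level": 50,
     "first_seen": "2026-04-24 00:00:00 UTC", "malware_printable": "FAKEUPDATES"},
    {"ioc": "cpanel.eastcoast-wealth.com", "ioc_type": "domain",
     "threat_type": "botnet_cc", "confidence_level": 100,
     "first_seen": "2026-04-24 00:00:00 UTC", "malware_printable": "FAKEUPDATES"}
  ]
}"""

# RFC 2606 reserved names: a query for these cannot reach a real attacker host.
RESERVED_TLDS = {"example", "test", "invalid", "localhost"}


def load_domain_iocs(feed_json, min_confidence=75):
    """Split the feed's domain IOCs into those worth hunting (domain -> threat_type)
    and those dropped (domain -> reason)."""
    kept, dropped = {}, {}
    for rec in json.loads(feed_json)["data"]:
        if rec["ioc_type"] != "domain":
            continue
        domain = rec["ioc"].strip().lower().rstrip(".")
        if domain.rsplit(".", 1)[-1] in RESERVED_TLDS:
            dropped[domain] = "reserved TLD, feed test entry"
        elif int(rec["confidence_level"]) < min_confidence:
            dropped[domain] = f"confidence {rec['confidence_level']} below {min_confidence}"
        else:
            kept[domain] = rec["threat_type"]
    return kept, dropped


def kql_domain_list(domains):
    """Render the `let malicious_domains = ...` line used by the hunt query."""
    quoted = ", ".join(f'"{d}"' for d in sorted(domains))
    return f"let malicious_domains = dynamic([{quoted}]);"


def matches_ioc(query_name, domains):
    """True when query_name is an IOC domain or a subdomain of one. Matching on
    label boundaries distinguishes cpanel.eastcoast-wealth.com from the unrelated
    host notcpanel.eastcoast-wealth.com, which a substring match would flag."""
    name = query_name.strip().lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


# Constructed DnsEvents-like rows with the columns the hunt query projects.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-04-25T09:14:02Z", "Computer": "WS-0142",
     "Name": "cpanel.eastcoast-wealth.com", "IPAddresses": "203.0.113.25", "QueryType": "A"},
    {"TimeGenerated": "2026-04-25T09:14:03Z", "Computer": "WS-0142",
     "Name": "api.cpanel.eastcoast-wealth.com", "IPAddresses": "203.0.113.25", "QueryType": "A"},
    {"TimeGenerated": "2026-04-25T09:15:11Z", "Computer": "WS-0077",
     "Name": "notcpanel.eastcoast-wealth.com", "IPAddresses": "198.51.100.7", "QueryType": "A"},
    {"TimeGenerated": "2026-04-25T09:16:40Z", "Computer": "WS-0077",
     "Name": "download.windowsupdate.com", "IPAddresses": "192.0.2.10", "QueryType": "A"},
]


def hunt(events, domains):
    """Apply the same filter as the KQL `where Name has_any (...)` to in-memory
    rows and return the hits newest first, as the query's `order by` does."""
    hits = [e for e in events if matches_ioc(e["Name"], domains)]
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    kept, dropped = load_domain_iocs(THREATFOX_JSON)
    print(kql_domain_list(kept))
    for domain, reason in dropped.items():
        print(f"dropped {domain}: {reason}")
    for hit in hunt(SAMPLE_DNS_EVENTS, kept):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"])
```

Running it prints a `let` line containing only cpanel.eastcoast-wealth.com, reports the `.example` entry as dropped, and returns the two lookups from WS-0142 (the IOC itself and its `api.` subdomain) while leaving the `notcpanel` host and the Windows Update lookup alone.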
False Positive Scenarios
Two caveats apply to every scenario below. First, the hunt query runs over DNS telemetry, which carries no process context; field names such as process.name are Elastic Common Schema (ECS) names, not DnsEvents columns. To apply a process-based exclusion in Sentinel you need a table that records the initiating process, for example DeviceNetworkEvents from Microsoft Defender for Endpoint (InitiatingProcessFileName, InitiatingProcessParentFileName). Second, a legitimate updater has no reason to resolve a domain ThreatFox lists as botnet_cc, so a hit on such a domain is not a false positive whatever process produced it and should never be suppressed by process name; the exclusions below are for low-confidence payload_delivery indicators and secondary noise, and each should be scoped to the specific host, process and destination it was written for.
Scenario: Legitimate System Update Process
Description: A system administrator is deploying a legitimate software update using WSUS (Windows Server Update Services) or Chocolatey.
Filter/Exclusion: Exclude the Windows Update client processes and choco.exe using the process.name field. "wsus" is not a process name: the Windows Update Agent runs inside svchost.exe (the wuauserv service), and the client-side executables are wuauclt.exe, usoclient.exe and MoUsoCoreWorker.exe.
Example Filter: process.name != "wuauclt.exe" AND process.name != "usoclient.exe" AND process.name != "MoUsoCoreWorker.exe" AND process.name != "choco.exe"
Scenario: Scheduled Maintenance Job
Description: A task created in Task Scheduler runs routine maintenance, such as log rotation or disk cleanup.
Filter/Exclusion: Key the exclusion on the parent process together with the task's command line. schtasks.exe is only the command-line management tool and is never the parent of a running task; the Task Scheduler service launches task actions from svchost.exe (the Schedule service; taskeng.exe on Windows 7 and Server 2008 R2). Excluding every child of svchost.exe would suppress far too much, so pair the parent with the known command line of the approved task.
Example Filter: NOT (process.parent.name == "svchost.exe" AND process.command_line : "*\\Scripts\\cleanup-logs.ps1*") (the script path is a placeholder for your own maintenance task)
Scenario: Internal Software Distribution
Description: An internal tool such as PDQ Deploy or Microsoft Intune is used to push updates or patches to endpoints.
Filter/Exclusion: Exclude the deployment agents' own processes using the process.name field. "intunewin" is the Win32 app package format (.intunewin), not a process; the agent that installs those packages on the endpoint is the Intune Management Extension (Microsoft.Management.Services.IntuneWindowsAgent.exe). PDQ Deploy runs on target machines through a temporary runner named PDQDeployRunner-<n>.exe.
Example Filter: NOT process.name : "PDQDeployRunner-*.exe" AND process.name != "Microsoft.Management.Services.IntuneWindowsAgent.exe"
Scenario: User-Initiated Software Installation
Description: A user manually installs a legitimate software package through Windows Installer (msiexec.exe) or a setup executable built with NSIS (Nullsoft Scriptable Install System).
Filter/Exclusion: msiexec.exe can be matched on the process.name field, but NSIS-built installers have no fixed process name (every vendor's setup executable is a different binary), so "nsis" matches nothing; identify approved installers by Authenticode signer or file hash instead. Excluding msiexec.exe wholesale is risky because it can also fetch and run a package from a URL, so scope that exclusion to the approved signer or hash rather than the process name alone.
Example Filter: NOT (process.name == "msiexec.exe" AND process.code_signature.subject_name == "<approved vendor>") (the signer is a placeholder for your organisation's approved publisher)
Scenario: Security Tool or SIEM Integration
Description: A security tool like Splunk or ELK Stack is performing data ingestion or log parsing
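As an added example that is not part of the page, the Python below applies the false-positive scenarios above the way the caveats demand: an exclusion removes a hit only when its process, parent and the indicator's confidence all match, and a lookup of a botnet_cc domain is never suppressed. It contrasts that with the plain `process.name != "x"` pattern, which also hides a C2 hit made by an excluded process. The `Hit` records mimic the process context DeviceNetworkEvents provides (DnsEvents has none); the hosts, processes and parents are constructed, the domains are the page's two IOCs, and `NEVER_EXCLUDE` is a policy choice of this example.

```python
"""Added example, not from the page: scoped false-positive exclusions for IOC hits
that never hide a lookup of a command-and-control (botnet_cc) domain."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Hit:
    host: str
    process: str           # InitiatingProcessFileName in DeviceNetworkEvents
    parent: str            # InitiatingProcessParentFileName
    domain: str            # the matched IOC
    threat_type: str       # ThreatFox threat_type of the IOC
    confidence: int        # ThreatFox confidence_level of the IOC


@dataclass(frozen=True)
class Exclusion:
    process: str
    parent: Optional[str]  # None means any parent
    max_confidence: int    # only IOCs at or below this confidence may be excluded
    reason: str


# Hits on C2 infrastructure are never a false positive, whatever the process.
NEVER_EXCLUDE = {"botnet_cc"}

# Constructed hits: the domains are the page's two IOCs, all else is made up.
SAMPLE_HITS = [
    Hit("WS-0142", "msiexec.exe", "explorer.exe",
        "cpanel.eastcoast-wealth.com", "botnet_cc", 100),
    Hit("WS-0077", "choco.exe", "powershell.exe",
        "dummy-tf-test-dummy-2t4navcd.example", "payload_delivery", 50),
    Hit("WS-0203", "powershell.exe", "svchost.exe",
        "cpanel.eastcoast-wealth.com", "botnet_cc", 100),
]

# Exclusions scoped to a process, a parent where known, and the IOC confidence
# they are meant to cover.
EXCLUSIONS = [
    Exclusion("choco.exe", "powershell.exe", 50, "Chocolatey run from approved deployment script"),
    Exclusion("msiexec.exe", None, 50, "Windows Installer for approved packages"),
]


def naive_filter(hits, excluded_processes):
    """The `process.name != "x"` pattern: drops every hit from a listed process,
    including the msiexec.exe lookup of a botnet_cc domain."""
    excluded = {p.lower() for p in excluded_processes}
    return [h for h in hits if h.process.lower() not in excluded]


def scoped_filter(hits, exclusions):
    """Drop a hit only when an exclusion matches its process, parent and the IOC
    confidence, and never drop a hit on a NEVER_EXCLUDE threat type."""
    kept = []
    for h in hits:
        if h.threat_type in NEVER_EXCLUDE:
            kept.append(h)
            continue
        suppressed = any(
            ex.process.lower() == h.process.lower()
            and (ex.parent is None or ex.parent.lower() == h.parent.lower())
            and h.confidence <= ex.max_confidence
            for ex in exclusions
        )
        if not suppressed:
            kept.append(h)
    return kept


if __name__ == "__main__":
    naive = naive_filter(SAMPLE_HITS, ["msiexec.exe", "choco.exe"])
    scoped = scoped_filter(SAMPLE_HITS, EXCLUSIONS)
    print("naive :", [(h.host, h.process, h.domain) for h in naive])
    print("scoped:", [(h.host, h.process, h.domain) for h in scoped])
```

The naive filter leaves only the WS-0203 hit and silently discards the msiexec.exe beacon to the C2 domain on WS-0142; the scoped filter keeps both botnet_cc hits and removes only the low-confidence Chocolatey lookup of the test domain, which is the one the exclusion was written for.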