The ThreatFox: FAKEUPDATES IOCs rule detects potential adversary activity involving malicious files and domains associated with a known threat group distributing fake software updates. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging social engineering and supply chain attacks.
IOC Summary
Malware Family: FAKEUPDATES
Total IOCs: 3
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | delivery.fitswowllc.com | payload_delivery | 2026-06-01 | 75% |
| ip:port | 172[.]94[.]9[.]102:443 | payload_delivery | 2026-06-01 | 100% |
| domain | api.ioteromixes.com | payload_delivery | 2026-06-01 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - FAKEUPDATES
let malicious_ips = dynamic(["172.94.9.102"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - FAKEUPDATES
let malicious_ips = dynamic(["172.94.9.102"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - FAKEUPDATES
let malicious_domains = dynamic(["delivery.fitswowllc.com", "api.ioteromixes.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
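The three queries above share one preparation step that the page leaves implicit: the IOC table is defanged (`172[.]94[.]9[.]102:443`), the `ip:port` indicator has to be reduced to a bare IP because the queries compare `DestinationIP` / `RemoteIP`, and the domain check relies on `has_any`, which also catches subdomains of the listed names. The script below is an added example, not code from the page or from ThreatFox: it refangs the table, emits the `let` bindings the queries use, and runs the same IP and domain checks over a few constructed events. The `IOC_ROWS`, `SAMPLE_EVENTS` and all function names are assumptions made here; the subdomain rule in `matched_domain` is an approximation of KQL term matching, not a reimplementation of it.

```python
"""Added example (not from the page or ThreatFox): refang the FAKEUPDATES IOC
table, generate the KQL `let` lists used by the hunting queries, and apply the
same checks to constructed DeviceNetworkEvents / DnsEvents records."""
import re

# IOC rows copied from the summary table above; values are defanged as published.
IOC_ROWS = [
    ("domain", "delivery.fitswowllc.com"),
    ("ip:port", "172[.]94[.]9[.]102:443"),
    ("domain", "api.ioteromixes.com"),
]

# Constructed sample telemetry (not real logs) in the shape of the two
# endpoint-side tables the queries read.
SAMPLE_EVENTS = [
    {"table": "DeviceNetworkEvents", "DeviceName": "WS01", "RemoteIP": "172.94.9.102",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"table": "DeviceNetworkEvents", "DeviceName": "WS02", "RemoteIP": "10.0.0.5",
     "RemotePort": 445, "InitiatingProcessFileName": "svchost.exe"},
    {"table": "DnsEvents", "Computer": "WS03", "Name": "cdn.api.ioteromixes.com"},
    {"table": "DnsEvents", "Computer": "WS04", "Name": "update.microsoft.com"},
]


def refang(value: str) -> str:
    """Undo common defanging: 172[.]94[.]9[.]102 -> 172.94.9.102, hxxp -> http."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def split_iocs(rows):
    """Return (ips, domains) as sorted, de-duplicated lists.

    ip:port indicators are reduced to the IP because the Sentinel queries
    compare DestinationIP / RemoteIP only; the port is kept out of the list.
    """
    ips, domains = set(), set()
    for ioc_type, raw in rows:
        value = refang(raw).strip()
        if ioc_type == "ip:port":
            ips.add(value.rsplit(":", 1)[0])
        elif ioc_type == "ip":
            ips.add(value)
        elif ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
    return sorted(ips), sorted(domains)


def kql_let(name: str, values) -> str:
    """Render a KQL `let` binding holding a dynamic array of strings."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def matched_domain(query_name: str, domains):
    """Approximate `Name has_any (malicious_domains)`: the queried name is a hit
    when it equals an IOC domain or is a subdomain of one. Returns the IOC that
    matched, or None."""
    name = query_name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def hunt(events, ips, domains):
    """Apply the IP and domain checks from the queries to event dicts and return
    (table, host, matched_indicator) tuples for every hit."""
    hits = []
    for ev in events:
        if ev["table"] == "DeviceNetworkEvents" and ev["RemoteIP"] in ips:
            hits.append((ev["table"], ev["DeviceName"], ev["RemoteIP"]))
        elif ev["table"] == "DnsEvents":
            hit = matched_domain(ev["Name"], domains)
            if hit:
                hits.append((ev["table"], ev["Computer"], hit))
    return hits


if __name__ == "__main__":
    ips, domains = split_iocs(IOC_ROWS)
    print(kql_let("malicious_ips", ips))
    print(kql_let("malicious_domains", domains))
    for hit in hunt(SAMPLE_EVENTS, ips, domains):
        print("HIT", hit)
```

The generated `let` lines can be pasted straight into the queries above when a new ThreatFox export is pulled; keeping the refanging in one place avoids the classic mistake of searching Sentinel for the literal `[.]` form, which never matches.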
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update Process
Description: A system administrator is manually installing a legitimate software update using a tool like WSUS or Microsoft Update.
Filter/Exclusion: Exclude processes related to wsus or microsoftupdate and filter by user SYSTEM or Administrator during known update windows.

Scenario: Scheduled Maintenance Job
Description: A scheduled job runs via Task Scheduler to perform routine maintenance, such as log rotation or disk cleanup, using tools like logrotate or cleanmgr.
Filter/Exclusion: Exclude tasks with Task Scheduler or schtasks.exe and filter by known maintenance scripts or paths like C:\Windows\System32\.

Scenario: Antivirus Signature Update
Description: The enterprise antivirus solution (e.g., Microsoft Defender, Kaspersky, Bitdefender) is performing a signature update from its vendor's server.
Filter/Exclusion: Exclude processes related to antivirus tools and filter by known update URLs or domains associated with the specific antivirus vendor.

Scenario: Software Deployment via SCCM
Description: A System Center Configuration Manager (SCCM) deployment is pushing out software updates or patches to endpoints.
Filter/Exclusion: Exclude processes related to CCMExec or SCCM and filter by known deployment paths or user accounts used for patch management.

Scenario: PowerShell Script for Patch Management
Description: A PowerShell script is run by an admin to apply patches or updates using tools like PSUpdate or PowerShell directly.
Filter/Exclusion: Exclude PowerShell scripts with known admin signatures or filter by execution context (e.g., RunAs, Administrator), and exclude paths like `C:\Windows\System32\WindowsPowerShell\v