The ThreatFox: AMOS IOCs rule flags activity tied to AMOS (Atomic macOS Stealer), a macOS infostealer, by matching known indicators of compromise against DNS and file telemetry: two payload-delivery domains and three payload SHA-256 hashes. SOC teams should hunt for these indicators in Microsoft Sentinel so that a download from a listed domain or a listed payload on disk is caught before the stealer harvests and exfiltrates credentials and other user data.
IOC Summary
Malware family: AMOS (Atomic macOS Stealer); total IOCs: 5; IOC types: sha256_hash, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | blueprintmesh.com | payload_delivery | 2026-06-11 | 100% |
| domain | dstwl.com | payload_delivery | 2026-06-11 | 100% |
| sha256_hash | b56a2ccafe31b6c664c021ec418a660661e5d6d87e1c339beba3b7a4b684d067 | payload | 2026-06-11 | 100% |
| sha256_hash | 01e33f12a8ee57c89624aeeeb97e57896927483d1442eea22ec6bfddc12f8879 | payload | 2026-06-11 | 100% |
| sha256_hash | 9a2869a42f54beb07d4d56a16cd56f507a1ae5a9df2e4d816776472cbf4438c6 | payload | 2026-06-11 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AMOS
// has_any is case-insensitive and matches on term boundaries, so subdomains
// such as cdn.dstwl.com are also caught
let malicious_domains = dynamic(["blueprintmesh.com", "dstwl.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
// Hunt for files matching known malicious hashes
// Source: ThreatFox - AMOS
// The list holds SHA-256 values only, so comparing SHA1 or MD5 against it can never match;
// compare SHA256 alone, lower-cased because sensors differ in hex casing
let malicious_hashes = dynamic(["b56a2ccafe31b6c664c021ec418a660661e5d6d87e1c339beba3b7a4b684d067", "01e33f12a8ee57c89624aeeeb97e57896927483d1442eea22ec6bfddc12f8879", "9a2869a42f54beb07d4d56a16cd56f507a1ae5a9df2e4d816776472cbf4438c6"]);
DeviceFileEvents
| where tolower(SHA256) in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Populated by the Microsoft Defender XDR connector (Defender for Endpoint file telemetry). Ensure the connector is enabled and that macOS devices are onboarded, since AMOS runs only on macOS |
| DnsEvents | Populated by the DNS Analytics connector for Windows DNS servers. Ensure the connector is enabled; Macs that resolve through any other resolver will not appear here, so pair this hunt with DeviceNetworkEvents (RemoteUrl) from Defender for Endpoint |
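The two hunts above are generated by hand from the IOC table. The script below is an added example, not part of the original page and not ThreatFox's or Sentinel's own tooling: it reads a ThreatFox-style export, renders both hunting queries with the lists filled in, and runs the same matching logic offline against sample telemetry so the edge cases (subdomains, lookalike domains, trailing dots, upper-case hashes, low-confidence rows) can be checked before the queries are scheduled. The record shape (ioc_type, ioc, threat_type, first_seen, confidence_level) is an assumption modelled on the ThreatFox export; the five IOC values are the ones in the table, while the low-confidence filler row and all log lines are constructed.

```python
"""Turn a ThreatFox-style IOC export into Sentinel hunting queries and run the
same matching offline against sample telemetry.

Added example for this page, not ThreatFox or Sentinel code. The record shape
is an assumption modelled on the ThreatFox export; the five IOC values are the
page's, the low-confidence row and the log lines below are constructed.
"""
import json

# Constructed export. The first five rows repeat the page's IOC table; the sixth
# is a filler row (reserved .example TLD) added only to exercise the threshold.
THREATFOX_EXPORT = json.dumps([
    {"ioc_type": "domain", "ioc": "blueprintmesh.com", "threat_type": "payload_delivery",
     "first_seen": "2026-06-11", "confidence_level": 100},
    {"ioc_type": "domain", "ioc": "dstwl.com", "threat_type": "payload_delivery",
     "first_seen": "2026-06-11", "confidence_level": 100},
    {"ioc_type": "sha256_hash", "ioc": "b56a2ccafe31b6c664c021ec418a660661e5d6d87e1c339beba3b7a4b684d067",
     "threat_type": "payload", "first_seen": "2026-06-11", "confidence_level": 100},
    {"ioc_type": "sha256_hash", "ioc": "01e33f12a8ee57c89624aeeeb97e57896927483d1442eea22ec6bfddc12f8879",
     "threat_type": "payload", "first_seen": "2026-06-11", "confidence_level": 100},
    {"ioc_type": "sha256_hash", "ioc": "9a2869a42f54beb07d4d56a16cd56f507a1ae5a9df2e4d816776472cbf4438c6",
     "threat_type": "payload", "first_seen": "2026-06-11", "confidence_level": 100},
    {"ioc_type": "domain", "ioc": "lowconf.example", "threat_type": "payload_delivery",
     "first_seen": "2026-06-11", "confidence_level": 50},
])


def load_iocs(raw, min_confidence=75):
    """Split an export into lower-cased domain and SHA-256 sets.

    Rows under the confidence threshold are dropped, domains lose any trailing
    dot, and anything that is not 64 hex chars is ignored so a malformed row
    cannot silently produce a hash list that never matches.
    """
    domains, hashes = set(), set()
    for rec in json.loads(raw):
        if int(rec.get("confidence_level", 0)) < min_confidence:
            continue
        value = rec["ioc"].strip().lower()
        if rec["ioc_type"] == "domain":
            domains.add(value.rstrip("."))
        elif rec["ioc_type"] == "sha256_hash" and len(value) == 64 \
                and all(c in "0123456789abcdef" for c in value):
            hashes.add(value)
    return domains, hashes


def domain_matches(name, domains):
    """Exact or subdomain match on a label boundary.

    'cdn.dstwl.com' and 'DSTWL.COM.' hit; the lookalike 'notdstwl.com' does
    not, which a plain substring or endswith test would get wrong.
    """
    q = name.strip().lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def hash_matches(sha256, hashes):
    """Case-insensitive SHA-256 lookup (sensors differ in hex casing)."""
    return sha256.strip().lower() in hashes


def kql_list(values):
    """Render a sorted KQL dynamic([...]) literal."""
    return "dynamic([" + ", ".join('"%s"' % v for v in sorted(values)) + "])"


def build_kql(domains, hashes):
    """Render the page's two hunts with the lists filled in, one query each."""
    dns = (
        "let malicious_domains = " + kql_list(domains) + ";\n"
        "DnsEvents\n"
        "| where Name in~ (malicious_domains) or Name has_any (malicious_domains)\n"
        "| project TimeGenerated, Computer, Name, IPAddresses, QueryType\n"
        "| order by TimeGenerated desc"
    )
    files = (
        "let malicious_hashes = " + kql_list(hashes) + ";\n"
        "DeviceFileEvents\n"
        "| where tolower(SHA256) in (malicious_hashes)\n"
        "| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName\n"
        "| order by Timestamp desc"
    )
    return {"dns": dns, "file": files}


# Constructed sample telemetry using the column names the page's queries project.
DNS_LOG = [
    {"TimeGenerated": "2026-06-12T08:01:02Z", "Computer": "mac-042", "Name": "cdn.blueprintmesh.com"},
    {"TimeGenerated": "2026-06-12T08:03:10Z", "Computer": "mac-017", "Name": "notdstwl.com"},
    {"TimeGenerated": "2026-06-12T08:04:44Z", "Computer": "mac-017", "Name": "DSTWL.COM."},
    {"TimeGenerated": "2026-06-12T08:05:00Z", "Computer": "mac-009", "Name": "update.apple.com"},
]
FILE_LOG = [
    {"Timestamp": "2026-06-12T08:02:00Z", "DeviceName": "mac-042", "FileName": "Installer.dmg",
     "SHA256": "B56A2CCAFE31B6C664C021EC418A660661E5D6D87E1C339BEBA3B7A4B684D067"},
    {"Timestamp": "2026-06-12T08:06:00Z", "DeviceName": "mac-009", "FileName": "notes.txt",
     "SHA256": "0" * 64},
]


def hunt(dns_log, file_log, domains, hashes):
    """Apply the same matching the KQL performs; returns (dns_hits, file_hits)."""
    dns_hits = [r for r in dns_log if domain_matches(r["Name"], domains)]
    file_hits = [r for r in file_log if hash_matches(r["SHA256"], hashes)]
    return dns_hits, file_hits


if __name__ == "__main__":
    doms, hsh = load_iocs(THREATFOX_EXPORT)
    for query in build_kql(doms, hsh).values():
        print(query, end="\n\n")
    for hit in sum(hunt(DNS_LOG, FILE_LOG, doms, hsh), []):
        print("HIT", hit)
```

The offline matcher is deliberately stricter than KQL's has_any: it requires the IOC domain to be the suffix of the queried name on a label boundary, whereas has_any would also fire on a name such as blueprintmesh.com.attacker.example because the terms appear in sequence. Both behaviours are acceptable for hunting; the point is that neither should be replaced by a substring test, which would match notdstwl.com.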
False-positive tuning
The exclusions below are generic templates for process-based hunts and were not derived from this IOC set. An exact match on one of the SHA-256 values, or a query for one of the listed domains, is not explained by a backup or maintenance job running on the host, so do not suppress hash or domain hits on process name alone; confirm the file or the resolving process first and apply a filter only after the hit has been triaged. Each filter keeps a row only when none of the excluded names is present, so its conditions are joined with "and" (joining two "!=" tests with "or" is always true and excludes nothing).
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude processes associated with veeam or VeeamBackup
Example: process.name != "veeam" and process.name != "VeeamBackup"
Scenario: Regular PowerShell scripting for log management using LogParser
Filter/Exclusion: Exclude processes running under LogParser or PowerShell scripts with known log management patterns
Example: process.name != "LogParser" and script.name != "LogManagement.ps1"
Scenario: Windows Task Scheduler job for system maintenance (e.g., disk cleanup)
Filter/Exclusion: Exclude tasks with known maintenance names or associated with Task Scheduler
Example: process.name != "schtasks" and task.name != "DiskCleanup"
Scenario: Microsoft SQL Server Agent job for database backups
Filter/Exclusion: Exclude processes related to SQL Server Agent or SQL Server services
Example: process.name != "sqlagent" and process.name != "sqlservr"
Scenario: Ansible playbook execution for configuration management
Filter/Exclusion: Exclude processes related to Ansible or known configuration management tasks
Example: process.name != "ansible" and command != "ansible-playbook"