The ThreatFox: Unknown malware IOCs rule matches DNS queries against domains that ThreatFox (abuse.ch) has tagged with threat type payload_delivery for malware not yet attributed to a named family. A hit means a host resolved a domain used to deliver a payload, so SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) and triage the querying client before the delivered payload does further damage.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 11
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | graciasdenada.beer | payload_delivery | 2026-05-23 | 100% |
| domain | unacerveza.beer | payload_delivery | 2026-05-23 | 100% |
| domain | bootstrup-framework-js.beer | payload_delivery | 2026-05-23 | 100% |
| domain | fredcreate.beer | payload_delivery | 2026-05-23 | 100% |
| domain | mhaskins.top | payload_delivery | 2026-05-23 | 100% |
| domain | smtnscerver.beer | payload_delivery | 2026-05-23 | 100% |
| domain | advex.monster | payload_delivery | 2026-05-23 | 100% |
| domain | picturequitting.monster | payload_delivery | 2026-05-23 | 100% |
| domain | totalads.monster | payload_delivery | 2026-05-23 | 100% |
| domain | nextpgh3.com | payload_delivery | 2026-05-23 | 100% |
| domain | vsactivens.sbs | payload_delivery | 2026-05-23 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware (threat type: payload_delivery)
// has_any matches whole terms, so subdomains of an IOC match while lookalike
// prefixes (e.g. notgraciasdenada.beer) do not.
let malicious_domains = dynamic(["graciasdenada.beer", "unacerveza.beer", "bootstrup-framework-js.beer", "fredcreate.beer", "mhaskins.top", "smtnscerver.beer", "advex.monster", "picturequitting.monster", "totalads.monster", "nextpgh3.com", "vsactivens.sbs"]);
DnsEvents
| where Name has_any (malicious_domains)
// In DnsEvents, Computer is the DNS server that logged the query;
// ClientIP is the host that actually asked, which is the one to triage.
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS Analytics (DNS Events) connector; ensure it is enabled. Computer is the logging DNS server, ClientIP is the querying host. |
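The hunt above is only as good as the IOC list fed into `dynamic([...])` and the match semantics applied to it. The following is an added example, not code from this page or from abuse.ch: it parses a constructed stand-in for a ThreatFox API response (same per-IOC field names as the real API: `ioc`, `ioc_type`, `threat_type`, `malware`, `confidence_level`, `first_seen`; the entries other than the page's domains are made up), keeps only domain IOCs above a confidence threshold, emits the `let malicious_domains = ...` line for the Sentinel query, and replays the match over constructed DnsEvents-shaped records. The matcher works at DNS label boundaries to mirror `has_any` term semantics, so `cdn.<ioc>` and search-suffix-devolved names like `<ioc>.corp.example` hit while a lookalike prefix such as `notgraciasdenada.beer` does not. The `ENRICHMENT_HOSTS` allowlist and the IP addresses in it are hypothetical.

```python
import json
from typing import Iterable, Optional

# Constructed stand-in for a ThreatFox API response. Field names follow the real
# API; values other than the page's domains are made up for the example.
THREATFOX_EXPORT = json.dumps({
    "query_status": "ok",
    "data": [
        {"ioc": "graciasdenada.beer", "ioc_type": "domain", "threat_type": "payload_delivery",
         "malware": "unknown", "confidence_level": 100, "first_seen": "2026-05-23 00:00:00 UTC"},
        {"ioc": "TotalAds.Monster.", "ioc_type": "domain", "threat_type": "payload_delivery",
         "malware": "unknown", "confidence_level": 100, "first_seen": "2026-05-23 00:00:00 UTC"},
        {"ioc": "mhaskins.top", "ioc_type": "domain", "threat_type": "payload_delivery",
         "malware": "unknown", "confidence_level": 100, "first_seen": "2026-05-23 00:00:00 UTC"},
        # Constructed low-confidence entry: dropped by the default threshold.
        {"ioc": "advex.monster", "ioc_type": "domain", "threat_type": "payload_delivery",
         "malware": "unknown", "confidence_level": 50, "first_seen": "2026-05-23 00:00:00 UTC"},
        # Constructed ip:port entry: wrong type for a Name-based DNS hunt.
        {"ioc": "203.0.113.7:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
         "malware": "unknown", "confidence_level": 100, "first_seen": "2026-05-23 00:00:00 UTC"},
    ],
})


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so FQDN spellings compare equal."""
    return name.strip().lower().rstrip(".")


def domain_iocs(export_json: str, min_confidence: int = 75) -> list[str]:
    """Domain-type IOCs at or above min_confidence, normalized, de-duplicated, sorted."""
    entries = json.loads(export_json)["data"]
    keep = {normalize(e["ioc"]) for e in entries
            if e["ioc_type"] == "domain" and e["confidence_level"] >= min_confidence}
    return sorted(keep)


def build_kql(domains: Iterable[str]) -> str:
    """Render the Sentinel hunting query with the IOC list inlined."""
    quoted = ", ".join(f'"{d}"' for d in domains)
    return "\n".join([
        "// Hunt for DNS queries to ThreatFox domain IOCs (Unknown malware, payload_delivery)",
        f"let malicious_domains = dynamic([{quoted}]);",
        "DnsEvents",
        "| where Name has_any (malicious_domains)",
        "// Computer is the DNS server; ClientIP is the host that asked",
        "| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType",
        "| order by TimeGenerated desc",
    ])


def matched_ioc(name: str, domains: Iterable[str]) -> Optional[str]:
    """Return the IOC whose labels occur as a contiguous run of labels in name.

    This mirrors KQL has_any term matching: subdomains and search-suffix-devolved
    names match, lookalike prefixes do not. (has_any also splits on hyphens; this
    check compares whole labels, which is slightly stricter for hyphenated IOCs.)
    """
    labels = normalize(name).split(".")
    for ioc in domains:
        ioc_labels = ioc.split(".")
        n = len(ioc_labels)
        if any(labels[i:i + n] == ioc_labels for i in range(len(labels) - n + 1)):
            return ioc
    return None


def hunt(records, domains, enrichment_hosts=frozenset()):
    """Replay the rule over DnsEvents-shaped records.

    The only exclusion that makes sense for a DNS-name rule is a documented set
    of TI-enrichment or sandbox clients that resolve IOCs by design; exclude them
    by ClientIP, never by process name.
    """
    hits = []
    for r in records:
        ioc = matched_ioc(r["Name"], domains)
        if ioc is None or r["ClientIP"] in enrichment_hosts:
            continue
        hits.append((r["TimeGenerated"], r["ClientIP"], r["Name"], ioc))
    return hits


# Constructed DnsEvents-shaped records; hosts and times are hypothetical.
DNS_RECORDS = [
    {"TimeGenerated": "2026-05-24T08:01:02Z", "Computer": "dc01.corp.example",
     "ClientIP": "10.0.0.23", "Name": "cdn.graciasdenada.beer"},           # subdomain of IOC
    {"TimeGenerated": "2026-05-24T08:01:09Z", "Computer": "dc01.corp.example",
     "ClientIP": "10.0.0.24", "Name": "notgraciasdenada.beer"},            # lookalike prefix
    {"TimeGenerated": "2026-05-24T08:02:15Z", "Computer": "dc01.corp.example",
     "ClientIP": "10.0.0.25", "Name": "GRACIASDENADA.BEER."},              # case / root dot
    {"TimeGenerated": "2026-05-24T08:02:40Z", "Computer": "dc01.corp.example",
     "ClientIP": "10.0.0.26", "Name": "mhaskins.top.corp.example"},        # suffix devolution
    {"TimeGenerated": "2026-05-24T08:03:00Z", "Computer": "dc01.corp.example",
     "ClientIP": "10.0.9.9", "Name": "totalads.monster"},                  # TI enrichment host
    {"TimeGenerated": "2026-05-24T08:03:30Z", "Computer": "dc01.corp.example",
     "ClientIP": "10.0.0.27", "Name": "login.microsoftonline.com"},        # benign
]
ENRICHMENT_HOSTS = frozenset({"10.0.9.9"})  # hypothetical allowlisted sandbox

if __name__ == "__main__":
    iocs = domain_iocs(THREATFOX_EXPORT)
    print(build_kql(iocs))
    for hit in hunt(DNS_RECORDS, iocs, ENRICHMENT_HOSTS):
        print("HIT", *hit)
```

Run against the constructed records, three of the six queries are reported (the subdomain, the upper-cased FQDN and the suffix-devolved name); the lookalike prefix and the Microsoft login domain are ignored, and the enrichment host's own lookup of `totalads.monster` is suppressed only because its ClientIP is on the allowlist.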
Scenario: Scheduled System Maintenance Task
Description: A scheduled PowerShell or Task Scheduler job that performs system cleanup or log rotation does not resolve any of the listed domains and will not match this rule on its own. It only becomes relevant if a task has been planted to fetch a payload from one of them, which is a true positive, not a false positive.
Filter/Exclusion: None. DnsEvents carries no process fields, so exclusions on schtasks.exe or powershell.exe -Command cannot be expressed against this table and, in a process-based variant of the rule, would suppress exactly the download activity a payload_delivery domain exists to serve.
Scenario: Admin Tool Usage for Patching
Description: Windows Update and WSUS clients (wuauclt.exe, wusa.exe, wsusutil.exe) resolve Microsoft update endpoints, not any of the domains in this list. A patching server that appears in the results has resolved an IOC domain for some other reason and should be investigated like any other host.
Filter/Exclusion: None.
Scenario: Log Collection and Analysis Tool
Description: A SIEM, threat-intelligence platform or enrichment pipeline (Splunk, ELK Stack, Graylog, or an automation playbook) that ingests the ThreatFox feed may resolve IOC domains as part of enrichment (passive DNS lookups, URL detonation). Those lookups legitimately produce DnsEvents hits, but they come from a small, known set of hosts.
Filter/Exclusion: Exclude by the querying host (ClientIP) using a documented allowlist of enrichment and sandbox machines, not by ProcessName such as splunkd.exe, logstash, elasticsearch or graylog-server, which is not visible in DnsEvents. Keep the allowlist short and review it whenever those hosts change.
Scenario: Backup and Restore Operations
Description: Veeam, Acronis or Veritas backup jobs resolve their own management and repository hosts and do not contact the listed domains; vssadmin is a local shadow-copy tool and generates no DNS traffic at all. A backup server in the results is a real hit.
Filter/Exclusion: None.
Scenario: Internal Monitoring and Compliance Tool
Description: Network monitoring, web-filtering or compliance tooling (for example a SIEM such as Splunk or QRadar performing lookups, or a proxy categorising requested URLs) may resolve an IOC domain while inspecting traffic that another host initiated. The DnsEvents hit then points at the tool rather than at the originating client, so the tool's own logs must be consulted to find the real source.